Live from Washington, D.C., it's theCUBE. Covering .conf 2017, brought to you by Splunk.

Well, good morning. Welcome to day two of Splunk .conf 2017 here in Washington, D.C. TheCUBE is very proud to be here again, for the seventh time, I believe this is. John Walls with Dave Vellante. Good morning, sir, how are you doing, David? I'm doing well, thank you. Did you have a good night? Yeah, great night. DC, I know your son's here in town. The district a little bit, yeah, it was good. It's good to have you here. Don't get the party last night, upstairs. Talked to a few customers, trying to find out what they didn't like about Splunk, and it was not a lot of things. That would be a short conversation, I think. It was, it was. We've got a couple of keynote rock stars with us this morning. Haiyan Song, who is the Senior Vice President of Security Markets at Splunk. Haiyan, good to see you again. Great to see you, too. Thanks for coming back. And Monzy Merza, who is the head of cybersecurity research at Splunk. Thank you for having me. Monzy, commanding the stage with great acumen today. Good job there. Thank you. Yeah, we'll get into that a little bit later. But first off, let's just kind of set the table here a little bit. I know this is a bit of a transformational year for you in terms of security, in how you're building out your portfolio and your services. And so, kind of walk us through that. What are you doing, Haiyan, in terms of, I guess, being available, right? For whomever, whenever, wherever they are, in their security journey, you might say.

Journey is the keyword this year. And Nerve Center is another one that I highlighted at my super session yesterday. So, when I reflect on, this is your seventh year, and when I reflect on the last three years, right? We came in and really talked about the Enterprise Security product in the first year. And the second year, we talked about, you know, how UBA adds to the capabilities for better detection and machine learning.
We introduced different features. This year, we didn't start the conversation on, here's a new feature. This year, we started the conversation on, you need to build a security Nerve Center. That's the new defense system. And there's a journey to get there. And our role is to enable you on that journey, every step of the way. So, it's a portfolio message, and not only for the very advanced customers who want machine learning, who want to customize the threat models, but also for people who just started to say, I have the data, help me get more insight into this. Or help me understand how to leverage machine data across domains to really correlate and connect the dots and do investigations. Or what are these important things to set up the basic operations? Very, very excited about the ability, in this transformational year, as you mentioned, to bring the full portfolio to our customers.

So, Monzy, you said in your keynote today, defenders can succeed. We talked off camera, you're an optimist. And all we need is this Nerve Center. So, to date, has that Nerve Center been missing? Has it been there, and people haven't been able to take advantage of it? Have the tools been too complicated? I wonder if you could unpack that a little bit.

I think what's happened over the course of many years, as the security ecosystem matures and evolves, is that there are a lot of expert technologies in a variety of different areas. And it's a matter of bringing those expert technologies together, so the operations teams can really, really take advantage of them. It's one thing to have a capability, but it's another to leverage that capability along with another capability, to combine the forces together. And really, that's the message, that's Haiyan's message, that's been there for the Nerve Center that we can bring together. And so, when I say the defender has an advantage, I mean that because I feel that the operations teams, the IT teams, as well as the security teams have laid out a path.
And the attacker cannot escape that path. You have to walk down a certain path to get to something, to achieve or to steal or to do whatever damage you need to do. So, when you have a Nerve Center, you can bring all the instrumentation that's been placed along that path and make use of it. So, the attacker has to work within that terrain. They cannot escape that terrain. And that's what I mean: the Nerve Center allows for that to occur.

Now, you guys have talked for a long time about bringing analytics and security, those worlds, together. We've always been a big proponent of that, obviously. Spending is just starting to shift, right? There's still a lot of money being spent on the perimeter. I guess you have to. We all see the numbers; security investments continue to increase. But where are we today with regard to analytics and being able to proactively both identify and remediate?

So, I just echo what you just said. I'm so pleased to see the industry has started the shift. I think being analytics driven is really top of mind for people. And using machine learning and automation to help really speed up the detection and even response is top of mind. We just did a CISO customer advisory board on Monday. And we always ask, when we start the meetings, tell us your top-of-mind challenges. Tell us your top two investments, and what's the recommendation for Splunk? And better, faster response, better, faster detection, and automation and analytics are top of mind for everybody. So for us, this year, extremely, extremely happy to talk about how we're completing that narrative for analytics-driven security.

Yeah, and well, on that point, you talk about analytics stories and filling gaps, putting an entire narrative together so that somebody could do soup to nuts and see exactly where intrusions occurred, what steps could be taken, so on and so forth. So, I mean, dig a little deeper on that for us.
Maybe, Monzy, you can jump on that, about what this concept of analytics stories is and then how you're translating that into your workplace.

We thought about this for quite some time, in terms of drilling down and saying, as analysts and practitioners, what is it that we desire? The security research team at Splunk is composed of people who've spent many, many years in the trenches. So what do we want? What did we always want? And what was hard? And instead of trying to approach it from the perspective of, let's just connect the dots, we really took an adversarial model approach to say, what does an adversary actually do? And then as a defender, what do I do when I see certain things happening? And I see things on the network. I see things on the endpoint. That's good, and a lot of people talk about that. But what do I do next? As the analyst, where do I go, and what would be helpful to me? So we took this concept of saying, let's not call them anything else. We actually fought over this for quite some time, and said, well, you know, these are not use cases, because use case has a very different connotation. We wanted stories, because an adversary starts somewhere, and the adversary takes some action. The defender may see some of that action, but then the defender carries on and does other things. So we really had this notion of a day in the life. And we wanted to capture that day in the life with the perspective of what's important to the business, and really encapsulate that as a narrative, so that when the analysts and security operations teams get their hands on this stuff, they're not bootstrapping their way through the process. They have a whole story that they can play through. And if it doesn't make sense to them, that's okay. They can modify the story and then have a complete narrative to understand the threat and to understand their own actions.

So we hear the stat a lot about how long it takes for organizations to identify an intrusion.
It ranges. I've been seeing ServiceNow flash 191. I've seen it as high as 320. I'm not sure there's clear evidence that that number is compressing. I think it's early days there, but presumably analytics can help compress that number. But when I think about things like zero-day signatures and other very high-tech factors that are decades old now, can analytics help us solve those problems? Can the technology, which kind of got us into this mess, get us out of the mess?

That's such a great point. It is the technology that just made our lives so much easier for living, and then it complicated so much for the security people. I'll give you a definitive yes. Analytics are there to help detect early warning signs, and it will help us; it may not be able to just change the stats right now for the whole industry. I'm sure it's changing the stats for a lot of the customers, especially when it comes to remediation. The more readily available the data is for you when you are sort of facing an incident, the faster you can get to the root cause and start remediating. We have seen many of our customers talk about how it went from weeks to days, days to hours, and that includes not just technology, but also process, right? Streamlining process and automating some of the things, and freeing up the people to do the things that they're great at versus the mundane things, trying to collect the information. So I'm also a glass-half-full person, an optimist. That's why we work together so well. We really think being data driven, being analytics driven, is changing the game.

What about the technology of the malware? I think it was at a .conf, I think it was 2013, one of your guest speakers gave us an inside look at Stuxnet. Of course, by then it was seven, eight years old, right? But it was fascinating, and you read more about it and you learn more about it, and it's insidious. Has the technology on the defender side, I guess was my real question, accelerated to keep up with that pace?
Where are we at with the bad technology and the good technology? Are they in a balance now, an equilibrium?

I think it's going to be a constant evolutionary process. It's like anything else, whether you look at thieves or whether you look at people who are trying to create new, innovative solutions for themselves. I think the key, and this is the reason why I said this morning that defenders can have, I think I said, an unfair advantage, not just an advantage. And the reason for that is some of the things I talked about with analytics and with the availability of technology that can create a Nerve Center. It's not so much that someone can detect a certain type of threat. It's like, we know the low-fidelity sort of perturbations that cause an alarm for us, but there are so many of those that we get desensitized. The thing that's missing is, how do I connect something that is very low threshold to another thing that's very low threshold, and sequence those things together, and then say, you know, combined, all of this is a bad thing. And one of my colleagues uses this example: you know, I go to the doctor and I say, you know, I've had this headache for a long time. And the doctor says, don't worry, you don't have a tumor. And it's like, okay, great, thank you very much. But I still have this headache. And so this is why, even in the analytics stories, and even in UBA and in Enterprise Security, we don't use the concept of a false positive. We use the concept of confidence. And we want to raise confidence in a particular situation. Which is why this analytic story concept makes sense, because within that story, the confidence keeps rising as you go farther and farther down the chain.

So it's a confidence, but also married, presumably through analytics, with a degree of risk. Right, so I can understand whether that asset is a high-value asset or John's football pool, something like that. It's going very well right now, by the way, yeah.
Bring it on, I'm very happy. You guys have come out with some solutions for ransomware. I tweeted out this morning that I was pleased at .conf that we're talking about analytics, analytics-driven solutions to ransomware, not just the typical, when we go to these conferences, the air gap, yeah. Somebody tweeted back to me and said, Dave, until we see 100% certainty with analytics-driven solutions, we better still have air gaps. So I guess I wanted, if you guys could weigh in on, what should people be thinking about in terms of ransomware, in terms of an end-to-end solution? Can you comment?

I will add, and so for us, right, just even to follow on the last question you had, the advancement in technology is not just algorithms. It's actually the awareness and the mindset to instrument your enterprise. And the biggest information gap, you know, in an incident response is, I don't have the data, I don't know what happened. So I think a lot of advancement has happened. We did a war game, you know, a tabletop exercise. That was one of the biggest takeaways: oh, we better go back and instrument our enterprise, or agency. So when something does happen, we can trace back, right? So that's number one. And so ransomware is the same thing. If you have instrumented your infrastructure, your application stack, and your cloud visibility, you can actually detect some of the anomalies early. It's never going to solve 100%. So security is all about layered defense, right? Adapting and adding more layers, because there's no, nobody is really claiming, I can be 100%, so you just want to put different layers in and hope that as they sift through, you catch them along the way.

I think it's a question of ecosystem, and it really goes back to this notion that different people have instrumented their environments in different ways, they deploy different technologies, and how much value can they get out of them? I think that's one vector. The other vector is, what is your risk threshold?
Somebody may have absolutely zero tolerance for air gaps, but I would, as a research person, I would like to challenge even that premise. I've been privileged to work in certain environments, and there are some people who have incredible resources. And so it's just a question of, what is your adversary model that you're trying to protect yourself against? What is your business model for which you're willing to take on that risk? So I don't think there is a two-hands point. There isn't a single solution for any of these number of things. It really just has to match with your business operation and the business risk posture that you want to accommodate.

You're almost touching on a point that I did want to hit you up on before you left, about choice, and it's almost like personal. How much risk am I willing to take on? You talk about customization and providing people different tools, and so how much leash do you give people? I mean, do you worry that if we allow you to do too much tinkering, you actually do more harm than good? But how do you factor all that in to the kind of services that you're offering?

I think that ultimately it's up to the customer to decide what's valuable and what's critical for their business. If somebody wants a complete solution from Splunk, we're going to serve those customers. You heard a number of announcements this week, from ES content updates to opening up the SDK with UBA to the Security Essentials app releases and all of those different kinds of capabilities. On the top end of it, we have the Machine Learning Toolkit. If you have experts that want to tinker and learn something more, and want to exert their own intuition and energy on a compute problem, you want to provide those capabilities. So it's not about us. It's about the ability for our customers to exert what is important to them and get a significant advantage in the marketplace for their business.
I think it's important to point out too, for our audience, it's not just a technology problem. The security regime in organizations for years has fallen on IT and security practitioners. And we wrote a piece several years ago on Wikibon research that bad user behavior is going to trump good security every time. And so it's everybody's responsibility. I mean, it sounds like a bromide, but it's so true. And it's really, you know, part of the complete solution. I mean, I presume you agree.

Totally. Going back to the CISO advisory board, one of the challenges they pointed out is user accountability. That's one of the CISOs' biggest challenges. It's not just technology; it's how can they train the users and make them responsible and somehow hold them accountable? I thought that was a really very interesting insight we didn't talk about before.

Yeah, you don't want to hear my bad, but unfortunately you do. Well, we were kind of kidding before we got started. We said, we have about an hour to chat. It seems like it was just a matter of minutes. And so thank you for taking the time. We could talk an hour, I think. Fascinating subject, and we thank you both for your time here today, and a great show. Thank you for having us. It's always a pleasure to be here. You bet. All right, thank you. Haiyan and Monzy. Back with more, theCUBE here, covering .conf 2017, live in Washington, D.C.