Back everybody, this is theCUBE, SiliconANGLE's premier flagship TV production. We are live at .conf, 2012, that of course is Splunk's annual user conference. We're in Las Vegas at the lovely Cosmopolitan Hotel. I'm Jeff Kelly with Wikibon.org and I'm joined by my co-host Jeff Frick from SiliconANGLE. Thank you Jeff. Welcome back everybody. Well, we're excited right now because we've actually got the criminal element has entered theCUBE. So we want to welcome Mark Stewart from the security team at Splunk. Thanks for joining us, Mark. Nice. Happy to be here. Thanks. Mark's great opening line at his keynote was he likes to think like a criminal. I'm surprised he didn't show up with a mask or with a burglar bag on the line. Exactly. The cat burglar bag. You have that vision. Right. Exactly. So we want to jump in a little bit now. It's interesting that you're here now because we had Dan Woods on earlier from CITO Research and he was talking about how security and I guess threat assessment has changed and people aren't just looking for very simple virus patterns anymore but it's really changing quite a bit because of the sophistication of the attacks. I was wondering if you could give us some of your insight on that. Sure. Well, what I see is the change that you talk about is specifically around customers who are beginning to put together entire scenarios that they're looking for. Not just a specific thing. They're not just looking for an antivirus signature or an intrusion detection signature to go off. What they're thinking about is, well I'll tell you, I actually spoke to a very large candy company in the U.S. not too long ago and they're looking for industrial espionage. They're looking for people who might change the thermostat a couple of degrees in the factory and cause quality problems for their product. Electronically. They would attack them electronically. Wow. They're monitoring the thermostat. They're monitoring who has accessed the facility. 
They're monitoring the production lines and they're monitoring the quality of the goods that they're producing. When you monitor all those things together, you can begin to see whether or not someone has intentionally or inadvertently, a two degree thermostat change if you're making chocolate can make a big difference in the quality of what you're doing. They're looking at those sorts of things and those actually qualify as security events. Looking for specific types of patterns and using your imagination, because believe me, if you can imagine it, it may happen, so that's imagination and creativity turn out to be very, very important for a lot of our customers and Splunk is really an ideal tool to be able to feed that scenario into, to be able to ask those kind of questions to get answers when you need them. That's terrible. People are attacking the beautiful little ladies at See's Candy that we all love and adore and wear them a little. I didn't mention See's. No, you didn't, but this is my favorite candy store and I'm sure a couple degrees temperature difference would destroy the toffee, which is one of my favorite, but the other thing that Dan said that was interesting was, was defining a new normal and kind of doing this. So what is, what is normal behavior? Because clearly the guy attacking is, is not doing a normal type of behavior. So how does that kind of work in defining average or normal typical activities or behavior? In fact, you really hit on something very important because I was at a, a seminar where the Chief Security Information Officer from the FBI spoke and when he spoke he said, normative statistical analysis is the most important thing you can do for security. So understanding what's normal and what's not or understanding what's normal and what might not be normal is extremely important. 
And Splunk has some interesting commands that allow you to look at averages or look at mean or do all sorts of statistical analysis using standard deviation to be able to understand what's happening with your data. For example, if you were to get, if you were to look at some of the URL requests that you make when you're surfing the web, for example, you can actually monitor for ones that are two and a half times the normal length. Because typically if they're that long, they've got some sort of command and control instructions embedded in them by an attacker. So statistical analysis is, is extremely, increasingly important when you're trying to do security investigation or really understand what's going on. And the flexibility you must need because normal, the definition of normal must change over time depending on events in the real world, you know, depending on, you know, if there's a big event, you can expect more traffic to a site or a server or whatever it might be. Sure. How do you keep up with that, those changing environments? Well, you have to, you do have to have some awareness as to what's going on and you raise a good point again where is it normal for a whole lot of finance people to be logging into the finance system at 3 a.m.? Well, that might be normal if it's near the end of a quarter, for example. Maybe they've got a huge workload that they're trying to accomplish. But even then, in the product, you can actually take advantage of functionality that says, okay, I want to see all of this and I want to see the average excluding the last week of every quarter. Or exclude these days when I normally would expect to see a jump in traffic. So you can sort of literally throw out the top-end, throw out the bottom-end scores and just look at what's in between and monitor for changes in that that might be out of the norm. So how does Splunk help, so it helps identifying when something is not normal, when there could be a potential event going. Right. 
Do you close the loop in terms of helping them then take action? How do they go from using Splunk and identifying, hey, we've got a, we may have a problem here now, are they up, is it up to them, to them basically to go figure out a way to solve the problem or does Splunk help on that as well? Well, Splunk can help out on that as well. So Splunk has a way to allow for the user to write scripts that will allow Splunk to talk to different applications. So another good example that I talked to one of our banking customers who had a product called FireEye, which is being exhibited here. And they also have Blue Coat as their proxy server. And Blue Coat has a block list built into it. So if you surf to a site that's known to be a malicious website, it'll block you. Well, actually, up to the minute, FireEye is actually looking at all of those and updating a list. So what they've done is they've taken the information from FireEye, put it into Splunk, and then told Splunk, hey, I want you to rewrite the block list on my proxy server in real time, so that then I can have those two solutions talk to each other through Splunk and actually get better performance or extract more value out of the solutions that I have in my environment. Very interesting. So I wonder if we could turn to compliance, because that's obviously a big issue as well. And that's one of the domains you oversee. And that's a big issue in financial services and health care. I mean, there's certainly a number of industries that are very heavily, have to deal with a lot of compliance issues. And I know you just released the PCI compliance application. Talk a little bit about that and kind of your strategy, top level strategy about attacking compliance issues. Okay, well, I'll go specifically to PCI first, because PCI is very unique. PCI isn't a law. Laws tell you what you shouldn't do. PCI tells you what you should do. So from that standpoint, PCI is very prescriptive. 
And so if you have a definitive data set, all of the logs of all of the machine to machine or human to machine interactions in your organization, you know what's going on in your entire organization and then you can actually take a look and apply the various controls or requirements in PCI directly to those logs as asking your data questions. And then you can bring back all kinds of interesting information and understand in real time or through continuous monitoring, whether or not you're in compliance with PCI or not, how bad things are, all those sorts of things. And the nice thing about it is that so many solutions are simply a lot of reports that simply get added to an existing solution to support PCI. And Splunk really isn't like that. Nobody wants to wake up the day before the end of a quarter and the day before the auditor comes and get a snapshot audit and say, oh my gosh, I didn't realize I had this many issues. So you want to try to continuously monitor that over time and that's something that really Splunk performs, does very well, does very well. You mentioned medical records in particular and some people fly airplanes, some people are beekeepers, healthcare is kind of a hobby of mine. And healthcare is a very unique kind of situation for compliance because you basically are looking in the rear view mirror for compliance. Because no, I mean, for example, just because I'm not authorized to see someone else's data doesn't mean that I should let them bleed out on the floor if I'm in a healthcare situation. So I'm going to fix the problem and then take a look to see whether or not I was supposed to have access to the data at a later time. But you still want to be able to track that for HIPAA. You need to show that you're actually making, or trying to make sure that those individuals don't have access to records they're not supposed to see. So we can actually measure what's the person supposed to be on shift when they view the records. 
We can actually figure out whether there's a relationship between the doctor and the patient by linking into HR records and pulling that information for context. We can actually see whether or not there was supposed to be a positive relationship or an affirmative relationship between the healthcare provider and the patient. So if there's no relationship, if the person is not supposed to be on shift, or if there is a family relationship or even a neighbor relationship between these two individuals, Splunk can find all of that out and give that information to you so that later on you can have that important conversation with a healthcare professional to say you really shouldn't have been looking at this data. What were the circumstances around that? Were they indeed bleeding out on the floor or were you indeed doing some data snooping that you shouldn't have been? I'd like to kind of build on that. Not so specific, I'm glad we helped the person that was bleeding out on the floor, but when Michael Wilde was here, we drilled in on his brother who was having a beer at a bar in New Jersey. And to see Splunk use the Foursquare data and to zoom in, you know, mapped over the Google Maps and to zoom in on the bar and see the two guys that were having a drink because he didn't bleed out and he's healthy. You know, if my wife saw that, she would be screaming, oh my gosh. Privacy, privacy, privacy. So how does Splunk, you know, kind of deal with and separate, as you just explained, the data that you should be able to see and is okay to see and the data that you're not supposed to see? Well, hopefully you've got safeguards in place that prevent you from seeing things that you're not supposed to see and Splunk fully supports the organization that needs to sort of segregate that data out. 
We actually have a command in our command language called scrub, which is interesting because what it allows you to do is to substitute a string of random characters in place of specific personal data or specific personal information that shouldn't be seen by another individual. So Splunk does support making sure that the right people only see the data they're supposed to and even if they're sort of inadvertently viewing that, if you have a command like scrub in place, you're actually obfuscating the data so that even if there's a mistake, you're not going to see someone else's social security number, you're going to see a string of asterisks, for example, or a string of at signs instead based on your role in the organization and what you're doing. But to your point, we all leave a data trail every day no matter what we do and we all as Americans need to use common sense about using Twitter and about using Foursquare and about what we post on Facebook. If we don't want people to know what we're doing, we need to flip the switch in our own minds to say, well, perhaps I should turn Foursquare off for a little while while I go do whatever I'm going to do or perhaps I should not post this particular picture to Facebook and have everybody inadvertently see it. So we need to take some responsibility for our own privacy first. And then we need adjunct solutions like Splunk to be able to go in and help protect us further from, like I say, inadvertent viewing of personal data. But you talk about another issue too, which is location and realtors use the phrase location, location, location. It's very, very important. Another customer I spoke with was wondering how he could measure for his security awareness program, the fact that his particular policy was not supposed to allow people to tailgate into a building and tailgating, as you probably know, is someone following me into the building. I use my badge and the door is still open. They just follow right behind me. 
So how can I measure how well my employees are now following that particular policy? And I said, well, there's a couple of ways you could actually do that with Splunk. And the location data comes in very handy because if I have my badge reader data and I have active directory login data and I have VPN data, what would it mean if I saw an active directory local login without badge reader information or without access via VPN? That's gonna mean either one of three things, right? It's gonna mean that either somebody came into the building that wasn't supposed to, or they tailgated and they broke policy, or they were borrowing someone else's credentials, which is probably also against policy, or the worst thing, that machine happens to be compromised. Someone else, someone's gotten those credentials and is remotely using that machine to log into and access other places. So that location data, that physical security data, knowing where a person is or where they're not becomes very handy when you're trying to do security investigations or monitor your security awareness program. Interesting. So you work with a lot of customers that are kind of get the security issues. But I'm curious, what is your take on the understanding out there about the need for more advanced security measures like Splunk helps enable? Where have we come from five years ago to where we are today in terms of organizations actually really understanding the importance of this kind of capabilities, and do you find you're doing a lot of explaining when you go in or are they coming to you saying we understand it, we get it, and we need a solution? Actually, when I first started with Splunk, I was doing a lot of explaining, and I'm amazed at how rapidly that's kind of tailed off. The people kind of get the fact that there's a certain dependency that has sprouted up between the security professional and the security vendor. 
And where people are looking for the easy button for security, and there is no easy button for security anymore. Attacks have gotten too creative, the attack vectors have gotten too broad, and there really is no way for an individual to simply hit an easy button and give you the instant answer as to what you need to do. And what I've begun to hear customers tell me is, yeah, I realize I need to start really thinking. I need to start practicing two kinds of creativity that are really important for security professionals. And one is called convergent thinking. Convergent thinking is a creative activity. It's like Michelangelo, Michelangelo's David. He takes a 10-ton block of marble and hacks away at it with a hammer and a chisel until he reveals David underneath. And all of the people who are using Splunk are basically data Michelangelos. What they're doing is they're hacking away at the data and finding that one nugget inside of there that they're really looking for. So they're practicing that kind of creativity. And then they're also practicing divergent creativity where they wake up in the morning, they're really relaxed, they go into the shower, they take a shower, and in the middle of grabbing the soap, they think, wow, I'd like to go into work today and look for this entire full-blown IT risk scenario. And those two types of creativity are things that Splunk supports very well. The search line and the statistical analysis commands allow you to ask a full-blown scenario of Splunk and get an answer back. And customers are really beginning to realize that understanding the attacker, understanding what the attacker knows, and then reacting in a creative fashion is really what needs to happen for security to sort of evolve and have us all stand a better chance in sort of an asymmetrical world where the attacker only has to be right once. Very cool. 
So I know we only have a couple of minutes left, just wondering, so what's on the horizon for your group and what are some of the things you're expecting if we're back here next year, which hopefully we will be and what are you, what will we be talking about in terms of security? I'll let you in on a little secret. I've been talking to a lot of customers, a lot of forensics folks, people who deep dive into their data to find out what's going on. And a lot of solutions today out there are in a position where I see something interesting, okay, now I'm gonna go look and see something if that's related to this information over here. Oh, I see it is. I'm gonna go look at this information and then I'm gonna do this and this. That's all a manual process today. And it's within Splunk's capability to automate the forensic mind, so to speak, by taking those sorts of situational awareness, and I'm looking at a situation as a broad set of questions that you wanna ask, that you would ordinarily ask if you were a forensics expert or you were in security. And so what I wanna do is I wanna say, look, we'll just map the mind of the forensics expert. And so that when Splunk sees something, it automatically runs all of the searches that you would like to have and presents you with the information in one consolidated place so you can rapidly make a decision about what you'd like to do next. If you'd like to dive deeper into that or you'd like to dismiss it out of hand because it was relevant or how far those questions took you, all of that is automated for the security professional. And I've talked to at least four or five customers here who are all willing to try to contribute knowledge, their knowledge, their forensic knowledge, to that kind of automation because they realize that speed is everything for security. The faster you can, you can find out something's wrong, the less damage is caused within your environment. So that really is kind of the next thing. 
And I think that will be something if we talk again next year, and I hope we do, that you'll have a couple of customers actually interview sitting right where I am talking about. Fantastic. That's great. That's great, Mark, thanks a lot. That was tremendous insight. And I hope you out there enjoyed that. You know, the top of the security, I think security is really just a proxy to talk about new ways to look at different sets of data and to combine data and look at relationships and correlations within data in a new and creative way to solve problems. And it just happens to be like to solve the compliance and security problems. So thanks for Mark. Again, you're at theCUBE. We're at Splunk Conf 2012. We've got a full slate of guests lined up for the balance of the afternoon. So we're going to take a short break and we'll see you in just a few minutes. Thanks.