Live from the MGM Grand Hotel in Las Vegas, extracting the signal from the noise, it's theCUBE covering Splunk.com 2015, brought to you by Splunk. Now, here are your hosts, John Furrier and Jeff Frick. Okay, welcome back everyone, we are live for day two of coverage of .conf 2015 Splunk conference, hashtag SplunkConf, this is theCUBE, SiliconANGLE's flagship program, we go out to the events and extract the signal from the noise. I'm John Furrier, my co-host Jeff Frick, our next guest is Christof Jungo, head of security at Swisscom, welcome to theCUBE. Thank you very much. Thanks for spending some time, I know you're super busy and we love talking about security, it's a hot topic at the show and in the industry. So it's really been one of those things where we keep on chasing the bad guys, they're penetrating, perimeterless security, these are the buzzwords that are being kicked around. What's your assessment of the current landscape of the security market? I mean, Swisscom, you guys have a lot of infrastructure, I'm sure you're under attack every day, but what's the current state of the security market? So what we see is a shift from the vandals, so the script kiddies, going through, let's say, organized groups, criminals, and then what we see is more and more sophisticated attacks, but we still have a lot of noise with the attacks, so we speak about a million attacks a day on the complete network and we assume that some of these attacks are already getting through. So ones you don't see? There's ones you don't see, those are millions that you know about. That's, you know, exactly. So one of the changes from decades ago to now is that we stated that we assume that we are already breached. So this gives quite another angle to the situation because we say we're not focusing on prevention anymore, we focus on detection and intervention, and detection means that you have to have a good view on the data. 
And talk about the data because this is the key thing because attacks can come from anywhere, there's also spoofing packets. So you've got to understand the data, what's underneath the data? So take us through the levels of analysis. Is it the network mostly? Is it the applications, is it phishing, all the above? As a telco provider, we have different networks. We have the production environment, so the wireless services and the wireless services, and we have our internal network and we have an outsourcing branch. So in the carrier, in the carrier network, we see a lot of things with the mobile devices. So we track all the antennas and save the metadata and we do some analysis on there. So we have done some analytics on whether the iPhone is more secure than the Android ones, and that's not the case. So we have up to 50% Android which have malware on it and we have iPhones. So what we are doing is we collect just the metadata and we just combine the metadata with threat networks that we know, so botnets and other stuff, and we compare it and we do some, get that value out of it to have a good idea on that. So on the iPhone thing for a minute, because that's a misconception for marketing purposes, is that people think the iPhone is more secure than the Android, elaborate on that. It's not what we have seen so far. So the amount of malware on the iPhone is totally equivalent to the Android malware. So there is no, yes it's more secure or less secure, it's equally shared between both. So the last thing, if you want to buy a good phone which is safe, buy a Nokia, an old one which is 10 years old. So that's not possible. It's a dumb phone. It's a dumb phone. I thought you were going to say a Microsoft phone. No, no, no, Microsoft phone. But you can buy an old one with the early ones. We have some malware on that too but it's quite in a half percentage. Well, this is interesting. You bring up the phone, the Nokia phone, I call it joking, an old phone but it's not a smartphone. 
That speaks to the applications now playing a critical role now in the attacks. It's not just packets. Talk about that comparison. What are you seeing on that? More network attacks, more application attacks. Do you guys have that data? And how much data do you guys grab? So we grab up to five terabytes a day for the networks and just do the indexing with Splunk. The point is that we have both. It's no longer an easy-roar attack. It's a combined attack. So when the attacker comes, they try to do some network attacks first, just to do discovery, and then try harder and go to the application. We had a lot of application attacks, especially when you go now to cloud container-based stuff where you have the web application stuff. This is, I think, the future, that we'll see a lot more attacks in this area too. And talk about the approach to security. Dave Vellante, my co-host in theCUBE, was not here. We do a lot of events and we always talk to folks about security and it comes up as the rhetorical question: is security a do-over? Meaning with the changes in the architectures? Yes. You have kind of no perimeter anymore. You have now API-based calls and apps but you have pre-existing security. So how do companies and how do security folks evolve the security paradigm? What approaches are you taking? What are you guys, how are you architecting that? Do you share some insight into that? So yes, we can share the insights on that. So one is that we go from a prevention phase to a more detection and innovation phase. This is just on log management stuff but knowing that this is happening, we try to design the system as secure as possible. So we started initiatives on trusted computing. We started initiatives on how to build secure systems knowing that they were breached in terms of checksums, in terms of runtime monitoring and first run. So if you think about all the systems, they have a chipset. 
All the systems have a BIOS and operating system, database and application on top. So we go from bottom to top. In terms of we know what type of hardware we have, we know what type of operating system, and we check the operating system against some predefined values. But we started it one year ago and it's quite a good approach because it reduces the amount of traffic that you will have to inspect with monitoring systems, because you know that you are breached at one certain point in time and you can do a self-healing mechanism. So we've got- So you assume the breach. Yes. You look for the breaches. Yes. Versus trying to spend time putting up the little roadblocks and barbed wire, whatever tools you would use. And stress communications. It's like building the dam that always breaks, you know, the beavers. But anyway, so I got to ask you about the collaborative security model you've been talking about here at the event. Yes. What is that about? So last year at the dot com 14, we spoke with the executive board of Splunk and told them, well, the problem we have now is not the ingest of data, it's just the ability to execute, because of the industrialization of IT, what happens is we have silos. We have silos for the network guys, the database guys, the application guys, the endpoint guys, and they're not speaking with each other. So we face the situation that you have an isolated view on data and said, okay, so we went down the path through a SIEM solution and Splunk, and said, well, Splunk is the central nerve center for us to have all the data at one point. But it will not help as soon as you have to immediately execute and do some remediation, because you still have the silos. So you have to go to the network guys trying to tell them something. You have to go to the endpoint devices. And what we are now doing is introducing over Splunk some kind of abstraction layer which helps us to integrate this back channel quite easily. 
So Christof, that's a nice segue into something that you've published directly, which is this concept of a collaborative security model. I wonder if you can elaborate a little bit more on what that's all about and why it is so important at this point in time? We think that there is no one company who can help us solve our security issues. And what we have seen in the past is that we had a huge amount of time and money to spend to make the systems interoperable with each other. So the integration part was quite heavy and it was very slow. So as soon as we had a new security vendor, put the system in, bring it up, make it automatically configurable and do the same. It took a while, took six to 12 months. So we are no longer in the position that we can spend six to 12 months in order to execute new stuff. So we had to go to another pass down. Another pass down is to bring the responsibility back to the security vendor in terms of that. He's also responsible for doing the configuration. He's also responsible for the log management and all that stuff. So Splunk started years ago with the technical adapter. So we just extend the technical adapter not only for ingest traffic but also for ingest traffic in terms of configuration things that we can do. And there is at the booth here at Fortinet you can see a demo. So we have a prototype running on that. And you can easily go down, you see an attack and you can fire up a firewall rule within three clicks. That's the thing we want to do. We want to broaden with all this heavy load of configuration, integration, all that stuff. We want to be smart and quick and fast. Which also begs the question on the machine learning piece, because the volume of the data is so much larger and continues to grow, as you said, and you have to presume that you've already been penetrated. So how do you, what's the role of machine learning and how is that going to change the whole security landscape? 
I think it will be one of the most critical aspects in security to have this machine learning in place. So move away from the static attacks to behavior-based attacks. That's about the silo. At the moment we were looking at static attacks from network, operating system, databases and so on. Now we collect the data and see what happens. Was there a breach? Was there a lateral movement? Was there additional malware downloaded? Was there exfiltration? So we look at the whole topic and machine learning is an important part of it. So we have the pieces, yes. Right. When you're looking at the behavioral, that's really, you're just looking for things that are out of pattern, right, out of phase. It's really kind of pattern recognition and things that just don't match. Or is behavioral recognition another level down? Is that a deeper level than just kind of simple anomaly detection? So in my opinion, pattern-based detection is just screwed. It did not work for the last 25 years. It will not work for the next five years. What is important is that you need to collect the pieces together in terms of small puzzle pieces to make the picture. And you have to combine it and we see three areas. We see everything that is identity. So, I mean, try to get credentials, try to log in, try to manipulate, get some privilege escalation so far. This is everything about identity. Then we have the network aspect. The network aspect just shows is there anonymous, anonymous, abnormal traffic? Sorry for that. That you see in the network. So is the traffic, is the behavior of the system still the same as it was half a year ago, one week ago and so on? Do we see anomalies here? And last but not least is the application behavior. So the application behavior is that, is the application doing the same thing over and over again? 
And what we have seen there is that, especially in the endpoint, when you have infected endpoints, they will try to exchange some libraries on the endpoint and suddenly you have extended features to that application. So suddenly you have an additional open port. Suddenly you have an additional communication which is not, it's either easy to detect or really hard to detect. What we have seen so far is sometimes very, very bad things, that they place the data in the flags of the TCP packet. So we call this passive covert channels. So it's very hard to detect this type of stuff. You really have to drill down to the protocol very hard. And there are obvious things, like they're using Tor protocols to exfiltrate data. So these are the easy things. So we see a lot of, we have a vast area that we have to cover. Awesome. So talk about the role of IoT and the role of the carrier, because IoT opens up a lot of transit and peering potential opportunities for you guys. So I'm sure you're getting a lot of interest. But yeah, those are packets that go with the network too. And they come from the edge of the network. Now devices could be wearables, phones, machines. So security, privacy, all this stuff is all wrapped around. Can you comment on all those features relative to IoT? So one, another paradigm is that we said the perimeter will be defined by the things you own or you rent, depends. But it's no longer the situation that you say, I have an internet access box, the VDSL router, and there is a bad guy out there and I have my corporate network or my home network inside. So you have the wearables, you have all the stuff, the metering stuff and all that. And we're actually working with companies on how to build a secure controller in terms of knowing what are the devices which are in. So the chips, the memory and all that stuff. And especially in encryption, encryption comes up as a topic, as a real hard, tough topic. 
And we're actually evolving in this area and trying to find out a feasible way of doing it. Encryption by itself will not solve the problem but it will help, it's just a lost control. So if you already have lost control, potentially encryption can help. We're getting the sign here that you've got a hard stop and I appreciate you coming on board. But a couple quick final questions. You happy with Splunk? Yes, of course. Because they're doing a good job for you? Yeah. And then finally just kind of comment, general comment on network function virtualization. You guys looking at that at all? Is it relevant? Yes. So we have a project on NFV because we're saying that the telco environment will shift from these proprietary hardware and software pieces from the vendors to software. At the moment, we have been working on that project since a year in the cloud environment, but there are some issues with performance, integration or orchestration and all this stuff showing up, but there is no way back. There is no way back to the specific dedicated hardware from vendors. It will be software at one point in time. And final, final, final question is, what are your goals for the year at Swisscom? You've got a lot going on. You have one thing you want to nail down and achieve this year. What's your goal this year? So the goal this year is the cloud security, it's still there, so we will announce in October with Intel together the first provider using trusted computing on a broad base. So we did this for a year. And second is we work on threat intelligence very heavily. So these are the two major goals that we're in. Super exciting, I wish we had more time. Thank you for spending time out of your day to share your insights on what you're working on. Love the iPhone malware thing. Certainly very training there. A lot of stuff going on. Android, iPhone, kind of 50-50, that's good data. And great insights into the collaborative approach. Again, this is, you're on the front lines. 
So appreciate your time. This is theCUBE. Getting the data and sharing that with you in a very secure way here inside theCUBE here at Splunk.com is live in Las Vegas. We'll be right back after this short break.