Live from Boston, Massachusetts, it's theCUBE. Covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. Hello everyone, welcome back to the live CUBE coverage here in Boston, Massachusetts for AWS, Amazon Web Services, re:Inforce. Their inaugural conference around security. I'm John Furrier, Dave Vellante. We've got two great guests from Splunk, CUBE alumni. And also theCUBE covers .conf, their annual customer conference. Haiyan Song, SVP, general manager of security market. Oliver Friedrichs, vice president of security products. Formerly with CUBE, you sold to Splunk doing security, Phantom, which was mentioned in the partner summit. So congratulations. It's great to see you guys. Thank you. Thank you for having us. So you guys are a really great example of a company that's been constantly innovating on top of AWS as a partner, differentiating, continuing to do business and been successful. All the talk about Amazon could compete with partners has always been that myth. You guys have been operating successfully, the great customers on AWS. Now you have the security conference. So now it's like a whole new party for you guys. As you don't go to have to re:Invent anymore, certainly the big event. What do you guys think about all this re:Inforce focus? First of all, I'm just super impressed. The size, the scale and the engagement from the ecosystem that they have over here. And I think you mentioned we've been really partnering and being successful. I think the secret is really about just be very customer focused. It's about what the customer needs, not just what each of us needs. And when we have that focus, we know how to partner, we know how to engage. One of the examples that we have here is we're partnering up as the capture the flag exercise and it's powered by Splunk. It's put up by AWS re:Inforce. And we wanted to bring the best user engagement, the gamification of learning to this audience.
And there's a demand for a security conference because a new breed, a new generation of engineering and enterprises as they move to DevOps with security. All those same principles now apply, but the stakes are higher because you got a shared data. You got to get the data. It's the data driven problem. You guys I think announced that, I think four years ago at .conf, the cybersecurity focus. Now it's front and center, mainstream. Very much so and I think for us, security is a big part of our user conference too. But we're getting inspirations from these events and how we can further really amplify that message for our customers. But we're just so glad we're part of this. Thank you for having us. Oh well, we're glad. We love covering a big success story. Oliver, I want to get to you on the Phantom. Yesterday was mentioned in a great demo of the Security Hub. Security Hub is the big news here. One of their major announcements. What is the Security Hub? Yeah, so Security Hub, and you're right, it was just announced that it reached general availability, which means it's available now to the rest of the world. It's a place to centralize a lot of your security management in AWS. So when you have detections or Amazon calls them findings coming from other security services, they're centralized in Security Hub where you can then inspect them, take action, investigate them. And one of the reasons we're here is we've established an integration with Security Hub where you can now take a finding coming from Security Hub, pull it into Splunk Phantom and run an automation playbook to be able to, at machine speed, take action on a threat. So typically, if you're a human, you're looking at an event and you're deciding, what do I do? Well, I might want to go and suspend an AMI or go and move that AMI or change the access control group to a different access control group so that AMI can only communicate with a certain protected network if it's infected.
Automation lets you do that instantaneously. So if you have an attacker who unfortunately may have gained control of your AMI, this allows you to react immediately, very, very quickly to take action in that environment. And this is where the holes are in the network. And it's an industry of errors. S3 buckets sitting out there, someone just didn't configure it, now they're like, they could be out there. No one knows. Exactly. They could be just tired, they didn't configure it properly. But you guys were in the demos. I want to get your reaction out because I was sitting in the room, they highlighted Phantom in the demo. That's right. And so that was super important. Talk about that integration. What's actually going on under the covers there? Yeah, so at a basic level, we're pulling findings through the Security Hub API into the automation platform. And then at that point, a playbook kicks off. And a playbook is basically, think of it as a big if this, then that statement. You see a threat and you go and take a number of actions. You might go and block a port. You might go and suspend that AMI. You might go disable a user. But you basically build that logic up based on a known threat and you decide, here's what I'm going to do when I see this threat. And I'm going to turn that into a codified playbook that you can then run very rapidly. On the back end, we've had to integrate with a dozen other APIs like EC2, S3, GuardDuty, and others to be able to take action in the environment as well to remediate threats. Like changing the access control list or group on a resource, right? So it's closing that end-to-end loop. Hold on, Dave, one quick question on that follow up. Then the CISO came in from Capital One, and it was off the record, but this comment was not really a sensitive comment, but I want to highlight and get both your reactions to this.
He says, in terms of workforce and talent, mentality, because the question came about talent and whatnot, he sees the shift from better detection to better alerts because of some of the demos and implying, kind of connecting the dots that the trend is to automate the threat detections the way you guys have demoed with Phantom. And then he was tying it back to, from a resource perspective, it frees his team up to do other things. This is a real trend. You agree with that statement? Absolutely. I mean, honestly, we believe that we can be automating up to 90% of the level one analysts, right? There's a lot of routine rote work that's done today in the SOC, and it's unforgiving. Nobody wants to be a tier one analyst. They all want to get promoted or go somewhere else, right? Because it's literally a wraparage. It's boring and it's repetitive. He's just automating it. Who wants to do that? So if we can automate that, we can free up about 50% of the analysts' time to actually focus on proactive activities, things that actually matter, like hunting, research and other development, writing countermeasures versus the continually keeping up and drinking from a fire hose. So I wonder if we can talk about how Splunk has evolved. I mean, you guys started before Cloud, which came in 2006 and then really took off later. Before the sort of big data craze, and you guys mopped up in big data. You never really used that term in your marketing, but you kind of became the big data leader, de facto. You got to an IPO, actually relatively, by today's comparison, small raises, right? So it's a fairly successful story. Very capital efficient. But then the Cloud comes in and you mopped up on-prem. How would you describe how the Cloud has changed your strategy? Obviously, you've gotten acquired companies heavily focused on automation, but how would you describe your Cloud strategy and how has that changed Splunk? That's a great question.
I think the fact that you have so many people here just tells you that the whole industry is going through this transformation, right? Not only the digital transformation, the Cloud transformation, and I'm glad you mentioned sort of our roots. It's all about big data. And nowadays, security in many ways is actually more about data than anything else, because the data represents your business and how you protect your data, how do you leverage the data represents your security strategy. The evolution for us when sort of zero that into Cloud is we have really been a very early adopter of Cloud, we've been providing Cloud services for our customers from the very sort of beginning, I would say at least six years ago when we introduced the product called Storm, and we continue to evolve that as the technology evolves, we evolve that with customers. So nowadays, you'll probably know Cloud is one of our fastest growing segments of our business. The technology team has been really innovating, really, really fast. How do we take a technology that we built for on-prem? How do we rebuild it to be Cloud native, to be elastic, to be secure in the new way of DevOps? Those are some of the super exciting things we're doing as a company. And on the security side, we're also, how do we help customers secure a hybrid world? Because we truly believe the world is going to stay hybrid for a long, long time. And we have companies like AWS really sort of pioneering and focusing and doing things great for the Cloud. We still have a lot of customers who need companies and technologies and solutions like what's going to bring in to bridge the world. I want to get you guys' thoughts on some comments we've had with some CISOs in the past and I really can't say their names publicly but one of them, she was very adamant around integration. And now when you deal with an ecosystem, integration has been a big part of the conversation. And the quote was on integration, have APIs and don't have it suck.
And we evaluate people's integration based upon the quality of their APIs. Implying that APIs are an integration point. You guys have a lot of experience with APIs. Your thoughts on this importance of integration and the roles that APIs play because that's, again, feeds automation. Again, it's a key central component of the conversations he says. Integration, your reaction to that. So maybe I'll start. I would say we would not have had the success of Phantom Cyber or the SOAR market if not for having those APIs. Because automation was not a new concept. It's been tried and probably not succeeded for many times. And the reason that we've been experiencing this great adoption of success with Phantom technology is because the availability of APIs. I think the other thing I would just add, I'm sure he has a lot of experience in working that. Splunk was always positioned ourselves as we want to be the neutral party to bring everything together. And nowadays we're so glad we're doing the integration not only on the data side, which is still important. Bring the data, bring the dark data and shining a light on top of that, but also turning that into action through this type of API integration. So good investment betting on integration years ago. Early on. We also change our culture. We're privileged to say how many apps we have in our Splunkbase. Now with Oliver being part of the team, Phantom being part of the portfolio, we say how many apps and how many APIs we have to integrate. That's a change of metrics. All right, Oliver, that's up to you now. I'm sure you know where you stand on this. APIs being re, it's a renaissance of APIs going to the next level. There's a lot of new things going on with Kubernetes and other things. You've got state now, you've got stateless, which is classic REST APIs, but now you've got state data. It's going to play a big role.
Your thoughts on that, don't make the APIs suck and we're going to evaluate vendors based upon how good their API is. Yeah, I think, look, it's a buying decision today. Like it's a procurement decision whether or not you have open APIs, right? I think buyers are forcing us as an industry, as vendors to have APIs that don't suck. You know, so we're highly motivated to have APIs that work well. I feel like a T-shirt ready to come out. That's a good idea. The CUBE API is coming, by the way. What does that mean, to have APIs that don't suck? So a great definition I heard recently was the API that you use as a vendor to interface with your product should be the same API that customers can use to interface with your product. And if all of a sudden they're different then you're offering a lesser API to customers, that's when they start sucking. So as long as you're eating your own dog food, right? I think that's a good definition. So it's not neutered, it's as robust and as granular. Exactly, exactly. And I think, look, 20 years ago there were no APIs in security. To do what we do today to automate all of this security response techniques that we do today, it wasn't even possible. We had to get to a certain level of API availability to even get to this stage. And today, again, unless if you're a black box people aren't going to buy your product anymore. Yeah, so again, go to the next level is visibility is another topic. So if you open the APIs up, the data's getting better so therefore you can automate the level one alert, threat detections, move people up to better alerting, better creativity, then there's the question, at what point does the visibility increase? What has to happen in the industry to have that total shared environment around data sharing because open APIs implies sharing of data. Where visibility could be benefited greatly. Yeah, I think visibility is really the key. 
You can't measure what you can't, you can't manage what you can't measure and you have to see everything in your environment, your assets, users, devices, and all of your data. So visibility is essential. And it comes in a number of forms. One is getting access to your policy data, your configuration data, seeing how are my things configured? What assets do I have? Where are my S3 buckets? How many AMIs do I have? Who owns them? How many accounts do I have? And I think that was one of the challenges before probably the last three to four years, before that period enterprises were setting up a lot of these shadow cloud environments because you could buy Amazon with your credit card essentially, right? So that was one of the problems that we would see in the enterprise when a developer would go and create their own Amazon environment. So getting visibility into that has really been, I think, a big advancement in the last few years of finding those things. They've birthed a multi-cloud. Yeah, it doesn't make it easier. So we were talking earlier on our intro, Dave and I on the keynote analysis around how you can configure it, you can secure it, and then we were riffing on the DevOps movement, which essentially decimated the configuration management landscape, which was at that time a provisioning issue around developers. They'd have to essentially stand up and manage the network and go in, make sure the ports are all there and they got load balancers are in place and that was the developer's job. Infrastructure as a code took that away. That was a major and bottom hierarchical needs that was the lowest level need. Now with security, if DevOps can take away the configuration management infrastructure as code, it's time for security to take away a lot of the configuration or security provisioning, if you will.
So the question is, what are some of those security provisioning, heavy lifting tasks that are going to be taken away when developers don't have to worry about security? So as this continues with cloud native, it becomes security native. As a developer, I don't want to get in and start configuring stuff. I want the security thing to magically, security as code as Dave said. Where are we on that? What's your guys' thoughts on getting to that point? Is it coming soon? Is it here now? What are some of those provisioning tasks that are going to be automated away? Yeah, I think we've made a lot of progress in that area already. The ability to simply configure your environment that Amazon has continued to add layers of check boxes and compliance that allow you to configure the environment far more seamlessly than having to go down into granular access control lists and defining a granular access control policy on your network ports or AMIs, for example. So I think the simplification of that has improved pretty dramatically. And even some of the announcements today in terms of adding more capabilities to do that encryption by default. I don't have to go and configure my encryption on my data at rest, it's there. And I don't even have to think about it. So if someone steals a physical hard drive, which is very difficult to begin with out of an Amazon data center, my data is encrypted and nobody can get access to that. I don't even have to worry about that. So that's one of the benefits that I think the cloud adds is there's a lot of default security built in that ends up normalizing security and actually making the cloud far more secure than traditional corporate environments and data centers. Well, I still think you have to opt in though, right? Isn't that what I heard? Opt in, yes, I would just add to that. I think it's like a rising tide, right?
So the cloud is making a lot of the infrastructure side more secure, more native, and then that means we need to pay more attention to the upper level applications and APIs and identities and access controls. I think the security team continue to have a lot of jobs, right? Yesterday they said, well, not only we need to do what we need to do to secure the AWS, we also now get involved in every decision all the other functions are doing, taking new sort of SaaS services. So I guess message is the security professional continue to have jobs and your job going to be more and more sophisticated but more and more relevant to the business. So that's, I think it's the change. So question, so Oliver, you described sort of what a good API experience is from a customer perspective. Haiyan, you talked about hybrid. Can you compare the on-prem experience with the cloud experience for your customers and how are they coming together? You want to try that first? Okay, so I think a lot of the things that people have learned to protect or defend or do detection response in the on-prem world is still very relevant in the cloud world. It's just the cloud world, I think it's now really transforming to become more DevOps centric. You know, how you should design security from the get-go versus in the on-prem world was more, okay, let's try to figure out how to monitor this thing because we didn't really give a lot of thoughts to security at the very beginning. So I think that is probably the biggest sort of mentality or paradigm shift. But on the other hand, people don't go and just flip into one side versus the other and they still need to have a way of connecting what's happening in the current world, the current business, the one that's bringing home the bacon, to the new world that's going to bring home the bacon in the future. So they're both really important for them.
And I think having a technology as AWS and their whole ecosystem that all embracing the hybrid world and the ecosystem play, no one sort of single vendor going to do all of them and pick the right solutions to do what you do. So in security, I think it's, you're going to continue to evolve to become more when the security is built in, what is the rising tide that's going to dictate the rest of the security vendors do, right? You cannot just think as 10 years ago, five years ago, even two years ago. So that bolt-on mentality in the first decade of the millennium was a boon for Splunk. It was like beautiful because we had to figure out what happened and you provided the data to show that. How does Splunk differentiate from all the guys that are saying, oh yeah, Splunk, they're on prem. We're the cloud guys. What's your story there? So our story is, you can't really sort of secure something if you don't have experience yourself, right? Splunk Cloud is probably one of the top, I don't know, 10 customers of AWS. We live in the cloud, we experience the cloud, we use the word drink, you know, like eat our own dog food. We like to say we drink our own champagne, if you will. So that's really driving a lot of our technology development and understanding the market and really build that into our data platform, build that into our monitoring capabilities and build that into the new technologies. How it's all about streaming. It's not about just somebody sending your information. Is it about in the hybrid world, how do you do it in a way that you, we have a term called the distributed data fabric search because data is never going to be in one place or even in sort of one cloud. How do we enable that access so you can get value? From a security perspective, how do we integrate with companies and solutions that's so native into the cloud? So you have the visibility, not as the bolt-on, but from the very beginning.
So you're saying that cloud is not magic for software company, it's commitment and it's a cultural mindset. Absolutely. Guys, thanks so much for coming on. Great to see you. We'll see you at .conf, theCUBE will be there this year again, I think for the seventh straight year. Oliver, congratulations on your product success and mention as part of AWS Security Hub presentation. Good stuff from Splunk. Splunk is inside theCUBE, explaining, extracting the signal from the noise from one of the market leading companies in the data business, now cybersecurity. I'm Chairman Dave Vellante, we'll be back with more CUBE coverage after this short break.