Live from the Walt Disney World Swan and Dolphin Resort in Orlando, Florida, it's theCUBE. Covering Splunk .conf2016, brought to you by Splunk. Now here are your hosts, John Furrier and John Walls. Welcome back to .conf2016 along with John Furrier. I'm John Walls and we continue our coverage here on theCUBE, the flagship broadcast of SiliconANGLE TV. Glad to have you with us as we stream live throughout the day, second day of coverage here. Been a big week, a lot of news, a lot of happenings. It's been a big week for a company called Acalvio, and their co-founder and CEO now joins us, Ram Varadarajan. Ram, good to have you. Pleasure to be here. Yeah, so big week for you, big announcement. Splunk comes in with a serious investment in your company; they announced that on Monday. What, I guess, is the nature of that relationship, you know, what's the foundation of that and what would this lead to, do you think? Yeah, so to answer the question, let me tell you what we do. It's going to become apparent how this thing all fits together. So we're in the business of protecting enterprises from threats that cross the boundaries and come inside the enterprise. So think of it as a motion detector for your enterprise. You know, firewalls are like locks on doors. So the idea here is anybody that gets past the perimeter defenses, we want to catch them inside the enterprise, you know, to catch them with precision and with speed. So that's what we're all about, you know. So, advanced threat defense. So in order to do that well, we actually need a unique combination of technology. So we use deception technology and machine learning to actually solve this problem. And to do this machine learning well, you need lots of data. And Splunk is an ideal partner to actually provide the substrate for us to detect and respond; that's the name of the game. So we want to detect easily. So in order to do that, we want to set traps properly. So we need data to set intelligent traps.
And then we need to help the response with the data properly. So again, we need data for that. And Splunk is a great platform for us to partner with. So the data is the key for all this, for you. Absolutely. We are generating net new data that we contribute into the Splunk ecosystem. And we also consume data from Splunk to help us set up better deceptions and to give better response. So let's kind of go back in time, trip down memory lane. We're old enough to know the old days: set up a honeypot and people come in and you go, okay, there they are. Very simple, simpleton view of the way it was back then. Network traffic really was the issue. And you have a little server and people come on, they attack, they try to attack the host, and you got them. So easy. But right now it's so different. What's the key thing now that you guys are doing differently? Because everyone's throwing the kitchen sink at security. You know, all kinds of different techniques, kind of what's happened, let's go in, prescriptive analytics. Talk about what's different and why you guys see something different in your approach. Yeah, a very good question. So, a two-part answer to that. The generic view on trying to use machine learning to solve security problems is to actually collect lots of data, boil it and look for anomalies. And it works, it works well in some environments, like when you can model user behavior, like when you are doing card purchases, things like that, where you have, you know, repeatable data from previous experiences with the user; you can actually figure out what's deviant now from the past. Security inside the enterprise is actually an unsupervised environment. So it's very hard; you can't get data to actually build models for this properly. So if you boil lots of data trying to find attackers inside the environment, you get lots of false positives.
So if you get a lot of false positives, then you're generating a long work order for the SOC, and then nobody likes it. So the idea is, you know, our whole philosophy is to turn this upside down. So we want the anomaly to announce itself. So that's where deception comes in. So deception essentially, if you do it right, the bad guy comes and knocks on your door. So you actually know that the bad guy is here. I mean, you know that for a near certainty. And now you can pull on the thread and do lots of interesting things to say, where did he come from? What path did he take? And you can actually, you know, try to even project where he might be going and things like that. So that's the whole beauty of the solution: it's turning the thing upside down. It's like, you know, injecting a dye into an MRI to get a bigger, better picture of what you're doing. So that's the whole difference from all the data science. So we don't want to boil lots of data. We just need to follow a thread. I think the thing that you mentioned that I want to drill down on is interesting. The word unsupervised is really, I think, an important concept. And I want to just get your thoughts on this because machine learning is also nuanced, right? You have unsupervised algorithms for machine learning, which is the hardest class of machine learning. You have supervised machine learning, which is very limited. So your machine learning might be a fit, if I get this right. So what are you guys doing with unsupervised machine learning? Because how do you get that detection? Is it like a pattern recognition thing? I mean, like, how do you talk about, share your thoughts? Very good questions. So back to your earlier question of, you know, what's different about your honeypots today from the honeypots of old? So the honeypots of old were all, you know, and deception is, you know, being around in nature for millions of years and the military for hundreds of years.
So in IT, they've been around for tens of years, but they've never been productized or industrialized, so to speak. And the problem is, you know, if you go to an IT department and say, please use deception, the IT advisor is going to ask, how many of what do you want me to put where? So they put 10 Unix machines, five Linux machines, you know, what do I run on them? This is all a very complex thing for people to analyze and do by themselves. The other thing that's very important is, staleness is the enemy of deception. So if you actually stick a machine there, the bad guy runs into it, he knows that that's a deception. The bad guy is definitely coming back a second time because he has no penalty for retrying. And the second time around, he knows that IP address A.B.C.D is a deception. So he's just going to work around it. So you cannot have stale entities around and hope to catch anything of interest. And you also need to have a lot of density and things like that; otherwise you'll be a buoy in the ocean, nobody will be anywhere near you. So our whole thesis here- So they're smart too, so they're smarter. They are very smart, and so you ought to outsmart them. So in order to outsmart them, you need, what we do is actually create a dynamic environment, and we do something unique called DevOps for deception. So we actually set up the deception dynamically. Deception as code is a new category. Exactly, and without the administrator writing any code, so we can actually set up the deceptions dynamically. And so it can change dynamically as well. So you, the administrator- So they think they're going to resources the first time, basically. Exactly. So Active Directory would be a great example. I think about a hacker, I go to the directory, like say Active Directory. You could use any resource, you could use any resource. You come back a second time, the minefield is different.
So you actually have no learnings from the previous time that you can use to your advantage the second time. It's like Chutes and Ladders, that game we used to play. Yeah, do you game play this out? I mean, like, it's okay, this is what we're doing now. These are the traps we're setting, this is our, and so if I were trying to beat us, something like a football game, right? This is what I would do. And so I'm going to prepare for that. I mean, how far down do you go with that? Because it seems like you've got the right approach now, but tomorrow's a different day. Well, the thing is, as long as we're algorithmically correct in actually figuring out how to lay out new deceptions based upon inputs that we get from various places, threat feeds, maybe underlying data from Splunk, whatever, that helps us set the minefield correctly, we can play this game for a very long time. And so the idea is we are wise to the methods in which attackers are moving from one machine to another. We have attackers on our own staff as well. For example, our chief security architect is one of the most celebrated hackers in the US, Chris Roberts. So I think our algorithms are all tuned to understanding the layout of the enterprise and blending into the enterprise. And that's where the data comes in, right? So the data from Splunk fits in, if I get this right, you always create a zero-state threat deception, meaning it's always a new environment. Always a fresh environment. And you do that because your strategy is basically to be a better cat-and-mouse game than the next guy. Exactly. So you're always out-catting, mousing, whatever, whoever's the cat and the mouse, you create those fresh resources. And the Splunk data gives you new data. Exactly. So you can... Yeah, so Splunk gives us data about the existing state of the enterprise.
So we can understand the enterprise, we can understand how to name the decoys, understand how to set them up, what to run on them, so that they blend properly and they don't stand out, because if they stand out attackers are going to avoid you. So you actually have to blend in. So we do the blend-in part very well. And this can work for anything. It can work not only for enterprises, it can work even for the home environment. Let me give you a simple example to understand this. You understand the IoT use case. So today in your home environment, for example, if there's an attacker on your home network, you have no idea the attacker is on. But what if your router, for instance, could actually project a dozen fake machines in the enterprise, or a fake thermostat or whatever. And you're blissfully doing your own work because you don't even know these other entities exist. You're not querying them. But the neighbor that's on your network is actually mucking around. They'll actually touch one of these decoys and then bam, your smoke alarm blasts. So let me see if I get this right. So the innovation here is, you have the ability with new data to create a new deception environment every time. So there's no learning for the behavior. I would imagine from a machine learning standpoint that that would put the attacker into a pattern mode because they are constantly seeking resources. So it would probably make sense that you could surface that pattern easier because they're almost looping through. If we know patterns that the attackers use, we can set the decoys in clever ways. They'll tell you the patterns. Because their behavior is the pattern, which is unknown to you but can be surfaced because they're only pattern attacks. Exactly.
And again, that's why the symbiotic partnership with Splunk will actually allow us, if Splunk sees potential mischief happening somewhere, they could even call us and say, hey, how about deploying some decoys over here just to validate a threat, for example. And things like that. So we just figured out the algorithm. So I'm going to go back to my room tonight. I'm actually going to build a system. So are you worried that your secret sauce is out in the open? Not at all. Not at all. So how do you protect the IP now? The IP is, in cryptography, there's a wonderful concept of algorithms and keys. Algorithms can be public. It's actually the key that needs to be secret. So it's not security by secrecy. The algorithms are all well understood. You expect somebody will be able to reverse engineer them. The question is how you deploy those algorithms and how do you seed them? So your methodology is your IP. Exactly. How you do it and how it gets, and the data obviously becomes a moving train for someone, a replicator. So you become inimitable because of the data. Exactly, and so that's all about the detect part. I mean, I think the interesting corollary to the whole story is the response part. So once you know, let's say somewhere a decoy gets touched, how can you help the enterprise with this information? So of course we can promote that to Splunk so Splunk can do wonderful things with it, but we can do independently wonderful things as well. So for instance, we can actually trace the path that that attacker took in order to reach the decoy. Because we know the immediate neighbor already, because we were touched by that machine. But then we can go to Splunk and say, what happened on that machine? What sessions were running there? Who are the neighbors that actually have forensics on what you saw? Incident response, exactly. So we actually go and mine for specific information without having to build an ocean of data.
We actually go do some clever data mining and then we use AI techniques to actually plot out a course, a route path, and things like that. So pretty cool stuff. Oh, this is amazing. Like, we could go on for hours. I love this whole unsupervised environment. I think that is what I see people struggling with right now: they think machine learning is the panacea for all things. It's not, right? It's not. I mean, in my past life, I ran a company that did risk management for credit card transactions. So it's supervised learning. We built neural network models. We could predict user behavior. Attacker behavior is not predictable. So it's unsupervised. So you need new tools for this game. And that's what we have. Before we let you go, we heard a lot of dire predictions or dire forecasts or perspectives yesterday about security. We're outmanned, there's too much technology. We don't have enough brain power, whatever. Big picture and briefly, how do you see it? I mean, can we minimize damage? Can we eliminate damage? Are we swimming upstream? No, no, I think automation and intelligence is the name of the game. The defenses have to be automatically configuring themselves to your environment. If you don't have to actually go physically intervene in order to set up the defenses, so if you can actually set up the automation properly, that's how you're going to win the game. And that's what we can do. I'd like you to come over to my house and set up my router if you don't mind. I mean, more importantly, you should be able to buy it from somebody, since you're going to take over. You mentioned industrialization; productizing it really is the key. And I think this is what we were saying in our opening, that this new way of doing business is exactly kind of what we're seeing. Exactly. It's got to throw out the old and bring in a whole new approach. Legacy kills you here. Exactly. Legacy, lethargy, staleness is all bad news. Ram, thanks for joining us.
And congratulations on the week and best of luck down the road, getting that first product out in the marketplace. Thank you. Good deal. All right, thank you. Thank you, John. Back with more on theCUBE here in just a bit, we're at .conf2016 here in Orlando.
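As an added illustration placed after the interview, and not code from Acalvio, Splunk or theCUBE, the following Python model shows the two mechanics Ram describes: decoys laid fresh every epoch from a secret seed (the public-algorithm, secret-key analogy), so the addresses an attacker learned last time are stale, and an alert that fires only when a decoy is touched, handing incident response the immediate neighbour to pivot to. The host inventory, decoy address pool, seed, and flow-log lines are all constructed for the demo and stand in for what a SIEM would supply.

```python
"""Toy deception layout and decoy-touch detection (added example, not vendor code).
All hostnames, addresses, the seed and the log lines are constructed for the demo."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory standing in for what the SIEM knows about the enterprise:
# the naming convention and address ranges that decoys must blend into.
REAL_HOSTS = {
    "fin-db-01": "10.1.20.11",
    "fin-db-02": "10.1.20.12",
    "hr-app-01": "10.1.30.21",
}
# Addresses reserved for decoys (constructed); none overlaps a real host.
DECOY_POOL = [str(ip) for net in ("10.1.20.128/25", "10.1.30.128/25")
              for ip in ipaddress.ip_network(net).hosts()]
SECRET = b"placeholder-seed-rotate-per-deployment"  # the 'key'; the layout code is the public 'algorithm'


@dataclass(frozen=True)
class Decoy:
    name: str
    ip: str


def lay_decoys(epoch: int, secret: bytes = SECRET, count: int = 4) -> Dict[str, Decoy]:
    """Return {ip: Decoy} for one epoch. The same (epoch, secret) always yields the
    same layout, so operators can reproduce it, while a new epoch yields a new
    minefield with no carry-over from the previous one."""
    prefixes = sorted({h.rsplit("-", 1)[0] for h in REAL_HOSTS})  # e.g. fin-db, hr-app
    decoys: Dict[str, Decoy] = {}
    attempt = 0
    while len(decoys) < count:
        digest = hashlib.sha256(secret + f"{epoch}:{attempt}".encode()).digest()
        attempt += 1
        prefix = prefixes[digest[0] % len(prefixes)]
        number = 3 + digest[1] % 20          # above the real 01/02, so names never collide
        ip = DECOY_POOL[int.from_bytes(digest[2:4], "big") % len(DECOY_POOL)]
        name = f"{prefix}-{number:02d}"
        if ip in decoys or name in {d.name for d in decoys.values()}:
            continue                          # keep both names and addresses unique
        decoys[ip] = Decoy(name, ip)
    return decoys


# Constructed flow-log format: "<ts> src=<host> dst=<ip> dport=<port>".
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def detect_touches(log_lines: List[str], decoys: Dict[str, Decoy]) -> List[dict]:
    """Legitimate users never address a decoy, so a hit is a near-certain signal
    rather than a statistical anomaly. Each alert carries the source host, the
    immediate neighbour that path tracing starts from."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("dst") in decoys:
            alerts.append({"neighbor": m.group("src"),
                           "decoy": decoys[m.group("dst")].name,
                           "dport": int(m.group("dport"))})
    return alerts


def sample_logs(decoys: Dict[str, Decoy]) -> List[str]:
    """Constructed flow records: normal traffic to real hosts plus one probe
    from hr-app-01 to the first decoy of the given epoch."""
    first_decoy_ip = next(iter(decoys))
    return [
        "2016-09-28T10:00:01Z src=hr-app-01 dst=10.1.20.11 dport=5432",
        f"2016-09-28T10:00:07Z src=hr-app-01 dst={first_decoy_ip} dport=445",
        "2016-09-28T10:00:09Z src=fin-db-02 dst=10.1.30.21 dport=443",
    ]


def stale_knowledge(old: Dict[str, Decoy], new: Dict[str, Decoy]) -> List[str]:
    """Decoy addresses learned in an earlier epoch that no longer lead anywhere."""
    return sorted(set(old) - set(new))


if __name__ == "__main__":
    epoch1, epoch2 = lay_decoys(1), lay_decoys(2)
    print("epoch 1 decoys:", [d.name for d in epoch1.values()])
    print("learned in epoch 1, gone in epoch 2:", stale_knowledge(epoch1, epoch2))
    for alert in detect_touches(sample_logs(epoch1), epoch1):
        print("decoy touched:", alert)
```

The design point worth noticing is that nothing here models attacker behaviour statistically: the only condition that raises an alert is traffic to an address that no legitimate process should ever use, which is why the false-positive problem of boiling the whole data lake does not arise. Feeding a real inventory and real flow records in place of the constructed ones is the integration step the interview attributes to Splunk.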