Live from the MGM Grand Hotel in Las Vegas, extracting the signal from the noise. It's theCUBE, covering Splunk .conf 2015. Brought to you by Splunk. Now, here are your hosts, John Furrier and Jeff Frick.

Okay, welcome back everyone. You're watching SiliconANGLE's theCUBE, live at Splunk .conf 2015. I'm John Furrier with SiliconANGLE. My co-host, Jeff Frick. This is theCUBE, our flagship program. We go out to the events and extract the signal from the noise. Winding down day two of two days of live coverage of all the action here in Las Vegas at the MGM Grand. Our next guest is Tony Lee, technical director, security consultant with FireEye. Welcome to theCUBE.

All right, thank you. It's good to be here.

FireEye, big company, went public, huge. Security, big money being spent. But still, always in the news. You're seeing things, Cisco's routers. They were compromised. Things are being compromised, malware, phishing attacks. What do you do there? Are you on the red team or the blue team? What team are you on? And give us a taste of what's going on in your world with FireEye.

Right, so I'm a technical director for Mandiant. So I head up our proactive practice. So we do quite a bit of services at Mandiant. So we have the product side of the house, which is FireEye. We've got the services side, which is Mandiant. Awesome team. Both of them generate lots of threat intel, which is really one of our specialties. But I head up the offensive security: internals, externals, web applications, wireless, and red teaming. So yeah, fun job.

Take us through what professional services means from a FireEye perspective. So you come in, train-the-trainer kind of thing. Is it like you're deploying, are you setting up modeling? Just take us through what are the professional services that you offer?

Right, so we do have the deployment and integration side, which is truly the FireEye product side.
But then we also have the Mandiant side of the house, which is incident response, which we're very well known for, as well as our proactive services. So yeah, I mean, we do have product-related services, but then Mandiant offers so much more.

So what are some of the things that you're seeing out there, use cases that might not be reported in the press, or articles, blogs, that are the threats of the state of the art? What are some of the incidents that you're seeing, breaches, without naming names, but what do some of the clever, smart, sophisticated, advanced attacks look like?

Yeah, absolutely. So we just released some information about the Cisco implant, SYNful Knock, that you had already mentioned. We find that that's pretty well advanced. Potentially a nation state, or at least a well-funded adversary, would create technology like that. The nice thing about working for Mandiant and working for FireEye is that we are ground level, really. I mean, we are at ground zero on some of the biggest breaches that occur in the industry, and we see things that nobody else sees.

Well, give us some, share some color on that.

So the attacker TTPs are techniques, tactics, and procedures. They're always evolving, right? So we see new tools being integrated into attacks, in particular, WMI, PowerShell. We just announced Forbes, AdWare. I mean, it's ever-evolving. So we have to stay one step ahead of the attackers, but the advantage of also having that incident response knowledge is that we can apply that towards our proactive services, our red teaming, so we can really emulate the adversary because we see what they're doing firsthand.

So take us through the red team, blue team. For the folks that aren't familiar with what that is, obviously, one's an offensive team that simulates the bad guys, kind of like movies you see, like Sneakers, or these movies out there that geeks like to watch. I'm kind of dating myself with one of my favorite movies.
The blue team's more defend, right? What is the day in the life of those teams? What do they do? They come in and they set up and they kind of go in the special room. Well, I mean, there's kind of a mystique behind it.

So it's just like the movies. It's just like the movies. Everything you see in the movies, spot on, right? I mean, it's virtual reality and we've got all these screens and everything. Not really, you know, it's not really like a movie.

You have your MacBook Pro, you may have some screenplay. Just like it.

No, I mean, red teaming is a valuable service for companies because often they may not know what it's really like to face the adversary. And what we're doing is we're prepping them for that, right? We are showing them what it's like to be heavily targeted, to be specifically targeted, and it really is a no-holds-barred sort of challenge for them. And I think after seeing one and learning from mistakes, they're more ready to face the real world.

So you come in, simulate an attack, you do a post-mortem, they sit there, they scratch their heads and, wow, let's do that again.

Yeah.

It's kind of like, you know, football skills. Run the play again.

Yeah, absolutely. I mean, keep on working on that. Yeah, it's far more than just a tabletop exercise, right? I mean, they're seeing the attacker TTPs. Like I mentioned before, we see them during our incident response. We roll those over into our proactive services, our red team, and it gives the customer a great chance to see what the attacker's going to do to them, but it doesn't carry the same risk of, hey, all of our stuff is exposed and we're now on the front page, right?

Are they generally okay with the red teaming and they bring it on, or are they more like scared to be fired? I mean, security is so growing right now, I wouldn't get the sense that there's a job security issue per se, but is there some psychology behind that? What are you seeing?
Yeah, I mean, there's always a concern that, you know, the defenders will look bad, but I think there's a bigger concern that if it were a real-world scenario, then that's a resume-generating experience, right? If you're on the front page, you're probably looking for a new job. But, I mean, it's far better to have us tell you that you have issues rather than the New York Times telling you you have issues, right?

Yeah, talk about Splunk now. Where does Splunk fit into all this? You've got to Splunk the data. How are you guys involved in Splunk as a company, professional services? What's your involvement with these guys?

Yeah, so I'm actually the FireEye Splunk app developer. I think Splunk is a great partnership with FireEye because they're not a competing technology, but they augment FireEye data. So we are basically the sensor, they're the consumer. We have an excellent partnership with Splunk because we do want our data to be available for all Splunk users, and it enables event correlation, really.

What about this concept we had, Christoph on earlier from SwissCon, that you've probably already been compromised, and really kind of looking at the world from the point of view, not that it's going to happen or you can defend it, you can defend to some degree, but you've probably been compromised in some way that you don't even know yet. How does that change the tactic? How does that change the way that you guys work?

Yeah, that's a great question too, because, I mean, you've read the reports that most organizations, 200-plus days, before they ever know that they're compromised. So Mandiant has listened to the industry, we've addressed that concern. We actually offer something called a compromise assessment where we come in and we do sweeps throughout the network and we look for those indicators of compromise that should tell you whether or not you are in fact compromised.
And then if we do get a positive hit, then that starts the incident response process, the cleanup process, but at least we have something that addresses the concern or the fear, the doubt that our clients have of, am I compromised?

And do you find most of the time with a new client, the first time you do that assessment, that sure enough, not necessarily a big thing, but different degrees of, yeah, you've got a lot of systems, you've got a lot of ports to that system?

Yeah, absolutely. I mean, most of the clients that we have are fairly large clients. I mean, if you have 100,000 systems or 200,000 systems, it's absolutely impossible to have a perfect network, right? You're always going to have some kind of issue, whether it's commodity malware or nation-state malware or some kind of advanced threat. So to a certain degree, I would say, I don't think anybody gets a clean bill of health.

Yeah, and when you define malware as you just did just now, between kind of commodity versus nation-state versus well-funded, I think, was the other kind of subcategory, is that based on knowledge that in fact that is the instigator of this attack, or is it just kind of based on how you scale things, small, medium, large? I mean, how do you come to those conclusions, or what is the standard there?

Right, well, one thing that Mandiant and FireEye do is we track the threat actors, right? I mean, we released a report on APT1. I mean, that's the level of detail that we track these threat actors. So when it is one that we've been tracking, whether that's nation-state or well-funded adversary, we can categorize that based off of their TTPs, their techniques, tactics, and procedures. So we do have a very good idea, when we're looking at the attack, who to attribute it to.

Tony, really appreciate you coming on theCUBE and sharing your insight. Love to get more data, send us some info for SiliconANGLE and we'll get some stuff on the blog, but I really appreciate you spending the time.
My final question is I'd like for you to share with the audience watching live and then on demand. What's it like here? What's the vibe this year? Splunk .conf, what's your takeaway? What, anecdotally, what's popping out at you? What's the vibe?

Oh man, it's great. I mean, there's so much energy at .conf. Everybody comes in, they're very excited. It's, Splunk users are a unique, I guess they're a unique customer base because everybody's excited to learn, everybody's excited to share, and everybody's excited about what we can do when we put our minds together. And this is very much a sharing conference, so it's been a lot of fun.

It's a sharing economy. We're living in the sharing economy. We've got Uber, Airbnb, and we've got theCUBE. theCUBE is one big data ingestion. Call it cubing, Splunking. Are we cubing? We're cubing. I like that. So we're like, thank you for sharing the data, as we ingest more and share it back out with you. We'll be back with more after this short break, live here in Las Vegas at .conf 2015. We'll be right back.