Live from Las Vegas, it's theCUBE. Covering Splunk .conf19, brought to you by Splunk. Okay, welcome back everyone. It's theCUBE's live coverage in Las Vegas for Splunk .conf, user conference, 10 years. It's their anniversary. It's theCUBE's seventh year. I'm John Furrier, your host, with a great guest here. Joe Partlow, CTO of ReliaQuest, recently on the heels of buying Threat Care and Marcus Carey and team, congratulations. Thanks for coming on. Yeah, yeah, it's been a fun month. So, obviously, security, we love it, but let's take a minute to talk about what you guys do, talk about what your company does, and then I've got some questions for you. Yeah, so, you know, obviously with the increasing cyber threats, you know, security companies have a lot, or customers have a lot of tools. It's easy to get overwhelmed. It really causes a lot of confusion. So really what we're trying to do is we have a platform called Grey Matter that is really kind of how we deliver security model management, which, what that means is, that's bringing together people, process, technology in a way that's easy to kind of make sense of all the noise. You know, there's a lot of features in there that would help monitor the health, the incident response, the hunt, any kind of features that you would need from a security team. So you guys are a managed service, you said? Or? Yeah, yeah, a little different than a traditional MSSP. We, you know, work very close with the customers. We work in their environment. We're working side by side with them in their tools and we're really maturing and getting better visibility in their environment. Just want to get that out. MSSP, you heard it, right? That's what you guys are. MSSP. On steroids, a little bit different. All right, well, you guys got some things going on. You got a partnership with Splunk for the .conf SOC. Oh yeah. Talk about that, what's that about here and what's it showing? Yeah, that's been a great experience.
We work very close with the Splunk team. We monitor Splunk corporate; we work with their security team monitoring them. So when .conf came around, it was kind of a natural progression of, hey, you know, Joel and team on their side said, hey, how do we kind of build up the team and do a little bit extra, and see anywhere that we could help secure .conf. It was really cool. I give credit to the team, both teams, standing up a new Splunk install, getting everything stood up really in the last few weeks, making sure that everybody at the pavilion and the conference in general is protected and we're watching for any kind of threat. So it's been great working with the Splunk team. So is that normal procedure, that the bad guys want to target the security conferences just to kind of make a statement? Is it more of a graffiti kind of mentality? It's a hack kind of fun? Or is it just like malicious endpoints that they want to get out of here? Oh yeah. There's a little bit of a, you know, let's do it for fun and mess with the conference a little bit, so we want to make sure that that doesn't happen. So is my endpoint protected here? My endpoints, my phone and my laptop? Not the user specific, but any of the conference-provided demo stations. Okay, so infrastructure for the equipment, not me personally. Okay. Yeah, we're not monitoring your personal machine. I don't care, okay? I gave up my privacy years ago. This is an interesting thing. Talk about working with Splunk because, you know, I hear all the time, and again, we're looking at this from an industry-wide perspective. I hear, we got a SOC, they got a SOC. So these SOCs are popping up, you know, security operations centers. What is the state of the art for that now? Is it best practice to have a mega monster SOC or is it distributed? Is it decentralized? What's the current thinking around how to deploy SOCs, security operations center or centers? Yeah, we certainly go with a decentralized model.
We need to follow the sun. So we've got operation centers here in Vegas, Tampa and Dublin, really making sure that we've got the full coverage. But it is working very close with the Splunk SOC. So they've got a phenomenal team and we work with them side by side. Obviously we are providing a lot of the tier one, tier two heavy lift and then we escalate to the Splunk team. They're obviously going to know Splunk corporate better than we will. So we work very close, hand in hand. So you guys acquired Threat Care and Marcus Carey is now in the office of the CTO, which you're running. Yes. How is that going to shape ReliaQuest and your business? Yeah, the acquisition has been extremely, you know, exciting for us. You know, after meeting Marcus, I've known of Marcus, he's a very positive influence in the community. But having worked with him, the vision for Threat Care and the vision for ReliaQuest really closely aligned. So where we want to take the future of security testing, testing controls, making sure upstream controls are working, where Threat Care wanted to go for that was very much what we aligned with. So it made sense to partner up. So very excited about that. And I think we'll roll that into our Grey Matter platform as another capability. Grey Matter, love the name by the way. I mean, first of all, the security companies have the best names. Mission Control, Grey Matter, you know, Red Canary, canary in the coal mine, all good stuff, all fun. But you know, you guys work hard. So I know the product's got to be good. I got to ask you around the product vision, around the customers and how they're looking at security. Because you know, it's all fun and games until someone's hacking their business trash or there's ransomware going on. Data protection has become a big part of it. What are customers telling you right now in terms of their fears and aspirations? What do they need? What's on the agenda, I guess, for customers right now?
Yeah, I think kind of the two biggest fears, and then the problems that we're trying to address, is one, just a lack of visibility. A lot of customers have so many things on their network. A lot of mergers in that position, so unfortunately a lot of times the security team is the last one to know when something pops up. So anything that we can do to increase visibility, and a lot of times we work very closely with Splunk or with the SIEM that they have to make sure that happens. And then the other thing I think is, you know, most people want to get more proactive. You know, SIEM and logging by nature is very reactive, so they want to try to get out in front of those threats a little bit more. So anything that we can do to try to get more proactive is certainly going to be top of mind for them. Well, the Machine Learning Toolkit's getting a lot of buzz here at the show. That's a really big deal. I think the other thing that I'm seeing, and I want to get your reaction to, is this concept of diverse data. That's my word, not Splunk's, but the idea of bringing in more data sets actually helps machine learning. That's pretty much known by data geeks, but making data addressable. Because data seems to be the one thing that is doing a lot of the automation that takes that heavy lift and also provides heavy lifting capabilities to set data up, to look at stuff. So data is pretty critical. Data addressability, data diversity, you got to have the data and it's got to be addressable in real time and through tools like fabric searching and other things. What's your reaction to that and thoughts around that? No, I agree 100%. You know, obviously most enterprise customers have a diverse set of data, so trying to search across those data sets, normalize that data, it's a huge task. But to get the visibility that we need, we really need to be able to search these multiple data sets and bring those in to make sense.
Whether you're doing threat hunting or responding to alerts or you need it from a compliance standpoint, being able to deal with those diverse data sets is a key issue. You know, the other thing I want to get your thoughts on is something that we've been kind of commenting on. I've kind of set a particular position on this from an opinion standpoint, but it's kind of obvious, but it's not necessarily true. But my point is, with the data volume going up so massively, that tips the scales and the advantage to the adversaries. Ransomware is a great example of it. Little ransomware now is towns and cities. These ransomware attacks are just one little vector. But with the data volume, data is the surface area, not just devices. So how is the data piece of it and the adversarial advantage? Do you think that makes them stronger, more at surface area? Yeah, definitely. And that's something that, what we're leaning on machine learning for a lot is it really kind of makes sense of that data. A lot of times you want to baseline that environment and just find out what's normal in the environment, what's not normal. And once you can find that out, then we can start saying, all right, is this malicious or not? Some things that, maybe PowerShell or something in one environment is a huge red flag that, hey, we've been compromised. In another one, hey, that's just a good administrator automating his job. So making sense of that. And then also just the sheer volume of data that we see customers dealing with. Very easy to hide in if you're doing an attack from an adversary standpoint. So being able to see across that and make sure that you can, at scale, sift through that data and find the actionable event. We were just talking with a friend that I've known from the cloud world, cloud native world. We're talking about DevOps versus security operations. And those worlds are coming together.
There are more operational things than developer things, but yet CISOs that we talk to are fully investing in developer teams. So it's not so much DevOps dogma, if you will, but we got to do DevOps. You know, CI/CD pipeline, okay, get that. But developers play a critical role in the free security architecture. But at the end of the day, it's still operations. So this is the new DevOps or SecOps, whatever it's called these days. What's your, how do customers solve this problem? Because it is operational, whether it's industrial IoT or IoT or cloud native microservices to on-premise security practices with endpoints. I mean, the thing we see that kind of gets those teams the most success is making sure they're working with those teams. So having security siloed off by itself, I think we've kind of proven in the past that doesn't work, right? So get them involved with their development teams, get them involved with their NetOps or SecOps teams, making sure they're working together so that security teams can be an enabler. They don't want to be the team that says no to everything. And at the end of the day, most companies are not in the business of security, they're in the business of making widgets or selling widgets or whatever it is. So making sure that the security team is working. Building apps too, right? Just doing it. That's an app issue. Exactly, making sure that they're kind of involved in that life cycle so that, not that they can define what that needs to be, but at least be aware of, hey, this is something we need to watch out for and get visibility into and keep the process moving. All right, let's talk about Splunk. Let's talk about their role in the enterprise. Obviously, Enterprise Suite 6.0 is shipping, general availability. How are you guys deploying and optimizing Splunk for customers? What are some of the killer use cases that are there and new ones emerging? Yeah, we provide really kind of three core areas for Splunk customers.
One is obviously making sure that the platform is healthy. So a lot of times we'll go into a customer where maybe their Splunk team has turned over or they rapidly expanded and quickly kind of overwhelmed the system that's there. So making sure that the architecture is correct, maintained, patched, upgraded and they're really taking advantage of the power of Splunk from an engineering standpoint. Also another key area is building content. So as we were discussing earlier, making sure that we've got the visibility and all that data coming in, we've got to make sure that, okay, are we parsing that data correctly? Are we creating the appropriate alerts and dashboards and reports, and can we see what's going on? And then the last piece is actually taking, obviously taking action on those. So from an incident response standpoint, watching those alerts and watching that content fire and making sure that we're escalating and working with the customer security team. I'd love to get your thoughts, final question on the, first of all, great insight. Don't totally love that. As customers who are, first of all, Splunk, by our data, is the number one third-party app for logs and app workloads, and in cloud as well. As more clients that you have rely more on cloud, AWS for instance. They have Security Hub. They're deploying some, they're starting to lean on cloud providers, hyperscale cloud providers, for security. That doesn't diminish the role Splunk plays. So there's a lot of people that are debating, well, the cloud is going to eat Splunk's lunch. And so, but I don't think that's the case. I want to get your thoughts on it because they're symbiotic. So what's your thoughts on the relationship of the cloud providers to the Splunk customer who's also going to potentially move to the cloud and have a hybrid cloud environment? Yeah, and I would agree that they're going to exist side by side for a long time. Most environments that we see are hybrid environments.
While most organizations do have a cloud-first initiative, there's still a lot of on-prem stuff. So Splunk is still going to be a key cornerstone of just getting that data. Where I do see is maybe in those cloud platforms, kind of stretching the reach of Splunk of, hey, let's filter and parse this stuff, maybe closer to the source and make sure that we're getting the actionable things into our Splunk ES dashboards and things like that. So that we can really make sure that we're getting the good stuff. And maybe the stuff that's non-actionable, we'll leave up in our AWS environment. And that's a lot of the technology that Splunk's coming out with, where it's able to search those other environments, that is going to be really key, I think, for that. Where you don't have to kind of use up all your licensing to bring that non-actionable data in, but you're still able to search across it. But that doesn't sound like a core Splunk service. That's more of an operational choice. Less of a core thing. You mentioned that you think Splunk's going to sit side by side with the clouds. What gives you that insight? What's telling you that that's going to happen? What's the... Yeah, you still need the core functionality of Splunk. Splunk provides, it's a great way to bring data in. It parses it extremely well. Having those correlation engines and searches, that's very nice to have that prepackaged. Doing that from scratch, you could certainly, there's other tools that can bring data in, but that's a heavy lift to try to recreate the wheel, so to speak. We're here with Joe Partlow, CTO of ReliaQuest, partner with Splunk, setting up the .conf SOC for the exhibit and all the infrastructure. Final question. What's the coolest thing going on at .conf this year? What should customers or geeks look at that's cool and relevant that you think should be top line, top couple things? Yeah, one of the things I liked the most out of the keynote was the whole Porsche use case with the AR augmentation.
I thought it was really, really cool. And then obviously the new features that they're coming out with, with DFS and another pricing model, so definitely an exciting time to be a partner of Splunk. All right, Joe, thanks for coming. I'm John Furrier, here with theCUBE live in Las Vegas, day two of three days of coverage at .conf. Their 10th year anniversary, our seventh year covering, that's looking at AngularCube. I'm John Furrier, thanks for watching. We'll be right back.