Live from Las Vegas, it's theCUBE! Covering Splunk .conf19, brought to you by Splunk. Okay, welcome back everyone. It's theCUBE's live coverage here in Las Vegas for Splunk .conf. I'm John Furrier, host of theCUBE. It's the 10th anniversary of Splunk .conf, the user conference, and our seventh year covering it. It's been quite a ride. What a wave: Splunk keeps getting stronger and better, adding more features. And it's really become a powerhouse from a third-party security standpoint. We've got a CISO on theCUBE today. John Frushour, Deputy Chief Information Security Officer, New York Presbyterian, the Data to Everything award winner. Welcome to theCUBE. Thank you, thank you. So first of all, what's the award that you won? I missed the keynote as I was working on a story this morning. Sure, sure. What's the award? Yeah, the Data to Everything award is really celebrating using Splunk kind of outside its traditional use case. You know, I'm a security professional. We use Splunk, we're a Splunk Enterprise Security customer. That's kind of our daily duty. That's our primary use case for Splunk. But New York Presbyterian developed a system to track narcotic diversion. We call it our medication analytics platform. And we're using Splunk to track opioid diversion, slash narcotic diversion, same term, across our enterprise. So, you know, looking for improper prescription usage, over-prescription, under-prescription, prescribing for deceased patients, prescribing for patients that you've never seen before. Superman problems, like taking one pill out of the drawer every time for the last 30 times to build up a stash. You know, not resupplying a cabinet when you should have 30 pills and you only see 15; what happened there? Everything's data. It's data, everything. And so we use this data to try to solve this problem. So this is obviously drugs. That's a great use case; if people want to find the drugs, they're going to work hard for it.
But that's just an insider threat kind of concept. Absolutely. As a CISO, you know, security is paramount. What's changed the most? 'Cause look at, I mean, just look at Splunk over the past seven years. Log files, now you've got cloud-native tracing on the KPIs. You now have massive volumes of data coming in. You've got core business operations with IoT, things all instrumented. Sure, sure. As a security officer, that's a pretty big surface area. Yeah. How do you look at that? What's your philosophy on that? You know, a lot of what we do, and my boss, the CISO, Jennings Aske, a lot of what we look at is endpoint protection and really driving down to that smaller element of what we can police and control. I mean, 10, 15 years ago, information security was all about perimeter control. So you've got firewalls, defense-in-depth models. I have a firewall, I have a proxy, I have an endpoint solution, I have AV, I have some type of, you know, data redaction capability, data masking, data labeling capability. And I think we've seen, I don't think security's changed. I hear a lot of people say, oh, well, information security is so much different nowadays. No, you know, I'm a military guy. I don't think anything's changed. I think the target changed. And I think the target moved from the perimeter to the endpoint. And so we're very focused on user behavior. We're very focused on endpoint agents and what people are doing on their individual machines that could cause the risk. We're entitling and providing privilege to end users today that 20 years ago we would have never granted. You know, there were a few people with the keys to the kingdom inside the castle keep. Nowadays, everybody's got an admin account and everybody's got some level of privilege. And it's the endpoint, it's the individual that we're most focused on, making sure that they're safe and they can operate effectively in the hospitals.
What are some of the tactical things that have changed? Obviously the endpoint has shifted. So some tactics have to change. Probably again, operationally, you still get to solve the same problem. Attacks, insider threats, et cetera. What new tactics have emerged that are critical to you guys? Yeah, that's a tough question. I mean, has really anything changed? Is the game really the game? Is the con really the same con? I mean, look at titans of security and think about guys like Kevin Mitnick that pioneered social engineering and this sort of stuff. And really, it's really just convincing a human to do something that they shouldn't do, right? I mean, you can read all these books about phone phreaking and going in and convincing the administrative assistant that you're just late for the meeting and you need to get in through that special door to get into that special room, and then you're in the telco closet and you've got access. Nowadays, you don't have to walk in to that same administrative assistant's desk and convince them that you're just late for the meeting. You can send a phishing email. So the tactics I think have changed to be more personal and more direct. The phishing emails, the spear phishing emails, I mean, we're a large healthcare institution. We get hit with those types of targeted attacks every day. They come via mobile device. They come via the phishing emails. Look at the Google Play Store. Just, I think in the last month, it has had two apps that have had some type of backdoor or malicious content in them that got through the app store and got onto people's phones. We had to pull that off people's phones, which wasn't pretty. But I think it's the same game. It's the same kind of convincing humans to do stuff that they're not supposed to do. But the delivery mechanism, the tactical delivery, has changed. How does Splunk get involved? Because I've always been a big fan of Splunk. People who know me know that.
I've been a fanboy. The way they handle the large amounts of data, log files, they crush that use case. And then expand it out into other areas. People love to use Splunk to bring in their data and then bring it into, I hate to use the word data lake, but I mean, just getting control of the data. How is data used now in your world? Because you've got a lot of things going on. You've got healthcare, IoT, people. I mean, lives are on the line. Lives are on the line, yeah. And there's things you've got to be aware of. Data's key; what's your approach? Well, first I'm going to shamelessly plug a quote I heard from Haiyan Song this week, who leads the security practice. And she said, the data is the oxygen of AI. And I love that quote. I think that's just a fantastic line. Data is the oxygen of AI. I wish I'd come up with it myself, but now I owe her a royalty fee. I think you could probably extend that and say data is the lifeline of Splunk. So if you think about a use case like our medication analytics platform, we're bringing in data sources from our time clock system, our multi-factor authentication system, our remote access desktop system, logs from our electronic medical record system, logs from the cabinets that hold the narcotics, where every time you open the door, a log event is created. So we're bringing in kind of everything that you would need to see. Aside from doing something with actual video cameras and tracking people in some augmented reality, Matrix, whatever it is, we've got all the data sources to really pin down all the data that we need to pin down. Okay, Nurse Sally, you opened that cabinet on that day on your shift after you authenticated and pulled out this much oxy and distributed it to this patient. I mean, we have a full picture, a full supply chain of everything. We can see everything that happens, and with every new data source that's out there, the beauty of Splunk is you just add it to Splunk.
I mean, Splunk handles structured and unstructured data. Splunk handles, you know, syslog feeds and JSON feeds, and it just doesn't matter. You can just add that stream to Splunk and enrich those events that we're reporting today. We have another solution, which we call the privacy platform, really built for our risk, excuse me, our privacy team. And in that scenario, kind of the same data sets. We're looking at time cards, we're looking at authentication, we're looking at access, and you visited this website via this proxy on this day. But the information from the EMR is very critical because we're watching for people that open patient records when they're not supposed to. We're the number five hospital in the country, we're the number one hospital in the state of New York. We have a large cavalcade of very important people that are patients, and people want to see those records. And so the privacy platform is designed to get audit trails for looking at all that stuff and say, hey, Nurse Sally, we just saw that you looked at patient Billy's record. That's not good. Let's investigate. We have about 30 use cases for- So it's not in the context of what she's doing. That's where the data comes in, or? That's where the data comes in. I mean, it's an event, you know, Nurse Sally opens up the EMR and looks at patient Billy's record. Maybe patient Billy wasn't on the chart, or patient Billy is a VIP, or patient Billy is, for whatever reason, not supposed to be on that docket for that nurse, on that schedule for that nurse; we're going to get an alarm. The privacy team's going to go, oh, well, are they supposed to look at that record? I'm just giving you kind of like two or three use cases, but there's about 30. Yeah, I mean, I'm sure. I mean, celebrities, whether it's Donald Trump, who probably went there at some point, everyone wants to get his taxes and records, to just general patient care. Just general patient care. Yeah, exactly.
And the privacy of our patients is paramount. I mean, especially in this digital age, where, like we talked about earlier, everyone's going after making a human do something silly, right? We want to ensure that our humans, our nurses, our best-in-class patient care professionals, are not doing something with your record that they're not supposed to do. Well, John, I want to get your thoughts on a story I did a couple of weeks ago called the Industrial IoT Apocalypse Now or Later. And the provocative story was simply trying to raise awareness that malware and spear phishing, these tactics for the endpoint are critical; obviously you pointed that out, everyone kind of knows that. But until someone dies, until it's actually a catastrophe where you can take over physical equipment, whether it's a self-driving bus or go into a hospital and not just do ransomware but actually use the industrial equipment to kill people, to cause a lot of harm, that's an industrial kind of hacking mindset. There's a lot of conversations going on, not enough mainstream conversations, but some of the top people are talking about this as kind of a concern. What's your view on this? Is it something that needs to be talked about more? Is it just BS? Should it be? Is there any signal there that's worth talking about around protecting the physical things that are attached to the network? Absolutely. I mean, this is a huge, huge area of interest for us, biomedical device security at New York Presbyterian. We have anywhere from about 80 to 90,000 endpoints across the enterprise. Every ICU room in our organization has about seven to 10 connected devices in the ICU room, from infusion pumps to intubation machines to heart rate monitors and Diox, to SpO2 monitors, all this stuff. All IP and connected?
All connected, right, and the topology or the medium in which they're connected changes. Some are ZigBee and Bluetooth and hardline and Wi-Fi, and we've got all these different protocols that they use to connect. We buy biomedical devices at volume, right, and biomedical devices have a long path towards FDA certification, so a lot of times they're designed years before they're fielded, and when they're fielded they come out and the device manufacturer says, all right, we've got this new widget, it's going to save lives, it's a great widget, it uses this protocol called TLS 1.0. And as a security professional, I'm sitting there going, really? Like, I'm not buying that, but that's kind of the only game, that's the only widget that I can buy, because that's the only widget that does that particular function. So this is a huge problem for us, endpoint device security: ensuring there's no vulnerabilities, ensuring we're not increasing our risk profile by adding these devices to our network and endangering our patients. So it's a huge area of- And also compatible to what you guys are thinking. Like, I can imagine, why would you want a multi-threaded processor on a light bulb? I mean, scope it down: turn it on, turn it off. Scope it down for its intended purpose, yeah. I mean, FDA certification is all about, you know, the device performs its intended function. But we've really leaned forward, our CISO has really leaned forward with initiatives like the SBOM. He's working closely with the FDA to develop kind of a set of baseline standards: ports and protocols, software and services, it uses these libraries, it talks to these servers in this country. And we have this portfolio that a security professional can look at and say, okay, I accept that risk, that's okay, I'll put that on my network, you know, moving on.
But this is absolutely a huge area of concern for us, and as we get more connected, we are very, very leaning forward on telehealth and delivering a great patient experience from a mobile device, a phone, a tablet. That type of delivery mechanism spawns all kinds of privacy concerns and interoperability concerns with protocols, what's protected. That's good, I'll have to follow up with you on that, something we can dig down on, but while we're here at Splunk, I want to get back to data. Thank you, by the way, for sharing that insight, and something I think is really important on industrial IoT protection. Diverse data really feeds a lot of great machine learning. You're only as good as your next blind spot, right, and when you're doing pattern recognition using data, so data is data, right, telegraphed to other data, mixing data actually could be a good thing. Most professionals would agree to that. How do you look at diverse data? Because in healthcare there's two schools of thought: there's the old HIPAA, we don't share anything, we've got client privacy, you mentioned that, to full sharing to get the maximum out of the AI or machine learning. How are you guys looking at the data, diverse data, the sharing? Because in security, sharing's good too, right? What's your thoughts on sharing data? I mean, sharing data across our institutions, which we have great relationships with in New York, is very fluid at New York Presbyterian. I mean, we're a large healthcare conglomerate with a lot of disparate hospitals that came as a result of partnership and acquisition. They don't all use the same electronic health record system. I think right now we have seven in play and we're converging down to one, but that's a lot of data sharing that we have to focus on between seven different EHRs. A patient can move from one institution to the next for a specialty procedure, and you've got to make sure that their data goes with them.
So I think we're pretty decent at sharing the data when it needs to be shared. As to the other part of your question about artificial intelligence, really I go back to medication analytics. A large part of the medication analytics platform that we designed does a lot of anomaly detection, stochastic anomaly detection on diversion. So if we see that, let's say you're a physician and you do knee surgeries, I'm just making this up, I am not a clinician, so we're going to hear a lot of stupidity here, but bear with me. So you do knee surgeries, and you do knee surgeries once a day, every day, Monday through Friday, right? And after that knee surgery, which you do every day in cyclical form, you prescribe 2,000 milligrams of Vicodin. That's your standard. And doctors, you know they're humans, humans are built on patterns, that's your pattern, 2,000 milligrams, that works for you, that's what you prescribe. But all of a sudden on Saturday, a day that you've never done a knee surgery in your life for the last 20 years, you all of a sudden perform a very invasive knee surgery procedure that apparently had a lot of complications, because the duration of the procedure was way outside the bounds of all the other procedures. And if you're kind of a math geek right now, you're probably thinking, I see where he's going with this, because you've just become an anomaly. And then maybe you prescribe 10,000 milligrams of Vicodin on that day. A procedure outside of your schedule with a prescription history that we've never seen before. That's the beauty of funneling this data into Splunk's ML toolkit. And then visualizing that, I love the 3D visualization, right? Because anybody can see, okay, all this stuff, the school of fish here is safe, but these I've got to focus on, right? And so we put that into the ML toolkit and then we can see, okay, Dr. X, we have 10,000, a little over 10,000 physicians across New York Presbyterian.
Dr. X right over here, that does not look like a normal prescriptive scenario against the rest of their baseline. And we can tweak this and we can change precision, we can change accuracy, we can move all this stuff around and say, well, let's just look at a medical record number. Let's just focus on procedure type. Let's focus on campus location. What do they prescribe from a different campus? That's anomalous. And so that is huge for us, using the ML toolkit to look at those anomalies and then drive the privacy team, the risk teams, the pharmacy analytics teams to say, oh, I need to investigate that. So that's a lot of heavy lifting for you. It lets you guys look at data that you need to look at. Absolutely. It gives you a dashboard. Final question, Splunk in general, are you happy with these guys? Obviously, they do a big part of your data. What should people know about Splunk 2019 this year, and are you happy with them? Oh, I mean, Splunk has been a great partner to New York Presbyterian. We've done so much incredible development work with them, and really what I like to talk about is Splunk for healthcare. We've created, we've solved some really important problems in our space, in this vertical, but we're looking, we're leaning really far forward into things like risk-based analysis, periop services. We've got an antimicrobial stewardship program that we're looking at developing into Splunk so we can watch that. That's a huge, I wouldn't say as big of a crisis as the opioid epidemic, but an equally important crisis to medical professionals across this country. And these are all solvable problems. This is just data, right? These are just events that happen in different systems. If we can get that into Splunk, we can cease the archaic practice of looking at spreadsheets and lookup tables and people spending days to find one thing to investigate. Well, Splunk's been a great partner to us.
The tool has been fantastic in helping us in our journey to provide best-in-class patient care. Well, congratulations, John Frushour, Deputy Chief Information Security Officer at New York Presbyterian. Thanks for that insight, great insight into healthcare and your challenge and your opportunity. Congratulations on the award, Data to Everything award winner. I've got to get that slogan, get used to that. It's to everything. Get things done. He's a doer. I'm John Furrier here on theCUBE, doing theCUBE action all day for three days. We're on day two. We'll be back with more coverage after this short break.