Live from Washington D.C., it's theCUBE. Covering .conf 2017, brought to you by Splunk.

Welcome back to Washington D.C., theCUBE continuing our coverage here of .conf 2017. It's the Splunk get-together here in Washington D.C. at the Washington Convention Center, where they have a record crowd, 7,000 plus. Everybody having a Splunking good time, you might say. Dave Vellante, John Walls, Sam. We're joined by a couple of gentlemen who work with TransAlta: Kent Ferries on the far left, who is a senior analyst in security, working in security intelligence and analytics as well. At TransAlta, Kent, good morning to you, sir. Or is it good afternoon? We've crossed that threshold here, haven't we? And Akina Woffor, who is a senior information security specialist at TransAlta as well. So good morning to you.

Thank you, good morning.

Kent, maybe if you can just tee us up a little bit about TransAlta.

Sure.

Tell us a little bit about the core function, what you all are up to, and then how the two of you are helping that mission along its way.

Sure. TransAlta is a well-respected power generator and wholesale marketer of electricity that's been in business for over 100 years. We're based out of Calgary, Canada, and we have operations in the United States as well as Australia.

Okay.

Myself and Akina are part of the security team based out of Calgary, and then we also have, we've off-shored or outsourced some of the security operations center function.

Which I imagine is vast, right? You've got, I mean, your primary mission, obviously, is security, I would assume with the grid, distribution of power.

You are correct.

That's your number one focus, right? So talk about the complexities of that in general for our audience. They may not be familiar with your particular business, but you can obviously imagine the nuances and the sensitivities that you have to deal with. Sir, do you want to? Akina, why don't you take that?
I think the fact that we are in the power generation business makes us critical infrastructure, and that means working with and having ties to the grid makes it very critical to protect our critical information systems from the current threat landscape in security. So it's a vast responsibility for the team, and we have regulatory requirements we need to abide by, things around our NERC CIP and SOX compliance requirements. So that's really a very daunting task for us to meet from a security standpoint.

Right, so it's critical infrastructure, it's distributed in its nature, so it's a high-value target, and you've got to wake up every day knowing that.

Yeah, sure, yes.

Okay, so maybe take us through sort of your Splunk journey and what role it played, kind of the before and after, and how it has affected your business.

Sure, I'll take that one. So in the mid-2000s, we did security and everything, but it wasn't really a key focus of senior management or anything. There weren't a lot of real breaches. Most of the stuff that was going on was a nuisance, right, out in the marketplace.

Got a hacktivist.

Yeah, and different things. So we dealt with it; a lot of it still wasn't really coming through the internet, it was still coming through other means, right? So it wasn't at the forefront. Even though we would try, say in 2006, to make sure that security was at the forefront, the management wasn't quite ready at that time. There weren't big breaches or anything. Around 2009 was our first introduction to what we called a SIEM, the security information and event management solution, basically log management. We implemented that in 2009, and then we had that running for about five years, until about 2014, but we started to lose some confidence in that tool, because it just didn't give us the information that we wanted or needed to properly detect and respond to today's threats. So we stumbled upon Splunk. It took a little while to actually buy it.
One of the system engineers tried to sell it to us, and I said, no, I'll come back later. No, no, I don't even know what it is, right? But then finally I actually spun it up, proof of concept, and I go, this thing is amazing. Everything I ever thought of doing, I can actually do with this tool. This is, wow. So I took the POC, sold it to management. Come January 2015, we implemented it. We hired a company out of Ontario to help stand it up and bring all the data in. It was amazing. And we had everything we ever wanted, and it blew away our previous security information and event management system.

So the SIEM fell short, you said, because it didn't really give you the information, and was it also a case that it was just too much information, that you couldn't prioritize?

It was difficult to use. So we actually went on training when we implemented the original one in 2009. So, two weeks of training down in the US, come back, architect it, still had a consultant to help us stand it all up, but we couldn't build the use cases that we really needed. We were happy at the time just to get log data, but really there was no data enrichment or good correlation capabilities, or it was super, super difficult to implement. You couldn't search something like Splunk Answers, which you can today. I can Google anything, and the answer's out there around Splunk, which is just, the community's phenomenal.

So at the time you didn't know what you didn't know, and then once you saw Splunk, it sort of changed your vision of what was possible. But, so you said it was amazing, but why is it amazing? What is it about Splunk that the SIEM tools don't do?

I think to Kent's point, part of the challenge we had with the previous SIEM tool was the fact that it required a whole lot of work to even get a single simple use case in place for security. Whereas when we had Splunk in place, one is, onboarding data, logs from various sources, was really, really dead simple.
The initial setup was within a day or half a day to basically replicate what we had from our previous SIEM, which was really fast. And then the other thing is Splunk provided a whole lot of flexibility, where you really didn't need to go for some two weeks' training to actually get going initially. And through the period we've had Splunk, we've seen that there have been a lot of things we've been able to achieve that we couldn't accomplish when we had our previous SIEM.

Like, for example, what's it letting you do now, day to day, that you couldn't do before?

So if you buy a SIEM, typically it's in a vertical, right? It's serving one purpose. So when you implement that, it's usually the security team that gets to use it, right? And you've got to bring in all this log data. Your other teams, say in operations or whatever, they want their log data too, but they're in a totally different system. With Splunk, it's a platform for us. So we bring all the data in. It's consumed by IT security. It's consumed by DevOps and operations. So the same data that you bring in, say from an endpoint, we'll use it for detection, forensic-type capabilities, but the desktop team can use it as well to see, are there application problems, desktop problems, do I have drivers or something on a desktop that needs to be updated? We can be more proactive and help out the user. So for us, it's just, it's like a fabric, a foundation. So once we've got that laid, yep.

So all these use cases that you're laying out, previously you would have to essentially customize for each use case, is that right?

You couldn't even.

And previously we couldn't even do some of them because of, and then the other thing is we would most likely need to engage a third-party contractor to assist us with that. Somebody who is a specialist in that field.
Whereas with Splunk, some of the key things that have helped us with Splunk is, maybe in the process of responding to a security event, we could think up ideas of, we need this information, how do we get it? And on the fly, we can easily build up a use case within minutes to get the information we need from Splunk. Without needing to consult anyone, without needing to read up manuals. And for instances where we really need information to help us with building up the use cases, going, like Kent mentioned earlier, to Splunk Answers, you will most likely get, so there's a broader community with Splunk that really helps with giving you the information you need to help you on your Splunk journey.

Okay, but so it's more intuitive, I'm hearing, and it's got the data that you need.

Exactly.

And so, but even if you had an equivalent of Splunk Answers for your previous SIEM tool, you're saying you wouldn't have been able to, because it's not flexible enough to architect what you needed.

Exactly.

Okay.

Yeah, I'd like to just put a comment in there. So I've been in IT for a long time, and I've always wanted to, say, build my own database to bring stuff in and do different things, so I'm pretty good at scripting. But I don't want to be designing a full application or whatever. When I saw Splunk and how easy it was to onboard data, I go, wow, this is amazing. So when I brought the consultant in and we stood up our original infrastructure, not only did we stand up ES, Enterprise Security, within two weeks, we also onboarded all my custom stuff, like PowerShell scripts, everything else. So we brought Active Directory data into Splunk and made it a PVR for us. So we can go back in time and look at anyone: who their manager was, anything that's happened to that account, at that exact time. And we can correlate that with IP information, everything else. As well, all of our floors are mapped out. We know where you are in any given building or facility.
So we were able to do that at a point in time, because it's a PVR. We don't lose that information. And that's data enrichment, and we couldn't do that in the old system.

Yeah, a time machine for your machine data.

It is, absolutely.

Okay, cool. Now, back to your business a little bit. So there's a physical security aspect of what you guys have to worry about as well. And I'm wondering if you could talk about that and how, just the sort of attitude, you touched on this before, Kent, but how the attitudes towards security have changed and evolved over the last decade. Obviously, greater awareness. Has that trickled into the lines of business, or is it still mostly an IT and security pro problem?

I'll let you kind of answer this one.

So really, for us, it's been a journey for the last little while around security. And a couple of things we've had over the past few years is spreading the awareness around security across the business. And that's really gained traction, where it's no longer just the IT security folks talking to the business about what they need to do for security, but also the business getting back to IT security, and once they want to implement certain solutions, trying to figure out, okay, what do we do for security? Can you help assist us with something around risk assessments? And really, over time, that has really helped spread that awareness. And also we do a whole lot of things around trying to build our security program through performance assessments that will be useful to identify gaps, and being able to communicate those stats to senior management around getting the necessary buy-in to proceed with whatever initiatives we want to run from a security standpoint.

You want to add to that?

I think that's good.

Yeah, I mean, I'm sensing that prior to Splunk, it was an uphill battle to get management to invest, because they probably said, we're going to throw money at it, and what's the result that we're going to get?
As you can present metrics to management, it's easier to justify the investments, because they're going to be able to see the outcomes. Is that fair?

Yes, definitely. I think prior to Splunk, really, we had certain sets of metrics, but what Splunk has really helped us do is really consolidate all the log sources we have, get the right information, and be able to actually provide a holistic view of our security program to senior management and show them, across the different business units, where we can get value for investment thrown into security.

And have you evaluated alternatives? I know those competitors have bumped up in the past couple of years. Have you evaluated those, or did you at the time? Jonas?

Yeah, so in 2009 we looked at a few different vendors, and we picked a market leader at the time. There were a couple that we liked more than the market leader, but they just didn't scale to our size. Back in those days, certain vendors would call it events per second or whatever, and we did some analysis, and it just couldn't scale. That one back in 2009 is now a market leader, right? It's pretty good. It looks really interesting, everything. As well, there are about two or three players out there that I think look great from a SIEM perspective. But if you think of us, where we are at, a SIEM is a component, but we actually have a platform. And managers bought into the platform, not only a SIEM. They didn't even know what a SIEM really was before, say, 2013. And now they just know that we can provide information when they ask for it. If we don't know, we can get the answer within minutes or maybe hours sometimes, depending on the complexity of the query. But we have all the information. We have our PVR time machine, as you mentioned. It's all sitting there. We brought in most of our data. We've got a couple of little pieces we're still working on. There's different cloud information we're bringing in, or other data enrichment. We can tell, for example, an ISP anywhere in the world.
We can tell our user visited that ISP, or that attacker came from that ISP. Let's lock that whole ISP out, for example. We have a lot of interesting capabilities where we don't know if we can do that in those other tools.

So what's your headache of the future? I mean, it sounds like Splunk has done a lot to get you up to speed and get you to a very high comfort level now. Looking down the road here, what's next?

Well, I'll quickly start with it. And I think I kind of want to speak to this as well. One of the things that we need to do is, we're getting better at detecting and responding. We've really focused a lot on prevention to make sure that we can prevent what we can, but it's impossible to basically prevent everything. Everybody knows that. You see it in the news. So we're trying to get better at detection and response. One of the shortcomings that we notice is we can't always respond as humans fast enough. So we're trying to automate that, get richer information, which Splunk allows us to do. So we call them high-fidelity alerts or high-confidence alerts. So if we see that, that should never happen in our environment. We'll shut that workstation down, disable that account, or cut off that subnet or something like that. So it'll all be automated. And then us as a team, we'll come back after the fact and look at it and go, oh, yeah, that was good. Or, oops, we made a mistake. Sorry about that. And we'll bring the machine back online.

Yeah, apologize after.

After me. Because they move so quickly if they get, or at least what we're seeing, these adversaries move fast. How about you, want to add to that?

I think really the key, the way we look at our security program, is just being on a journey. Because the threat landscape changes like by minutes or days, really. And there's never that point where we say, we are done. We are fully okay from our security standpoint. So we constantly look at where we need to evolve. A lot of attacks now are looking at cloud services.
So we are trying to see how we can shore up our cloud services that we use, pull the log information where we can, and try to actually enhance what we're currently doing. There's really no silver bullet to solving the issue of security. So it's really constantly looking at where we can derive efficiencies to help our program.

I wanted to ask you about pricing. Are you a Splunk Cloud customer? You pay a subscription? You pay a perpetual license?

We did the subscription, the term. We're evaluating potentially moving to the cloud. It would be near the end of 2018. We're not sure how we're going to go. Maybe we'll just put it in, say, one of AWS or Azure, instead of maybe going with a cloud offering. Because personally, we like tweaking and doing a couple of things under the hood. So there's a little more change control in cloud, at least at the moment. Maybe that'll change over time. But we like to be able to quickly onboard data and do all this as fast as we can when we need to.

And you're priced, Splunk charges by sort of the amount of data? Or how is it?

It's by the amount of data.

So my follow-up is, as the amount of data, exponential as that data curve, growth curve, kind of grows, reshapes, if you will, are you concerned about just the whole pricing model? Does it have to?

I'll take that one. So the interesting thing about Splunk, it's actually disruptive, or a disruptor, right? It can displace technologies within your environment, right? So we really try to consolidate things down and take out things that aren't needed. So in certain scenarios, we do a lot of vulnerability scanning and all that. We don't necessarily go buy the top-top-end product and spend a lot of money on that. We might buy something else, or maybe use open source in the future, who knows. But get the information into Splunk and then use Splunk to do all the analysis. So we're paying like one or 2% of what a typical cost would be. And that license itself would pay for Splunk.
So you get an asset leverage there.

Yeah.

Okay, and it pays for the data growth.

As well, we're finding other benefits in the environment. Using predictive analysis, for example, we've Splunked all of our storage. And I gave that to my boss and I go, here you go, what do you think? And you can predict it out a quarter, you know, half a year or a year. And he was just ready to, you know, buy basically a million dollars of hardware, and said, geez, I don't need to do that.

That's pretty cool. So you're using Splunk as a capacity planning tool as well.

We use it for many purposes, yeah.

Very interesting.

So it's actually, yeah. That's like a good year-end bonus to me there, kind of.

All right. Good job. You gentlemen both came down from Canada, is that right?

Yes, we did.

So my apologies for the unseasonably warm weather here. But I'm glad we have the lights on, which is something you're very familiar with, right? TransAlta. Thanks for the time.

Thank you.

Interesting conversation. Glad you both could be here with us today.

Thank you. Thanks for inviting us.

All right. Continuing more on our coverage, we're here at theCUBE at .conf 2017. We'll be live here in Washington, D.C. Take a little break, back at 1:30 Eastern time. See you then.