Welcome to theCUBE's continuing coverage of Splunk .conf21. I'm Dave Nicholson, and I am joined by Chris Folk, Director of Cybersecurity Policy and Strategic Partnerships at MITRE Corporation, as well as Mohan Koo, the Co-Founder and Chief Technology Officer at DTEX Systems. Now, gentlemen, we've heard this before, but I think this is going to be the best example of a conversation on this subject I've ever had. Security is a team sport. So let's talk about how that applies, where MITRE and DTEX and Splunk all come together and work together. Starting with you, Chris. MITRE published the ATT&CK framework, and just so people are clear on that: all caps, A-T-T, ampersand, or "and" sign, I should say, capital C, capital K. Looks like "attack". That's how you say it. That framework was created by MITRE. It's a bit of a game changer. Now, enterprise security teams use that pretty religiously. So tell us about that and tell us what we can expect next from MITRE.

So thank you, David. Pleasure to be here. I think that what made ATT&CK resonate with users is it's based on data. It started with data that we observed in our networks and organized around, at that time, the emergent principle that Lockheed Martin had put out on the kill chain. So it gave it structure. And we have been lucky that the community has embraced that concept of what we started off. We got the numbers completely wrong. We started off with 41 TTPs, and that was because that was based on a small subset of data that we had. And what's been powerful and what's made it truly wonderful is the community's adopted it, and that's what's added to it. It's an additive approach. But it's all based on data, and it's all just a fabulous opportunity for the community to come together. So what MITRE really focused on is understanding how data and those problems come together, and then we surround the ecosystem of that problem with things like language.
So we give it a framework and we give it operational data so that it actually has resonance with the users of that community.

So give me an example of the language that's used. You know, there are things that are under the heading of tactics, as an example. Give me an example of some of those things. What's the term in plain English and what does it mean?

So tactics are a way for an adversary to go about taking care of their business. So in the day when we were first thinking about this, we thought about it as the old cartoons where you'd have the coyote and the sheep would check in. You know, the coyote was given his lunchbox. He was given, if you think about it, the adversary target list, and he was given his tools. He would open up his toolbox and he would go after those targets for the day and he would use those tools. What we realized is that in most cases a lot of those tools were expensive to create. They were hard to train up on, and so they tended to use the same basic tool kit over and over again. What changed was perhaps one little thing that they would exploit that was always changing. And so what I likened it to was a burglar. A burglar would show up with his bag of tools. He would have a crowbar and he would have a flashlight and he would have a bag. And what he would do is he'd sometimes choose to go in through the window. Sometimes he'd choose to go in through the door. Sometimes he'd choose to go in through the basement. It didn't matter, but once he got in the house he had that flashlight. He had that bag and he had that crowbar. I could figure out through my sensors what he had in his bag or with him. I could catch that and then I could alert on that and find the other pieces of that. And so that's what tactics are really about, and getting that concept boiled down to a language that cyber defenders could readily understand and put into practice in their businesses.

So Mohan, tell us about DTEX.
And I'm particularly interested in the connection between DTEX and what Chris was just talking about, that MITRE has provided us this language that ATT&CK provides us. Essentially, you're listening for those things that go bump in the night. Chris has given us a language to describe them. Tell us how DTEX works.

Yeah, so what we're doing, David, and thank you for having me as well. What we're doing is we're bringing to the table a whole different type of telemetry, and it's all around human behavior. And how we got together with MITRE is actually a direct connection to how we got together with Splunk as well. I'm actually sitting here in Adelaide in Australia at the Australian Cyber Collaboration Centre. And this is an initiative we put together with the state government of South Australia and federal government as well to actually bring everybody under one trusted roof so we could break down the silos and collaborate a hell of a lot better. As we all know, the bad guys collaborate extremely well. They share everything, including their IP and their tactics and their techniques; everything is shared. And that puts them at an extreme advantage to the good guys and girls, right? And so we have to do a much better job at that collaboration. And when we came together and were introduced to MITRE here at the Australian Cyber Collaboration Centre, we decided that taking MITRE's expertise, and they've got like 15, more than 15 years' worth of dedicated experience around behavioral science and how it contributes to insider threats, and studying that in some depth, putting that together with the data that we're collecting for our enterprise customers, was something that was really, really important.
And actually, it was here in the Australian Cyber Collaboration Centre that we first kept working together with Splunk, and Splunk started to identify a problem statement amongst their customers too: that the data that exists out there for security operations teams just doesn't have that cleanliness and it doesn't have the context when it comes to human behavior. And that's really what we're bringing to the table here.

So give me an example of a human behavior that you're looking for. Or, you know, so Splunk is providing this data that's being gathered from logs. These events are being rolled up and DTEX is analyzing them. Can you give us an example, that doesn't educate adversaries, of behaviors that you look at?

Yeah, absolutely. And I'll just touch on it and then I'll hand over to Chris, because MITRE are truly the experts on this stuff. But what I will say is that a lot of organizations, when they think about human behavior and the insider threat per se, they always think about the malicious actor, right? The Snowden-type character that's maliciously and intentionally trying to get access and take stuff. But it's much more than that. It's also insiders that do negligent things, and it's insiders that are victims of their own lack of understanding of things that they're facing. And when outsiders are cleverer or more technically proficient, they can find ways to usurp the insider and get them to do bad things without them even knowing they're doing it. And so understanding intent, and we call it at DTEX, we call it indicators of intent, is really important for us to know. Those indicators are what we've been working with MITRE on for the last year or so, kind of understanding what the newest, most complicated indicators of intent are, and how do we determine those to be able to know the difference between a malicious insider versus somebody that's just doing the wrong thing without even knowing about it?
I don't know, Chris, if you wanted to touch on that a little bit.

Yeah, Chris. Yeah, yeah, yeah, Chris, absolutely. You've, you know, Mohan's joining us from Australia. Chris, you and MITRE have done a ton of work with the US federal government around detection and prevention of those insider threats. Talk to us, talk us through that. And more specifically, tell us how that is applicable to non-governmental agencies.

Yeah, well, so I mean, I think at the core of it, human behavior is human behavior. And whether those are being applied to critical infrastructures, whether they're being applied to working at a federal government organization or a state or local government organization, it doesn't matter. Humans have behaviors. Every human has behaviors. What makes them unique is understanding the context behind those behaviors and then looking for indicators that are distinguishable from an individual doing his or her job, right? So one of the challenges that you have with insider behavior is that, you know, data collection is everyone's job at every organization, right? You're always trying to put together the numbers for the spreadsheet and to brief to your boss. Well, when you're doing that data collection, it can look like normal work, and you can't trigger on something like that because otherwise you're gonna be triggering on every individual doing their job every day. So you have to add additional context and behavioral indicators to that, to understand how the individual is doing that differently in a case where they are up to no good, we'll say, as opposed to under circumstances of doing their job in a regular course of action. So what we have long held as beliefs about how people behave are actually manifesting themselves differently in online behavior: how fast they click, what kinds of tools they use to do legitimate work versus the kinds of tools that they use to do so-called illicit collection. Literally those kinds of subtle nuances.
So while they might do the same collection activities, how fast they do it, where they put that information, how often they go back to the same site, those are indicators that, when taken with that behavioral context, really matter, and that's what distinguishes them from just normal, typical user behavior.

Well, so how much does that context vary between private entities, governmental entities, and across private entities? Is this a classic 80-20 situation where 80% of it's the same, 20% very different? What does that look like?

Yeah, I would say that 80-20 is a very good rule. I'd probably put it closer to 90 or 95 to 5. So behaviors work the same. Now, the protocols that organizations have are going to drive some of that. So a government organization is going to have certain things in place that a private company may or may not. So how locked down the systems are, the kinds of access, things that you allow. So do you allow USB drives? Do you allow those kinds of capabilities in your organization? So if you're a private sector organization, but even within a private sector organization, they run the gamut, right? So you have very locked down environments like banks and regulated industries, and then you have very unregulated industries as well. So it really isn't about government and industry. It's about the kind of protocols that are already in place for other reasons that really drive the differences between that. And then you have, again, you have those additional safeguards that you have, say, with a government organization in that you've got security vetting, right? So you've done security vetting of a lot of your employees; even if it's not a security clearance, it's a personnel vetting. And so it's an additional level, but all it does is change the emphasis of where you place the value in your security mechanisms.

So you mentioned a variety of contexts. Mohan, we've got a mass shift to remote working, obviously.
Splunk has shared with us that the customers are concerned about giving people visibility without compromising privacy. And I say Splunk like Splunk is a person. We'd like to personalize everything here at theCUBE. But how is DTEX helping with this challenge, this challenge of not being intrusive, yet getting the important work done that needs to be done?

Yeah, that's a great question. And for us, we as DTEX, we kind of grew up in Europe. That's kind of where we became an international organization. So employee privacy is at the heart of everything that we do, and we bake privacy by design into everything that we do. So we're actually able to pseudo-anonymize every bit of data that we're collecting so that you're actually really truly looking for bad behaviors or unusual behaviors. You're not looking for bad people or unusual people, right? Like, it's a very clear distinction. And being able to do it in a way that gives you, the organization, the visibility to prevent against risk and to de-risk the organization without infringing on anyone's privacy is really critical. As Chris was mentioning, even if you go to the private sector, you've got those very regulated banks or healthcare organizations that are typically quite locked down, but we're dealing more and more with high tech companies, right? A lot of Bay Area firms, Silicon Valley companies, which have always required the flexibility for their workforce, right? They want them to be innovative. They want them to do different things. And in order to do that, they need the ability to have any tools they need to get their job done. But in those environments, you can't have too many hard and fast controls. So how do we actually provide that visibility to the organization without infringing privacy? That is absolutely what the game is about. And so, you know, not kind of having to scrape screens and take keystrokes and take video capture, you know, that's the old school way of doing it.
You know, in some cases, maybe you do need that level of surveillance, but in most cases, you absolutely do not. And so, you know, for many, many years, a lot of enterprise security organizations have been collecting way more data than they need to and taking way more intrusive approaches. And we're about backing that off and kind of getting the right balance between security and privacy. Because what we truly believe is where you overlap security and privacy, that Venn diagram that you get in the middle is where you get safety. And we really see it as an extension of health and safety.

So Mohan, if we do all of these things correctly between Splunk, MITRE and DTEX, you get the perfect scenario where you're catching bad actors and you're not inconveniencing good actors. So what's your view of this? Dystopian future, utopian future, a mix of both?

Well, look, I think that the future really is, you know, as the title to this discussion is, it's a team sport, right? Like, and I think that the approach that Splunk is taking right now is absolutely the right one. Like, we need to all come together. We can't be everything to everyone. I don't think there is a one-size-fits-all solution in enterprise security today. And those organizations that understand that and recognize that, but neither is it, are we able to continue just kind of investing in hundreds of point solutions across the enterprise and layering them across the business like Band-Aids. We need that consolidation, but we do need to take best-of-breed solution providers to focus on those integrations and doing it properly. And that's what we've really enjoyed about working with Splunk over the last couple of years, is kind of, you know, taking a very holistic approach and realizing that we all need to come together to play this team sport, because, you know, we as DTEX, we bring together a very clean data set that gives you that human telemetry.
And then MITRE brings the behavioral science capability and behavioral science understanding, and Splunk provides that big data platform to bring everything together and show it and visualize it. And really that's one way of looking at it. And I think, you know, going forward, those vendors or those organizations that don't recognize that proper integration, actual true integration, has to be done collectively, and it has to be done in a way that's light and easy for anybody to consume.

Perfect way to wrap this CUBE conversation. Thank you, Mohan. Thank you, Chris. And thank all of you for joining us on this CUBE conversation. Our continuing coverage of Splunk .conf21 continues. I'm Dave Nicholson. Thanks for joining.