We're live in Las Vegas for day one of two days of live coverage of .conf, Splunk's conference. The hashtag is #splunkconf, and we'll be happy to talk to you. Our next guest is Jesse Trucks, cybersecurity engineer at Oak Ridge National Laboratory, part of the Department of Energy. You're not shut down, so that's good news. You have money in the bank. Welcome to theCUBE.

Well, thank you, thank you for having me.

It's always great to hear from Splunk executives about the ride they're on. I see it's a rocket ship for the company: it went public, doing great on the business side, got a great ecosystem. But talking to the customers and people who actually use the products is always the fun part. So I want to ask you, first question: you used Splunk early on, when they were first coming out, right?

Yeah.

They were like a tool.

2006, yeah.

2006, and now you use them. So what's your take on the transformation of Splunk? What has it turned into? Explain to the folks where it was and what it is now.

So back in 2006 when we used it, it was really just a way to look at your logs that were on more than one system without having to log into every system and grep around and things like that, whereas now it is actually a data analytics platform. I never realized how much of a data geek I was until I had the power of Splunk in front of me, and we've been using it now to find information in all kinds of different data, not just machine logs, so that we're transforming how we make our IT decisions and what kinds of applications and platforms to purchase in the future, because we can do analytics rather than just using it as a log tool.

A lot of things... Dave and I always talk on theCUBE here about big data because we're fanatics about it. We're also data geeks. It's one of those things: the common thread amongst folks is that when stuff is automated for them, different skills kick in, analytical skills, creative skills. What other observations can you share? Splunk basically sets the table for you; a lot of the manual work, grepping around and all that stuff, has been eliminated. What new things are you seeing being abstracted away that Splunk's doing that you can share with the folks out there?

Basically what it does for us is, instead of just looking at logs or just using it as a forensics tool, we can look at trending data and do statistical analysis on things that are of very large volume. We have somewhere between 6 and 12 gigabits per second most of the time running through our network, and as a security person, we have to keep an eye on all of that all the time. It's like trying to find a speck of sand in a fire hose, so the ability to do a statistical analysis on a broad, I guess I would say the broader view of all of the data that we have from all of our different appliances allows us to see things that we normally would not see. Like, IDS may not catch something or this other thing might not catch something, but we can see patterns that we weren't able to see before. So before we were wandering around in the forest and all we could see was the trees, but now we can come back and we can see the whole forest.

Talk about that. Is it the flexibility to handle diverse data sets and different data sources?

Part of it is that it's become more than just a framework. Originally it's because it's a framework that allows us to just dig around in our data and look at it and drill down in a variety of ways, but now it's become an entire reporting platform, and so our other option would be some of the other tools that are primarily security management systems, security information management systems. But we're starting to use it for non-security operational things, and so as a result, by continuing to use Splunk to mine data and to visualize data, we can see things that we would not be able to see in a stock application that has a limited view and less ability to drill down.

Some of those stock applications that you're talking about, they might give you more within a narrow view, but none of them can handle the cross data sources of Splunk. I got a tweet this morning and I want to ask you, because I like to ask practitioners. I was tweeting in the keynote and the practitioner said, with things like Elasticsearch and Logstash, which are open source capabilities, why are people still using Splunk? And I responded, well, it's because Splunk's a solution and it's got support. But that's my answer, I'm not a practitioner. What's your answer?

So Elasticsearch and Logstash... the creator of Logstash was actually just hired by Elasticsearch, so I suspect that they may be looking for a broader view of commercial applications in the future, but it has a limited ability to do the visualization, and especially with Splunk 6 Enterprise now, the pivot and data modeling allows you to use the information more without having to be a super techie code head, whereas Logstash and Elasticsearch, really, I don't think that they're mature for non-technical people, because the UI is really simple and there's not enough layers of tools on top of it. In addition to that, we actually have looked at possibly using it, because it can be expensive if you're in a larger organization, and so with Elasticsearch and Logstash there's a lot of manual glue you have to do to get your data in and to manipulate things to get reporting out, whereas with Splunk I can just hand somebody an account on our search head and they can just get data out, and I don't have to teach them how to do anything.

So the value there is the productivity of the organization. So talk a little bit more about where you started using Splunk. Was it for problem analysis, problem determination, and how has that evolved?

So originally it was just security-related logs, and so it would be machine data from syslog servers, Windows servers, that were security-related events, and then all of our firewall logging goes into Splunk, and so we would use it for correlating events across systems or looking up whether or not a firewall rule is being triggered or some particular connection is denied, things like that. What it's now evolved into is we use Splunk as our primary alert mechanism for a lot of our IDS and IPS traffic, so the alerts go to Splunk and then Splunk is the actual mechanism to alert us. It also... we're starting to do a lot of data analytics and visualization to see about usage trends of our network, to understand our network beyond the simple "is somebody trying to hack us or is there malware," and it's that extra layer of understanding what's really happening in the big picture that Splunk is giving us now. That's where it's changed.

So Jesse, you're doing work, if I understand it correctly, in advanced materials, clean tech, nuclear non-proliferation, but specifically in a cybersecurity context, is that right?

Yeah, so my job is, basically my team is the security operational people that monitor the network and infrastructure of the lab, basically all the computing resources, and so all the scientists and researchers that are doing that research use computing resources, and we secure and monitor those computing resources.

So talk about, as a security practitioner, how security has changed over the last 10 years and how you are adapting to some of the new threats, the changing threats. What has changed?

So the biggest difference I think in the security landscape, actually in my whole career in the last 20 years, is that the volume of attacks has increased to the point where it really is just a fire hose. Even in a small organization there are so many different things out there that you have to use technologies that are capable of adapting and of doing statistical analysis on your information stream. In addition to that, the successful attacks have become extremely complicated because they're being driven by human actors. More and more often you don't have your script kiddies that just download something and run it and get into your system; instead, because there's so much advanced technology and layers of security and monitoring, we're finding that we can tell when a human is driving and there's command and control. So the complexity and the way that you look at your systems has evolved to the point where without advanced analytic capability we can't do our jobs.

So some other practitioners have told us that another big shift is that you used to put all the emphasis on the perimeter, keeping people out, and now when the bad guys get in they don't want to be found. They're not doing jumping jacks: "I got in." So what role does analytics play in helping you find those types of activities?

So it's amazing to me that the myth of having a bunch of firewalls is still propagated today, the crunchy outside, chewy inside. We actually have multiple layers of firewalls and monitoring capability inside of our network as well as on the border, and a lot more organizations are doing it this way. So we keep track of the system logs and the network device logs and we have all of that going into one place, Splunk, and by doing searches and analytics across all of that data we can then see activity. For instance, analyzing when the number of systems an account has authenticated to goes above a normal amount, we get an alert, and we do things like that: reports that show us an increase in authentication failures on a variety of systems, not just Windows, not just Linux, things like that. And because we can look at a variety of things like that, we see patterns that emerge to show us potential intrusion activity.

I wonder if you could put your commercial hat on, maybe give some advice to your peers in the commercial world. I think a lot of people... I've always said, John, security and privacy, it's two sides of the same coin. Some people disagree with that, but I think with all the activity that's come out about PRISM and the NSA and so forth, commercial entities are starting to pay more attention not only to security (they're always very security conscious) but also privacy now. Maybe they should have been sensitized before, but you find a lot more business people are more sensitized to it. What advice would you give to your peers in the commercial world, specifically as it relates to the cloud and security?

One thing I would say is, for US-based organizations, I'd strongly encourage their security practitioners to become a member of the InfraGard organization. InfraGard is a public-private partnership with the FBI that helps organizations understand not just cybersecurity but obviously other security or physical security problems and infrastructure issues around national infrastructure, but also they have a really strong component of helping organizations understand the threats that are out there, so that's huge. The other thing that I would say is that we've been talking about defense in depth for years, and we've been talking in more recent times in security about how you have to have a holistic view of your entire organization and understand how your applications and people work in order to secure them in a way that is effective. But a lot of people aren't doing this, because I think it costs a lot of money, and it can cost money because you have to spend money on expensive commercial products, but if you don't do this, it's the cost... that return on investment isn't apparent. Like disaster recovery, security, until there's an incident they don't want to spend the money on it, but when that incident happens and you're front-page news on the New York Times and CNN and Fox News, then your reputation loss and your stock price loss and possibly loss of customers is absolutely going to be more than you spend on moderate controls and security. And so spend the money, spend the resources on getting people trained, and have dedicated security people no matter what size you are.

The business case is the reduction in the expected loss, if you will, or the brand loss, which is these days almost a certainty that you're going to suffer. So it's like backup, it's like backing up your data: you're going to lose data if it's not backed up, you're going to lose money.

Yeah, so people always say, "well, if I get hacked." No, when you get hacked. Everybody gets hacked. National labs, FBI, CIA, these people have spent... we spend a ton of money on security and we're very, very good at it, and it still happens, because nobody can be completely secure. So protect yourself, monitor your infrastructure, spend the money, spend the resources, and let your people get training.

Now earlier we were talking about the expensive products like Splunk. The pricing model, if I understand it, is per gigabyte indexed per day, right? So how do you feel about that model? What works about it? I know there's been some backlash on surge pricing and Splunk has dealt with that as well, but what's your, as a customer practitioner, what's your opinion of the pricing model relative to some others that you might see in the industry, you know, per core, per cluster?

You know, I actually really think that it works well for most organizations, because if it's per system or installation footprint, then what happens is you get a big system and then you can't expand, because you have to spend a lot more money to expand. Well, what happens, though, is what if you start doing more analytics and now your server is slow and you have a problem, so you need another server? With Splunk that problem goes away, and I really like the pricing model because what I do is, if a new group or project wants to put more data into Splunk, they give me money to expand my Splunk license and they run a new server. I don't have to pay for a new server, and in some cases it's a new project but I have enough license existing, so that project doesn't have to pay me for more license but they build a new server. I can add servers any time. If I have a search head that starts getting bogged down, I can just install another one, and the expansion capability and cluster capability, I can do it across five systems or five hundred systems, and the flexibility to meet the IT needs of my organization...

And it's great for Splunk because you're going to increase adoption.

Yes, absolutely.

The frictionless growth. You can do things fast, and the agility is amazing. You don't have to worry about procuring hardware, it's simply just approving the license.

And in some cases... we've had one of our technical architects, he likes doing a ton of data analytics, and we just spun up a VM for him and gave him his own search head. He can do anything he wants and it doesn't matter, and by giving him that capability he's helped us expand the footprint of Splunk in general, because he's realized that this is a good tool for us.

This is why I'm so excited, Dave. We always talk about the speed of entrepreneurs getting stuff on the cloud and just the ability, the friction that's taken away from the inertia of buying gear, provisioning; just the automation allows a lot of people to do their job. I want to get you a quick plug in. Your Splunk talk, just give a quick overview of what that is and explain to the folks some highlights of that presentation.

So it's actually based on a talk that I did at SplunkLive in May in DC, and the video is online as well. My presentation is tomorrow, Wednesday, at 1:45pm, and I don't remember the room. It is "Automating Operational Intelligence Using Summary Indexes and Statistical Analysis," and so essentially it's the idea of: we have billions of events and I want to compare my last second of, say, firewall transactions to the mean and the standard deviation of the last several months. How do I do that in a real-time fashion without spending, you know, five million dollars in clustering hardware? And I'm going to show people how to do that, because it's something that's very real for us, needing to be able to overcome that performance barrier.

We really appreciate you coming on theCUBE again. That sounds like a presentation Dave and I were, like, just writing notes down. Can you repeat that again, operational indexes, one more time, just the title? It just sounded good.

Automating operational intelligence, summary indexes and stats.

That's the kind of stuff that Splunk gets in the weeds on and automates. Again, this is what, when you see these megatrends, making it easier, simpler, and abstracting away complexity, reducing the steps it takes to get the value, that's an awesome value proposition. Again, that's hard stuff: in-time analytics, near real time, no limits. Okay, Jesse Trucks, thanks for coming inside theCUBE. Department of Energy, doing some really high-end stuff, appreciate your time. This is theCUBE, where we extract the signal from the noise and share that with you. I'm John Furrier with Dave Vellante, we'll be right back. Two days of live coverage here at the Splunk conference, we'll be right back.