
Haiyan Song, Splunk & Oliver Friedrichs, Splunk | AWS re:Inforce 2019


 

>> Live from Boston, Massachusetts. It's theCube. Covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners.

>> Hello everyone. Welcome back to the live Cube coverage here in Boston, Massachusetts for AWS, Amazon Web Services re:Inforce with their inaugural conference around security, I'm (mumbles). We've got two great guests, from Splunk, Cube alumni, and also, we do the Cube coverage at .conf, their annual conference, Haiyan Song, SVP, General Manager Security Market, Oliver Friedrichs, Vice President of Security Products, formerly with a company you sold to Splunk, doing Security Phantom, which was mentioned in the partner summit, so congratulations. Great to see you guys.

>> Thank you.

>> Thank you for having us.

>> So you guys are a really great example of a company that's been constantly innovating, on top of AWS, as a partner, differentiating, continuing to do business, and been successful. All the talk about Amazon could compete with partners, there's always been that myth. You guys have been operating successfully, got great customers on AWS, now you have the security conference, so now it's like a whole new party for you guys. 'Cause you don't go off to re:Invent anymore, certainly, the big event, what do you guys think about all this re:Inforce focus?

>> First of all, I'm just super impressed. The size, the scale, and the engagement from the ecosystem that they have over here, and I think, you know you mentioned we've been really partnering and being successful. I think the secret is really about, just be very customer-focused. It's about what the customer needs, it's not what does each of us need, and when we have that focus, we know how to partner, we know how to engage. One of the examples that we have here is we're partnering up as the capture the flag exercise and it's powered by Splunk, it's put up by AWS re:Inforce, and we wanted to bring the best user engagement, gamification of learning to this audience.

>> And there's a demand for a security conference because a new breed, a new generation of engineering and enterprises as they move to DevOps, with security, all those same principles now apply, but the stakes are higher because you got to share data, you got to get the data, it's the data-driven problem. You guys are thinking outside-- I think four years ago at .conf, the cyber security focus front and center, mainstream.

>> Very much so. And I think for us, security is a big part of our user conference, too. But we're getting inspirations from this event and how we can further, really amplify that message for our customers. But we're just so glad we're part of this, thank you for having us.

>> We're glad, big love covering you, big success story. Oliver, I want to get to you on the Phantom. Yesterday it was mentioned in a great demo of the Security Hub, Security Hub's the big news here, it's one of their major announcements, what is a Security Hub?

>> Yeah, so Security Hub, and you're right it was just announced that it reached general availability, which means it's available now to the rest of the world. It's a place to centralize a lot of your security management in AWS. So when you have detections, or Amazon calls them findings, coming from other security servers so they're centralized in Security Hub, where you can then inspect them, take action, investigate them. And one of the reasons we're here, is we've established an integration with Security Hub, where you can now take a finding coming from Security Hub, pull it into Splunk Phantom, and run an automation playbook to be able to, at machine speed, take action on a threat. So typically, you know if you're a human, you're looking at an event, and you're deciding what do I do, well I might want to go and suspend an AMI or go and move that AMI or change the access control group to a different access control group so that AMI can only communicate with a certain protected network if it's infected. Automation lets you do that instantaneously, so if you have an attacker who unfortunately may have gained control of your AMI, this allows you to react immediately, very very quickly to take action in that environment.

>> And this is where the holes are in the network, and it's administrative errors and (mumbles) sittin' out there that someone just configure it, now they're like, they could be out there, no one knows.

>> Exactly.

>> Could be just tired, I didn't configure it properly. But you guys were in the demos, I want to get your reaction that, because I was sittin' in the room, they highlighted Phantom in the demo.

>> That's right.

>> And so that was super important. Talk about that integration. What's actually going on under the covers there.

>> Yeah, so at a basic level, we're pulling findings through the Security Hub API, into the automation platform. And then at that point, a playbook kicks off. And a playbook is basically, think of it as a big if this/then that statement. You see a threat, and you go and take a number of actions. You might go and block a port, you might go and suspend that AMI, you might go and disable a user, but you basically build that logic up based on a known threat, and you decide, here's what I'm going to do when I see this threat, and I'm going to turn that into a codified playbook that you can then run very rapidly. On the back end, we've had to integrate with a dozen other APIs like EC2, S3, GuardDuty and others to be able to take action in the environment as well to remediate threats, like changing the access control list or group on a resource. So it's closing that end-to-end loop.

>> Hold on, Dave, one quick question on that followup. Then the CISO came in from Capital One and was off the record with this comment, was not really a sensitive comment, but I want to highlight and your both reaction to this. He says in terms of workforce and talent, mentality, 'cause the question came up about talent and whatnot, he sees a shift from better detection to better alerts, because of some of the demos, and implying, kind of connecting the dots, that the trend is to automate the threat detections the way you guys had demoed with Phantom, and then he was tying it back to, from a resource perspective, it frees his team up to do other things. This is a real trend. You agree with that statement?

>> Absolutely.

>> What's your thoughts?

>> Honestly, we believe that we can be automating up to 90% of the level one analysts. There's a lot of routine rote work that's done today in the SOC, and it's unforgiving, nobody wants to be a Tier One analyst, they all want to get promoted or go somewhere else, because it's literally a rat race.

>> It's boring and it's repetitive, you just automate it.

>> Who wants to do that, so we can automate that, we can free up about 50% of the analysts' time to actually focus on proactive activities, things that actually matter, like hunting, research and other development, writing counter-measures, versus the continually keeping up and drinking from a fire hose.

>> So I wonder if we could talk about how Splunk has evolved. You guys started before cloud, which came in 2006 and then really took off later, before the sort of big data craze, and you guys mopped up in big data. You never really use that term in your marketing, but you kind of became the big data leader de facto, you got an IPO with actually relatively, by today's comparisons, small raises,

>> Compared to today, yeah, yeah (laughs).

>> Incredibly successful story, very capital-efficient. But then the cloud comes in, you mopped up on prem, how would you describe how the cloud has changed your strategy, obviously you go out and acquire companies heavily focused on automation, but how would you describe your cloud strategy and how has that changed Splunk?

>> That's a great question. I think the fact that you have so many people here, just tells you that the whole industry is going through this transformation. Not only the digital transformation, the cloud transformation. And I'm glad you mentioned our roots, it's all about big data, and nowadays security, in many ways, is actually more about data than anything else. 'Cause the data represents your business, and you protect your data, how do you leverage the data, represents your security strategy. The evolution for us, when you zero that into cloud is, we have really been a very early adopter of cloud, we've been providing cloud services for our customers from the very beginning, at least six years ago when we introduced a product called Storm and we continued to evolve that as the technology evolved, we evolved that with customers. So nowadays you probably know cloud is one of our fastest-growing segments of our business. The technology team has been really innovating, really really fast. How do we take a technology that we built for on-prem, how do we rebuild it to be cloud-native, to be elastic, to be secure in the new way of DevOps. Those are some of the super exciting things we're doing as a company, and on the security side we're also, how do we help customers secure a hybrid world? 'Cause we truly believe the world going to stay hybrid for a long long time and we have companies like AWS really sort of pioneering and focusing and doing things great for the cloud, we still have a lot of customers who need companies and technologies and solutions like what Splunk bring in to bridge the world.

>> I want to get you guys' thoughts on some comments we've had with some CISOs in the past, and I really can't say the names probably, but one of them, she was very adamant around integration. And now when you're dealing with an ecosystem, integration's been a big part of the conversation, and the quote was, on integration, "have APIs and don't have it suck." And we evaluate people's integration based upon the qualities of their APIs. Implying that APIs are an integration point. You guys have a lot of experience with APIs, your thoughts on this importance of integration and the roles that APIs play, because that's, again, feeds automation, again it's a key, central component of the conversations these days. Integration, your reaction to that.

>> So, maybe I'll start. I'd say we would not have had the success of Phantom Cyber or the SOAR market, if not for having those APIs. 'Cause automation was not a new concept. It's been tried and probably not succeeded for many times, and the reason that we've been experiencing this great adoption and success with Phantom technology is because the availability of APIs. I think the other thing I would just add, I'm sure he has lot of experience in working that, Splunk was always positioned ourself as we want to be the neutral party, to bring everything together. And nowadays we're so glad we're doin' the integration, not only on the data side, which is still important. Bring the data, bring the dark data and shining a light on top of that, but also turning that into action through this type of API integration.

>> So good investment, betting on integration years ago.

>> Absolutely.

>> Early on.

>> We also change our culture. We previously say how many apps we have in our Splunkbase. Now with Oliver being part of the team, Phantom being part of the portfolio, we say how many apps and how many APIs we had to integrate. That's a change of metrics.

>> All right, Oliver. It's up to you now. I'm sure you know I know where you stand on this, APIs being, a renaissance of APIs going to the next level, 'cause a lot of new things goin' on with Kubernetes and other things. You've got State now, you got Stateless, which is classic REST APIs, but now you got State data that's going to play a big role. Your thoughts on that, don't make the APIs suck, and we're going to evaluate vendors based upon how good their API is.

>> Yeah, I think, look it's a buying decision today. It's a procurement decision whether or not you have open APIs. I think buyers are forcing us as an industry, as vendors, to have APIs that don't suck. We're highly motivated to have APIs that work well.

>> That sounds like a t-shirt ready to come out (laughs)

>> That's a great idea.

>> The Cube API's coming, by the way.

>> What does that mean, to have APIs that don't suck?

>> So the, a great definition I heard recently was, the API that you use as a vendor to interface with your product should be the same API that customers can use to interface with your product. And if all of a sudden they're different, and you're offering a lesser API to customers, that's when they start sucking. As long as you're eating your own dog food, I think that's a good definition.

>> So it's not neutered, it's as robust, and as granular.

>> Exactly, exactly. And I think what, 20 years ago there were no APIs in security. To do what we do today, to automate all of these security response techniques that we do today, it wasn't even possible. We had to get to a certain level of API availability to even get to this stage. And today, again, unless, if you're a black box, people aren't going to buy your product anymore.

>> Yeah, so, again, go the next level is visibility's another topic. So if you open the APIs up, the data's gettin' better, so therefore you can automate the level one alert, threat detections, move people up to better alerting, better creativity, then begs the question, at what point does the visibility increase? What has to happen in the industry to have that total shared environment around data sharing, because open APIs implies sharing of data. Where visibility could be benefited greatly.

>> Yeah, I think visibility is really the key. You can't measure what you can't, you can't manage what you can't measure, and you can't, you have to see everything in your environment, your assets, users, devices, and all of your data. So visibility is essential. And it comes in a number of forms. One is getting access to your policy data, your configuration data, seeing how are my things configured? What assets do I have? Where are my S3 buckets? How many AMIs do I have? Who owns them? How many accounts do I have? I think that was one of the challenges before, probably the last three to four years, before that period, enterprises were setting up a lot of these shadow cloud environments, 'cause you could buy Amazon with your credit card, essentially. So that was one of the problems that we would see in the enterprise, when a developer would go and create their own Amazon environment. So getting visibility into that has really been a big advancement in the last few years. Finding those things.

>> The birth of multi-cloud. Go ahead John.

>> Doesn't make it easier.

>> We were talking earlier in our intro Dave and I on the keynote analysis around you can configure it, you can secure it, and then we were riffing on the DevOps movement, which essentially decimated the configuration management landscape. Which was at that time a provisioning issue around developers. They'd have to essentially stand up and manage the network, and go and make sure the ports are all there, and they got load balancers are in place, and that was a developer's job. Infrastructure as code took that away. That was a major bottom, hierarchical needs, that was the lowest need. Now with security, if DevOps can take away the configuration management and infrastructure as code, it's time for security to take away a lot of the configuration or security provisioning, if you will. So the question is, what are some of those security provisioning, heavy liftings, tasks that are going to be taken away when developers don't have to worry about security? So as this continues with cloud native, it becomes security native. As a developer, and I don't want to get in and start configuring stuff. I want the security team to magically, security as code, as Dave said. Where are we on that? What's your guys' thoughts on getting to that point? Is it coming soon? Is it here now? What are some of those provisioning tasks that are going to be automated away?

>> I think we made a lot of progress in that area already. The ability to simply configure your environment, that Amazon has continued to add layers of check boxes and compliance that allow you to configure the environment far more seamlessly than having to go down into the granular access control list and defining a granular access control policy on your network ports or AMIs, for example. So I think the simplification of that has improved pretty dramatically. And even some of the announcements today in terms of adding more capabilities to do that. Encryption by default. I don't have to go configure my encryption on my data at rest. It's there. And I don't even have to think about it. So if someone steals a physical hard drive, which is very difficult to begin with, out of an Amazon data center, my data's encrypted, and nobody can get access to that. I don't even have to worry about that. So that's one of the benefits that I think the cloud adds, is there's a lot of default security built in that ends up normalizing security and actually making the cloud far more secure than traditional corporate environments and data centers.

>> Well I still think you have to opt in, though. Isn't that what I heard?

>> Opt in, yes. I would just add to that, I think it's like a rising tide. So the cloud is making lot of the infrastructure side more secure, more native, and then that means we need to pay more attention to the upper level applications and APIs, and identities, and access controls. I think the security team continue to have lot of jobs. Even yesterday they said well, not only we need to do what we need to do to secure the AWS, we also now get involved in every decision, all the other compa-- you know, like functions are doing, taking new sort of SaaS services. So I guess message is the security professional continue to have jobs, and your job going to be more and more sophisticated, but more and more relevant to the business, so that I think is the change.

>> So question. Oliver, you described what a good API experience is, from a customer perspective, Haiyan, you talked about hybrid. Can you compare the on prem experience with the cloud experience for your customers and how are they coming together?

>> You want me to try that first?

>> Sure.

>> Okay. So, I think lot of the things that people have learned to protect or defend, or do detection response in the on prem world, is still very relevant in the cloud world. It's just the cloud world, I think it's just now really transforming to become more DevOps-centric. How you should design security from the get-go, versus in the on prem world was more okay, let's try to figure out how to monitor this thing, because we didn't really give lot of thoughts to security at the very beginning. So I think that is probably the biggest sort of mentality or paradigm shift, but on the other hand, people don't go and just flip into one side versus the other, and they still need to have a way of connecting what's happening in the current world, the current business, the one that's bring home the bacon, to the new world that's going to bring home the bacon in the future. So they're both really important for them. And I think having a technology as AWS and their whole ecosystem, that all embracing that hybrid world and ecosystem plate no one sort of single vendor going to do all of them, and pick the right solutions to do what you do. So in security, I think it's, you going to continue to evolve, to become more, when the security's built in, what is the rising tide that's going to dictate the rest of the security vendors do. You cannot just think as 10 years ago, five years ago, even two years ago.

>> So that bolt-on mentality in the first decade of the millennium was a boon for Splunk. It was beautiful. 'Cause we got to figure out what happened, and you provided the data to show that. How does Splunk differentiate from all the guys that are saying "oh yeah, Splunk, they're on prem, we're the cloud guys." What's your story there?

>> Our story is you can't really sort of secure something if you don't have experience yourself. Splunk Cloud is probably one of the top, say 10 customers of AWS. We live in the cloud, we experience the cloud, we use the word drink, you know, like eat our own dog food, we like to say we drink our own champagne, if you will, so that's really driving lot of our technology development and understanding the market and really built that into our data platform, build that into our monitoring capabilities, and build that into the new technologies. How, you know, it's all about streaming, it's not about just somebody sending you information. It's about, in a hybrid world, how do you do it in a way that you, we have a term called the distributed data fabric search, because data is never going to be in one place, or even sort of in one cloud. How do we enable that access so you can get value? From a security perspective, how do we integrate with companies and solutions that's so native into the cloud, so you have the visibility not and the Bodong, but from the very beginning.

>> So you're saying that cloud is not magic for a software company, it's commitment and it's a cultural mindset.

>> Absolutely.

>> Guys, thanks so much for comin' on, great to see you, we'll see you at .conf, the Cube will be there this year again, I think for the seventh straight year. Oliver, congratulations on your product success, and mention as part of the AWS Security Hub presentation.

>> Thank you.

>> Good stuff from Splunk. Splunk is inside the Cube, explaining, extracting the signal from the noise, from one of the market-leading companies in the data business, now cyber security, I'm with (mumbles), we'll be back with more Cube coverage after this short break. (techno music)

Published Date : Jun 25 2019
