>> Narrator: Live from Washington D.C. It's The Cube covering .Conf 2017. Brought to you by Splunk. >> Welcome back to Washington D.C., the Cube continue our coverage here of .Conf2017. It's the Splunk get together here in Washington D.C. We're at the Washington convention center where they have a record crowd, 7,000+ everyone having a splunking good time you might say. Dave Alante, John Walls here and we're joined by a couple of gentlemen who work with TransAlta. Kent Farries on the far left, who's a senior analyist working the security intelligence analytics as well at TransAlta Kent good morning to you sir. I guess good afternoon, we've crossed that threshold haven't we? And Ikenna Nwafor who's a senior information security specialist at TransAlta as well. So good morning to you. >> Thank you good morning to you. >> Kent maybe you could just tee us up a little bit about TransAlta. Tell us a little bit about what core function, what you all are up to and then how the two of you are helping that mission along it's way. >> Sure, TransAlta is a well-respected power generator and wholesale marketer of electricity. It's been in business for over 100 years. We're based out of Calgary, Canada and we have operations in the United States as well as Australia. Myself and Ikenna are part of the security team based out of Calgary and then we also have off shored or outsourced some of the security operations and our function. >> Which I imagine is vast. Right, I mean you've got you know, you're primary mission obviously security, I would assume of the grid, distribution of power. >> Kent: You are correct. >> That's your number one focus. Right, so talk about the complexities of that in general for our audience who may not be familiar with your particular business but you obviously can imagine the nuances and the sensitivities that you have to deal with. >> Kent: So do you want to? >> Ikenna why don't you take that. >> I think they found out that we are in the prior generation business, makes us a critical infrastructure. And that means working and having ties to the grid makes it very critical that we protect our critical information systems from the threat landscape currently in security so it's a vast responsibility for the team, and we have regulatory requirements we need to abide by, things around (inaudible) and compliance requirements so that's really a very daunting task for us to mate with from a security standpoint. >> Right so it's critical infrastructure, that is distributed in it's nature, so it's high value, you're a target. You got to wake up every day knowing that. >> Yeah sure. >> Okay, so maybe take us through sort of your Splunk journey and what role it played kind of the before and after and how has it affected your business? >> I'll take that. So in the mid-2000s, we did security and everything but it wasn't really a key focus of senior manaagement or anything, it wasn't a lot of real breeches, most of the stuff that was going on was a nuisance, right? Out of the marketplace. >> Dave: Kind of hacktivists. >> Yeah, and we dealt with it, a lot of it still wasn't really coming through the internet, it was still coming through other means. So it wasn't at the forefront, even though we tried in say 2006 to make sure that security was at the forefront management wasn't quite ready at that time. Wasn't big breaches or anything. Around 2009 is our first introduction to what we call the SIEM, Security Information Event Management Solution, basically log management. We implemented that in 2009, and then we had that running for about five years until about 2014, but we started to lose some confidence in that tool, it just didn't give us the information that we wanted or needed to properly detect, respond to today's threats. So we stumbled upon Splunk, it took a little while to actually buy it. One of the system engineers tried to sell it to us we said nah, come back later. Nah, no, I don't even know what it is. And then finally I actually spun it up a proof of concept and I go this thing's amazing. Everything I ever thought of doing, I can actually do with this tool. This is wow. So took the POC, sold it to management, come January 2015 we implemented it, we hired the company out of Ontario to help stand it up, and bring all the data in. It was amazing and we had everything we ever wanted. It blew away our previous security information management system. >> So the SIEM fell short, you said because it didn't really give you the information you needed. Was it also a case of it was just too much information? >> It was difficult to use, so we actually went on training when we implemented the original one in 2009. So two weeks of training, down in the U.S., come back, architect still had a consultant help us stand it all up. But we couldn't build the use cases that we really needed. We were happy at the time, just to get log data, but there's no data enrichment or good correlation capabilities or it was super super difficult to implement. You couldn't search something like Splunk Answers, which you can today. I need to Google anything and the answer's out there around Splunk which is just the community's phenomenal. >> So at the time you didn't know what you didn't know and then once you saw Splunk, it sort of changed your vision of what was possible but so you said it was amazing but why is it amazing, what is it about Splunk that the SIEM tools don't do? >> I think to Kent's point, part of the challenge we had with the previous SIEM tool was the fact that it required a whole lot of work to even get a single simple use case in place for our security. Where as when we had Splunk in place, one is onboarding data logs from various sources was really really dead simple. The initial set up was within a day or half a day to basically replicate what we had from our previous SIEM, which was really fast. And then the other thing is Splunk provided a whole lot of flexibility where you really didn't need to go for some two weeks training to actually get going initially. And through the period we've had Splunk, we've seen that there's been a lot of things we've been able to achieve that we couldn't accomplish when we had our previous SIEM. >> Like for example, I mean what's it letting you do now that day to day that you couldn't do before? >> So if you buy a SIEM, typically it's in a vertical. It's serving one purpose. When you implement that it's usually the security team that gets to use it, and you got to bring in all this log data. Your other teams, say in operations or whatever, they want their log data too but they're in a totally different system, with Splunk it's a platform for us. So we bring all the data in, it's consumed by the IT security, it's consumed by dev ops and operations. So the same amount of data that you bring in say from an endpoint, we'll use it for detection forensics type capabilities, but the desktop team can use it as well to see is there application problems, desktop problems. Do I have drivers or something on a desktop that needs to be updated. We can be more proactive and help out the user so for us it's like a fabric. The foundation so once we've got that laid, yep? >> So all these use cases that you're laying out, previously you would have to essentially customize for each use case, is that right? >> Previously we couldn't even do some of them and then the other thing is we would most likely need to engage a third party contractor to assist us with that. Somebody who is a specialist in that field, whereas with Splunk some of the key things that helped us with Splunk is that maybe in the process of responding to a security event. We could think up ideas of we need this information, how do we get it? And on the fly we can easily build up a use case within minutes to get the information we need from Splunk we don't need to consult anyone, we don't need to read up manuals and for instances here we really need information to help us with building up the use cases going to like Kent mentioned earlier, going to Splunk Answers, you most likely get, so there's a broader community with Splunk that really helps with giving you the information you need to help you in your Splunk journey. >> Okay, so it's more intuitive I'm hearing and it's got the data that you need. >> Exactly. >> And so but even if you had an equivalent of Splunk Answers for your previous SIEM tool, you're saying you wouldn't have been able to because it's not flexible enough to architect what you needed? >> Ikenna: Exactly. >> And I'd like to just put a comment in there. I've been in IT for a long time. And I've always wanted to say, build my own database to bring stuff in and do different things, so I'm pretty good at scripting, but I don't want to be designing a full application or whatever. When I saw Splunk and how easy it was to onboard data, I go wow, this is amazing. So when I brought the consultant in and we stood up our original infrastructure, not only did we stand up ES within two weeks, enterprise security, we also onboarded all my custom stuff, like PowerShell scripts, everything else so we brought in acting directory data into Splunk and made it a PVR for us. So we go back in time and look at any one who their manager was and everything that's happened to that account at that exact time and we can correlate that with IP information everything else. As well we have all of our floors are mapped out. We know where you are in any given building or facility. So we were able to do that at a point in time, 'cause there's a PVR. We don't lose that information. And that's data enrichment, and we couldn't do that in the old system. >> So you had a time machine for your machine data. >> Kent: Yeah, it is, absolutely. >> Okay, cool. Now back to your business a little bit, so there's a physical security aspect of what you guys have to worry about as well. And I'm wondering if you could talk about that and how just the sort of attitude you touched on this before, Kent but how the attitudes towards security have changed and evolved over the last decade. Obviously greater awareness. Has that trickled into the lines of business? Or is it still mostly an IT and a security pro problem? >> I'll let Ikenna answer this. >> So really, for us it's been a journey for the last little while around security. And a couple of things we've had over the past few years is spreading the awareness around security across the business and that's really gained traction where it's no longer just the IT security folks talking to the business about what they need to do for security. But also the business getting back to IT security and trying ones they want to implement, setting up solutions trying to figure out okay, what do we do for security? Can you help assist us with something around risk assessment and really over time that has really helped spread that awareness and also we do a whole lot of things around trying to build a security program through performance assesments, that would be useful to identify gaps. And being able to communicate with the stats to senior management, around getting the necessary buy-in to proceed with whatever initiatives we want to run along with from a security standpoint. You want to add to that? >> I think that's good. >> Yeah, I'm sensing that prior to Splunk it was an uphill battle to get management to invest. Because they probably said, alright we're going to throw money at it, what's the result that we're going to get. As you can present metrics to management, it's easier to justify the investments because they're going to be able to see the outcomes, is that fair? >> Yes, definitely. I think prior to Splunk really we had certain sets of metrics but what Splunk has really helped us do is really consolidate all the log sources we have, get the right information and be able to actually provide a holistic view of our security program to senior management and show them across the different business units where we can get value for investment pointing to security. >> And have you evaluated alternatives, I know those competitors, they've bumped up in the past couple of years, have you evaluated those? Or did you at the time? >> Yeah so in 2009, we looked at a few different vendors and we picked a market leader at the time. There's a couple that we liked more than the market leader but they just didn't scale to our size. Back in those days certain vendors would call it events per second or whatever, we did some analysis and go, they just can't scale. That one back in 2009 is now a market leader. It's pretty good, it looks really interesting and everything as well there's about two or three players out there that I think look great from a SIEM perspective, but if you think of us, where we are at a SIEM is a component, but we actually have a platform. And management's bought into the platform, not only a SIEM, they didn't even know what a SIEM really was, before say 2013. And now they just know that we can provide information when they ask for it. If we don't know, we can get the answer within minutes or maybe hours sometimes depending on the complexity of the query, but we have all the information, we have all the PVR, time machine as you mentioned. It's all sitting there. We brought in most of our data, we got a couple little pieces we're still working on, there's different cloud information we're bringing in or other data enrichment. We can tell for example, an ISP anywhere in the world. We can tell our user visited that ISP. Or that attacker came from that ISP. Let's lock that whole ISP out. We have a lot of interesting capabilities where we don't know if we can do that in those other tools. >> So what's your headache of the future? It sounds like Splunk has done a lot to get you up to speed and get you to a very high comfort level now, looking down the road here, what's the next? >> Quickly start and then I think Ikenna wants to speak to this as well, one of the things that we need to do is we're getting better at detecting and responding. We've really focused a lot on prevention to make sure we can prevent what we can. But it's impossible to basically prevent everything, everybody knows that. You see it in the news. So we're trying to get better at detection and response. One of the shortcomings that we've noticed is that we can't always respond as humans fast enough. So we're trying to automate that, get richer information which Splunk allows us to do, so we call them like high fidelity alerts or high confidence alerts. So if we see that, that should never happen in our environment we'll shut that workstation down, disable that account, or cut off that subnet or something like that so it will all be automated. And then us as a team, will come back after the fact and look at it and go oh, yeah that was good. Or oops we made a mistake, sorry about that. And we'll bring the machine back online. >> Yeah, apologize after. >> After, because they move so quickly, or at least what we're seeing, adversaries move fast. >> How about, you want to add to that? >> I think they key, the way we look at our security program is just being on a journey, because the threat landscape changes like by minutes or days really. There's never a point where we'll say we are done. We are fully okay from a security standpoint, so we constantly look at where we need to evolve. A lot of our techs now are looking at cloud services so we are trying to see how we can show cloud services that we use, pool their log information where we can. And I try to actually enhance what we are currently doing. There's really no silver bullet to solving the issue of security so it's really constantly looking at where we can derive efficiencies to help our program. >> I wanted to ask you about pricing. Are you a Splunk cloud customer? You pay a subscription, you have a perpetual license? >> We did the subscription to term. We're evaluating potentially moving to the cloud. It would be near the end of 2018. We're not sure how we're going to go, maybe we'll just put it in say one of the like AWS or Azure instead of maybe going to the cloud offered because personally we like tweaking and doing a couple things under the hood, so there's a little more change control in cloud. At least at the moment, maybe that will change over time. But we like to be able to quickly onboard data, do all this as fast as we can when we need to. >> And you priced, Splunk charged you by the amount of data? >> You pay by the amount of data. >> Okay, so my follow up is, as the amount of data exponentially, as that data curve growth curve kind of grows, reshapes if you will, are you concerned about just the whole pricing model? Does it have to? >> I'll take that one. So the interesting thing about Splunk it's actually disruptive or disruptor or, it can displace technologies within your environment. So we really try to consolidate things down and take out things that aren't needed. So in certain scenarios, we do a lot of vulnerability scanning and all that, we don't necessarily go buy the top top end product and spend a lot of money on that, we might buy something else or even use open source in the future, who knows. Get the information into Splunk and then use Splunk to do all the analysis. So we're paying like one or two percent of what a typical cost would be and that license itself would pay for Splunk. >> So you're getting asset leverage there. >> Yeah. >> It pays for the data growth. >> As well, we're finding other benefits in the environment using predictive analysis for example, we Splunked all of our storage, and I gave that to my boss and I go here ya go, what do ya think? And you can predict it out a quarter, half a year or a year and he was just ready to buy basically a million dollars of hardware and said geez, I don't need to do that. That's pretty cool. >> So you're using Splunk as a capacity planning tool. >> As well, yeah. We use it for many purposes. >> Very interesting. >> That sounds like a good year end bonus to me there, Kent. (laughter) Gentlemen you both came down from Canada, is that right? >> Yes, we did. >> So my apologies for the unseasonably warm weather here, but we have the lights on which is something you're very familiar with, right at TransAlta. Thanks for the time, interesting conversation glad you both could be here with us today. >> Thanks for having us. >> Alright continuing more our coverage here on The Cube for .conf2017, we'll be live here in Washington D.C. Take a little break, back at 1:30 Eastern time, see you then.

(soft music) >> Narrator: Live from Las Vegas Navada, it's theCUBE, covering Accelerate 2017, brought to you by Fortinet. Now here are your hosts, Lisa Martin, and Peter Burris. (soft music) >> Hey welcome back to theCUBE, I'm Lisa Martin with my co-host Peter Burris. We're coming to you live from Las Vegas, we're with Fortinet today, at their Accelerate 2017 event, which brings together end-users, over 700 partners from 93 countries, great buzz today, very excited to be joined by Richard Hannah, who is the VP of information services at Gibson Energy. Richard, welcome to theCUBE. >> Thank you for having me. >> Great to have you here, first and foremost, Richard, help us understand, what is VP of information services? >> So maybe first off, I'll just explain Gibson Energy. >> Yes, that was probably my first question. (laughs) >> So Gibson Energy is a Calgary Canada based midstream oil and gas company. But we do have locations throughout North America. In all the major oil base in throughout North America. We're considered a mid-stream oil and gas company, which if you, the categories of the, of the Energy industry is really, upstream would be the companies, that are taking the product under the ground. Downstream would be closer to retail, and we're in the middle, so midstream side, so basically that entails, logistics, so, think trucking, train, some moving of the oil and gas, um, infrastructure, around storage, um >> You're getting into refinery >> Pipelines that kind of stuff, yeah, and then the marketing side, would be, the actual going to the end customers, so our marketing group would be looking for the end customer, like refineries et cetera. So that's kind of what makes up, makes up our company. About two, over 200 locations, pretty complex business. So to your question, Gibson is a 60 year old company never had a kind of a senior IT leader in its history, but through a number of acquisitions, we had doubled in size, kind of coming into, 2013, and so I was hired as their first VP of IT, and basically look after all of the strategy around technology, the operations around technology, security of technology for the company. >> So a lot of companies are now looking at IT as not just handling the operations of known processes and by known processes, I mean accounting, HR et cetera, >> Right. >> But they're actually looking at IT to be a partner in going after opportunities, that may not be so well formed. >> Right. >> That may require analytics or be dependent upon analytics, is Gibson starting to think in those terms? Is that a part of your remit as an executive within Gibson, is to help think that process through? >> Definitely yeah, I think you know, there's obviously the normal day to day keep the lights on, of IT, and there were some, major investments, and transformations if you will, that needed to happen on the technology side, and that's kind of what went on in the, say the 2015 to 2016 range, but now we are actually, you know as you discussed, we're actually now looking at ways of using technology to add value to the company, I think, you know IoT, is a great example of that, we're doing some interesting things with IoT, doing some interesting things with HoloLens, so we're actually starting to, you know, be that true, kind of, strategic enabler for the company. >> Well talk about some of those IoT opportunities, I mean, certainly, in the midstream oil and gas universe, there's a lot of very, very expensive equipment >> Right. >> But it has to be maintained and taken care of. So how is IoT starting to impact the way, the business operates >> [Right. So yeah, as you mentioned, we have, you know, thousands and thousands of devices in the field. >> Peter: Not little tiny things. >> Not little tiny things >> No. >> These are big things. >> Yeah. >> Bigger than a bread box kind of stuff. >> Exactly. So, um, you know, before the concept of IoT, um, any monitoring, or data that you had to get off any of those devices, was largely manual, or didn't exist at all. So a great example of our first, interest in IT was with one of our disposal wells, well sites, in the middle of Alberta, and, basically, you know, it disposes of things that can't be used within the, you know, within the downstream side of the business, so it environmentally safely disposes of dirt and mud and those types of things, water, a lot of water that obviusly comes out of the production side. So that disposal well, think of it as a large heater that, heats up to you known large, you know, temperatures and as part of the disposal process. So prior to IoT, there was no way to really have any data on how that well was functioning, and when was the proper time to actually do preventative maintenance on the well. So we connected the well to you know, using IoT technology, through to the Cloud, and then, and then provide an analytics on the back end, to actually provide information on how that well was actually performing, from a heating standpoint, et cetera. So the operation team can actually, now real time, look at how that well is performing, and then perform maintenance when it's actually time to do it versus just doing it, you know based on gut feel. So save you know, thousands of hours of maintenance, thousands of man time, et cetera, so that's just one example of how we're connecting, you know, some of our devices. We are actually now starting to connect our our weight scale, which is part of our our logistic side of things. So again, prior to connecting those, the weight scale, somebody actually had to go out and take the measurements, write them down, take them back and put them into the operational system. Now, we can do that real time as well. So considerable efficiencies gained at the same time, you mentioned the word transformation before, I think you both did, you also talked about this growth there, so from a Cloud journey perspective, as we think of transformation in that sense, what is what's been the strategy that you've been employing as your generating, bringing more IoT devices online, to support the business, make it more efficient. What has your journey to the Cloud been, especially related to the growth that's happened in such a quick pace? >> Right. So, when I arrived back in 2013, as I mentioned, there was a fair bit of transformation that had to happen, on the IT side, and we're talking, you know, new ERP, new, so a lot on the application side including, new ERP et cetera, but on the infrastructure side, we required, again, a lot of transformations, sorry to keep using that word, but I think it's overused a lot, but it's the best way to describe what was happening. >> Evolution, transformation >> But, everything from our network, to our data centers, to security et cetera. So on the data center side, because of, the number of acquisitions the company went through, we actually, were sitting with seven data centers, and for a company our size, I mean way too many data centers a lot of cost, a lot of, you know, man power, to maintain those data centers, four of them in the US, three of them in Canada. So part of our strategy as a pertain to data center, was to consolidate, and you know I remember the kind of as we spoke about the strategy, was we need to move from somewhere from seven to less than seven, and zero was the right answer. (laughs) So meaning, wanted to get out of the data center business, and wanted to to go to the Cloud as much as possible. So we're now on that journey, we have, by the end of 2017, we'll have one physical data center, and the rest will be in the Cloud with Azure. >> And you're on that journey with Microsoft Azure, which is a big technology, alliance partner with Fortinet. Talk to us about the consolidation of data centers, and where does the security angle enter the picture, is it there from the beginning or is it something that has evolved as you transformed? >> I would say, largely evolved, so as we started architecting our, our cloud strategy with Azure, I mean Azure comes with, you know, a lot of security components, but at the same time we wanted to be in control of our own destiny as it were, as it pertains a security, so we wanted to have access to the firewall side of things, so that's how we got into working with Fortinet. And it was, we had never been a Fortinet customer prior to that, but as we looked at how to we secure Azure and how do we provide access to our network team, as it pertains to our connectivity to the cloud. Fortinet kind of, came out as the clear winner, through our due diligence, and we've been quite impressed with their capabilities, their partnership with Microsoft and Azure and their, you know, their ability that helped us architect a real secure solution as pertains to our cloud connectivity. So over the next couple of years, you're going to see more IoT? >> Definitely, that's 2017, I's say you know, two main strategies for 2017, security and IoT. >> So are you going to be seeing more edge oriented IoT >> Yes. >> So you're going to be, doing a fair amount of processing close to the end because of physics, so one of the things that we say, is we think that there's going to be less data move back to the Cloud, and more Cloud move to the edge. >> Right. >> How are, how do you see the relationship between, midstream oil and gas, being, processing at the edge, doing, running models at the edge, and making sure that the data that's in flight, which can be very strategic and very valuable, a lot of different dimensions remains secure. >> So you know as I mentioned at the outset, very complex company, and moving a lot you know, a lot of might, you know, what we call, oil and gas, and the other products that go with that. And I think, so if, as we look at IT, similar, right, very complex, network, very complex system that we have in place. And so, analytics is becoming, you know, quite important, to our whole running of the business, and obviously IT being the enabler of analytics, so, that is, you know, that's really what's moving us towards, and to do that, sorry, and to do that with, devices in the field, thinking your network is becoming very complex. So, not just wired devices any longer, wireless is a huge part of our network now, and keeping those things secure, and the fact that we're actually connecting to things that run, you know, the crown jewel, so to speak, makes it even more imperative that we have, you know, very, focus on security, and obviously great partners like Fortinet to help us keep those assets secure. >> From a security perspective, just curious from your standpoint, are you kind of the, the leader of that digital army, within Gibson or with your other peers on that c-suite to facilitate not only this journey to cloud, and I really liked how you about it Peter with the cloud moving out to the end points, what's your role in sort of, and how is it measured, facilitating security from, from that, eventually one data center out to those mobile IoT devices in the field. >> Right. So, I mean you know, as I mentioned, security is kind of one of our top strategies, unfortunately, I guess it has to be. But it's not hard to sell the importance of security, with, you know, the other senior leaders of the team. I think, the you know, the incidence that are happening in the world and the media, attention on security, makes it, makes >> Even in Canada. >> Even in Canada, yeah. (laughs) Makes it, you know, apparent that, that is kind of one of the questions that everybody's asking, >> Right. >> And in our business energy business as well, I mean, health, you know HSS and eHealth, security is paramount to what we do, you know, physically in the field, so security, from a digital standpoint is, I guess an easy sell. To your question, it's very top-of-mind everybody and IT kind of holds that banner as it, as it pertains to um, you know, the security of our digital assets. >> In some, in some senses, you might be able to say that some of the recent breaches, and we know that now they happen daily, but some of the ones that have been, in the media that you mentioned, could in some cases, in your role, maybe even be an advocate or an advantage for, you were saying it's kind of an easy sell, we understand the importance here. We want to get out ahead of it. Understanding, at some point, we're probably go into, get to the point of really being able to limit damage, that it's not a challenge in terms of the buy-in from your executive management. >> Right, and you know, the risk I think for us is disruption, um, and you see, you know, there's incidences around the globe, where, whether it's, you know, other utilities have been disrupted, you know, through breaches, so you know, that is our focus is, how do we ensure that our day to day operations are not disrupted by you know something that could have happened to from a, you know, from a digital security standpoint. >> Got it. Well it sounds like you have a quite a big 2017 ahead, continued success in the big data center, from seven to eventually zero with Microsoft Azure, that you're going to do. We thank you Richard Hannah, VP of information services, at Gibson Energy, thank you so much for joining us on theCUBE today. >> Alright, thank you for having me. >> And on behalf of Peter Burris my co-host, and myself Lisa Martin, thank you so much for watching theCUBE, stick around and we'll be right back. (upbeat music)