Chris Folk & Mohan Koo


>> Welcome to theCUBE's continuing coverage of Splunk's .conf21. I'm Dave Nicholson, and I am joined by Chris Folk, director, cybersecurity policy and strategic partnerships at MITRE Corporation, as well as Mohan Koo, the co-founder and chief technology officer at DTEX Systems. Now, gentlemen, we've heard this before, but I think this is going to be the best example of a conversation on this subject I've ever had: security is a team sport. So let's talk about how that applies, where MITRE and DTEX and Splunk all come together and work as a team. Starting with you, Chris. MITRE published the ATT&CK framework. And, just so people are clear on that: all caps, A-T-T, ampersand, or "and" sign, I should say, capital C, capital K. Looks like "attack." That's how you say it. The framework was created by MITRE. It's a bit of a game changer. Now, enterprise security teams use that pretty religiously. So tell us about that, and tell us what we can expect next from MITRE.

>> So thank you, David, pleasure to be here. You know, I think that what made ATT&CK resonate with users is it's based on data. It started with data that we observed in our networks and organized around, at that time, the emergent principle that Lockheed Martin had put out on the kill chain. So it gave it structure. And we have been lucky that the community has sort of embraced that concept of what we started off. We got the numbers completely wrong. We started off with like 41 TTPs, and that was because that was based on a small subset of data that we had. And what's been powerful, and what's made it truly wonderful, is the community's adopted it, and that's what it's added to. It's an additive approach. But it's all based on data, and it's all just a fabulous opportunity for the community to come together. So what MITRE's really focused on is understanding how data and those problems come together. And then we surround the ecosystem of that problem with things like language. So we give it a framework, and we give it operational data, so that it actually has resonance with the users of that community.

>> So give me an example of the language that's used. You know, there are things that are under the heading of tactics, as an example. Give me an example of some of those things. What's the term in plain English, and what does it mean?

>> So tactics are a way for an adversary to go about taking care of their business. So, in the day, when we were first thinking about this, we thought about it as the old cartoons where you'd have the coyote, and the sheep would check in, you know, the coyote was given his lunchbox. He was given, if you think about it, the adversary target list. And he was given his tools; he would open up his toolbox, and he would go after those targets for the day, and he would use those tools. What we realized is that in most cases, a lot of those tools were expensive to create. They were hard to train up on. And so they tended to use the same basic toolkit over and over again. What changed was perhaps one little thing that they would exploit, that was always changing. And so what I likened it to was a burglar. A burglar would show up with his bag of tools. He would have a crowbar, and he would have a flashlight, and he would have a bag. And what he would do is, he'd sometimes choose to go in through the windows. Sometimes he'd choose to go in through the door. Sometimes he'd choose to go in through the basement. It didn't matter. But once he got in the house, he had that flashlight, he had that bag, and he had that crowbar. I could figure out through my sensors what he had in his bag or with him; I could catch that. And then I could alert on that and find the other pieces of that. And so that's what tactics are really about, and getting that concept boiled down to a language that cyber defenders could readily understand and put into practice in their businesses.

>> So Mohan, tell us about DTEX. And I'm particularly interested in the connection between DTEX and what Chris was just talking about, that MITRE has provided us this language that ATT&CK provides us. Essentially, you're listening for those things that go bump in the night. Chris has given us a language to describe them. Tell us how DTEX fits here.

>> Yeah. So what we're doing, David, and thank you for having me as well, what we're doing is we're bringing to the table a whole different type of telemetry, and it's all around human behavior. And how we got together with MITRE is actually a direct connection to how we got together with Splunk as well. I'm actually sitting here in Adelaide, in Australia, at the Australian Cyber Collaboration Center. And this is an initiative we put together with the state government of South Australia, and federal government as well, to actually bring everybody into one trusted group, so we could break down the silos and collaborate a hell of a lot better. As we all know, the bad guys collaborate extremely well. You know, they share everything, including their IP and their tactics and their techniques; everything is shared. And that puts them at an extreme advantage to the good guys, and girls, right? And so we have to do a much better job at that collaboration. And when we came together and were introduced to MITRE here at the Australian Cyber Collaboration Center, we decided that taking MITRE's expertise, and they've got more than 15 years' worth of dedicated experience around behavioral science and how it contributes to insider threats, and studying that in some depth, putting that together with the data that we're collecting for our enterprise customers was something that was really, really important. And actually, you know, it was here in the Australian Cyber Collaboration Center that we first got locked together with Splunk. And Splunk started to identify a problem statement amongst their customers too: that, you know, the data that exists out there for security operations teams just doesn't have that cleanliness, and it doesn't have the context when it comes to human behavior. And that's really what we're bringing to the table here.

>> So give me an example of a human behavior that you're looking for. So Splunk is providing this data that's being gathered from logs. These events are being rolled up, and DTEX is analyzing them. Can you give us an example, that doesn't educate adversaries, of behaviors that you look at?

>> Yeah, absolutely. And I'll just touch on it, and then I'll hand over to Chris, because MITRE are truly the experts on this stuff. But what I will say is that a lot of organizations, when they think about human behavior and the insider threat per se, they always think about the malicious actor, right? The Snowden-type character that's maliciously and intentionally trying to get access to take stuff. But it's much more than that. It's also insiders that do negligent things, and it's insiders that are victims of their own lack of understanding of things that they're facing. And when outsiders are cleverer, or more technically proficient, they can find ways to usurp the insider and get them to do bad things without them even knowing they're doing it. And so understanding intent, and we call it, at DTEX, we call it indicators of intent, is really important for us to know. Those indicators are what we've been working with MITRE on for the last year or so, kind of understanding what the newest, most complicated indicators of intent are, and how we determine those to be able to know the difference between a malicious insider versus somebody that's just doing the wrong thing without even knowing about it. I don't know, Chris, if you wanted to touch on that a little bit.

>> Yeah, yeah, yeah, Chris, absolutely. You know, Mohan's joining us from Australia. Chris, you and MITRE have done a ton of work with the U.S. Federal Government around detection and prevention of those insider threats. Talk us through that. And, more specifically, tell us how that is applicable to nongovernmental agencies.

>> Yeah, well, so I mean, I think at the core of it, human behavior is human behavior. And whether those are being applied to critical infrastructures, whether they're being applied to working at a federal government organization, or a state or local government organization, it doesn't matter. Humans have behaviors. Every human has behaviors. What makes them unique is understanding the context behind those behaviors, and then looking for indicators that are distinguishable from an individual doing his or her job. Right? So one of the challenges that you have with insider behavior is that, you know, data collection is everyone's job at every organization, right? You're always trying to put together the numbers for the spreadsheet to brief to your boss. Well, when you're doing that data collection, it can look like normal work. And you can't trigger on something like that, because otherwise you're going to be triggering on every individual doing their job every day. So you have to add additional context and behavioral indicators to that, to understand how the individual is doing that differently in a case where they are up to no good, we'll say, as opposed to under circumstances of doing their job in a regular course of action. So what we have long held as beliefs about how people behave are actually manifesting themselves differently in online behavior: how fast they click, what kinds of tools they use to do legitimate work versus the kinds of tools that they use to do, I'll call it, illicit collection. Literally those kinds of subtle nuances. So while they might do the same collection activities, how fast they do it, where they put that information, how often they go back to the same site, those are indicators that, when taken with that behavioral context, really matter. And that's what distinguishes them from just normal, typical user behavior.

>> So how much does that context vary between private entities, governmental entities, and across private entities? Is this the classic 80/20 situation where, you know, 80% of it's the same, 20% very different? What does that look like?

>> Yeah, I would say that, you know, an 80/20 is a very good rule. I'd probably put it up closer to 90 to 95 to five, right? So behaviors work the same. Now, the protocols that organizations have are going to drive some of that, right? So a government organization is going to have certain things in place that a private company may or may not. So, you know, how locked down the systems are, the kinds of access, things that you allow. So do you allow USB drives? Do you allow those kinds of capabilities in your organization? So, if you're a private sector organization, but even within a private sector organization, they'd run the gamut, right? You have very locked down environments like banks and regulated industries, and then you have very unregulated industries as well. So it really isn't about government and industry. It's about the kind of protocols that are already in place for other reasons that really drive the differences between that. And then you have, again, those additional safeguards that you have, say, with a government organization, where you've got security vetting, right? So you've done security vetting of a lot of your employees, even if it's not a security clearance, it's a personnel vetting. And so it's an additional level, but all it does is change the emphasis of where you place the value in your security mechanisms.

>> So, you mentioned a variety of contexts. Mohan, we've had a mass shift to remote working, obviously. Splunk has shared with us that the customers are concerned about, you know, giving people visibility without compromising privacy. And I say Splunk like Splunk is a person (laughing). We like to personalize everything here at theCUBE. But how is DTEX helping with this challenge, this challenge of not being intrusive, yet getting the important work done that needs to be done?

>> Yeah, that's a great question. And for us, you know, we, as DTEX, we kind of grew up in Europe; that's kind of where we became an international organization. So employee privacy is at the heart of everything that we do. And we make privacy by design into everything that we do. So we're actually able to pseudo-anonymize every bit of data that we're collecting, so that you're actually really, truly looking for bad behaviors or unusual behaviors. You're not looking for bad people or unusual people, right? It's a very clear distinction. And being able to do it in a way that gives the organization the visibility to prevent against risk and to de-risk the organization without infringing on anyone's privacy is really critical. And, you know, as Chris was mentioning, even if you go to the private sector, you've got those very regulated banks or healthcare organizations that are typically quite locked down, but we're dealing more and more with high-tech companies, right? A lot of Bay Area firms, Silicon Valley companies, which have always required the flexibility for their workforce, right? They want them to be innovative. They want them to do different things. And in order to do that, they need the ability to have any tools they need to get their job done. But in those environments, you can't have too many hard and fast controls. So how do we actually provide that visibility to the organization without infringing privacy? That is absolutely what the game is about. And so, you know, not having to scrape screens and keystrokes and video capture, you know, that's the old school way of doing it. You know, in some cases maybe you do need that level of surveillance, but in most cases you absolutely do not. And so, for many, many years, a lot of enterprise security organizations have been collecting way more data than they need to and taking way more intrusive approaches. And we're about backing that off and getting the right balance between security and privacy, because what we truly believe is where you overlap security and privacy, that Venn diagram that you get in the middle is where you get safety. And we really see it as an extension of health and safety.

>> So Mohan, if we do all of these things correctly, between Splunk, MITRE, and DTEX, you get the perfect scenario where you're catching bad actors and you're not inconveniencing good actors. So what's your view of this? Dystopian future, utopian future, a mix of both?

>> Well, look, I think that the future really is, you know, as the title to this discussion is, it's a team sport, right? And I think the approach that Splunk is taking right now is absolutely the right one. We need to all come together. We can't be everything to everyone. I don't think there is a one-size-fits-all solution in enterprise security today. And those organizations that understand that and recognize that, but neither are we able to continue just kind of investing in hundreds of point solutions across the enterprise and layering them across the business like band-aids. We need that consolidation, but we do need to take best-of-breed solution providers to focus on those integrations and doing it properly. And that's what we've really enjoyed about working with Splunk over the last couple of years, is kind of taking a very holistic approach and realizing that we all need to come together to play this team sport. Because, you know, we, as DTEX, bring together a very clean data set that gives you that human telemetry, and then MITRE brings the behavioral science capability and behavioral science understanding, and Splunk provides that big data platform to bring everything together and show it and visualize it. And really that's one way of looking at it. And I think, you know, going forward, those vendors or those organizations that don't recognize that proper integration, actual true integration, has to be done collectively, and it has to be done in a way that's light and easy for anybody to consume.

>> Perfect way to wrap this CUBE conversation. Thank you, Mohan. Thank you, Chris. And thank all of you for joining us on this CUBE conversation. Our continuing coverage of Splunk .conf21 continues. I'm Dave Nicholson. Thanks for joining.

Published Date : Oct 19 2021
