>>Live from Las Vegas. That's the Q covering splunk.com 19 brought to you by Splunk. >>You know, kind of leaning on that heavily. Automation, certainly very important. But what does enterprise and what does enterprise security 6.0 bring to the table. So can you take us through the evolution of where you guys are at with, with Splunk, if you want to handle that enterprise security? So yeah, generally enterprise security has traditionally had really, really good use cases for like the external threats that we're talking about. But like you said, it's very difficult to crack the insider threat part. And so we leveraging machine learning toolkit has started to build that into Splunk to make sure that you know, you can protect your data. And, uh, you know, Tyler and I specifically did this because we saw that there was immaturity in the cybersecurity market for insider threat. And so one of the things that we're actually doing in this top, in addition to talking about what we've done, we're actually giving examples of actionable use cases that people can take home and do themselves. >>Like we're giving them an exact sample code of how to find some outliers. They give me an example of what, so the use case that we go over in the talk is a user logs in at a weird time of day outside of their baseline and they exfiltrate a large amount of data in a low and slow fashion. Um, but they're doing this obviously outside of the scope of their normal behavior. So we give some good searches that you can take home and look at how could I make a baseline, how could I establish that there's deviations from that baseline from a statistical standpoint, and identify this in the future and find the needle in the haystack using the machine learning toolkit. And then if I have a sock that I want to send notables to or some sort of some notification to how do we make that happen, how do we make the transition from machine learning toolkit over to enterprise security or however your SOC operates? >>How do you do that? Do you guys write your own code for that? Or you guys use Splunk? So Splunk has a lot of internal tools and there's a couple of things that need to be pointed out of how to make this happen because we're aggregating large amounts of data. We go through a lot of those finer points in the talk, but sending those through to make sure that they're high confidence is the, is the channel you guys are codifying the cross connect from the machine, learning to the other systems. All right, so I've got to ask, this is basically pattern recognition. You want to look at baselining, how do people, can people hide in that baseline data? So like I'll give you, if I'm saying I'm an evil genius, I say, Hey, I knew these guys looking for Romans anomalies in my baseline, so I'm going to go low and slow in my baseline. >>Can you look for that too? Yeah, there are. There absolutely are ways of, fortunately, uh, there's a lot of different people who are doing research in that space on the defensive side. And so there's a ton of use cases to look at and if you aggregate over a long enough period of time, it becomes incredibly hard to hide. And so the baselines that we recommend building generally look at your 90 day or 120 day out. Um, I guess viewpoint. So you really want to be able to measure that. And most insider threat that happen occur within that 30 to 90 day window. And so the research seems to indicate that those timelines will actually work. Now if you were in there and you read all the code and you did all of the work to see how all of the things come through and you really understood the machine learning minded, I'm sure there's absolutely a way to get in if you're that sophisticated. >>But most of the times they just trying to steal stuff and get out or compromise a system. Um, so is there other patterns that you guys have seen in terms of the that are kind of low hanging fruit priorities that people aren't paying attention to and what's the levels of importance to I guess get ahold of or have some sort of mechanism for managing insider threats? I passwords I've seen one but I mean like there's been a lot of recent papers that have come out in lateral movement and privilege escalation. I think it's an area where a lot of people haven't spent enough time doing research. We've looked into models around PowerShell, um, so that we can identify when a user's maliciously executing PowerShell scripts. I think there's stuff that's getting attention now that when it really needs to, but it is a little bit too late. >>Uh, the community is a bit behind the curve on it and see sharks becoming more of a pattern to seeing a lot more C sharp power shells kind of in hunted down kind of crippled or like identified. You can't operate that way, what we're seeing but, but is that an insider and do that. And do insiders come in with the knowledge of doing C sharp? Those are gonna come from the outside. So I mean, what's the sophistic I guess my question is what's the sophistication levels of an insider threat? Depends on the level a, so the cert inside of dread Institute has aggregated about 15,000 different events. And it could be something as simple as a user who goes in with the intent to do something bad. It could be a person who converted from the inside at any level of the enterprise for some reason. >>Or it could be someone who gets, you know, really upset after a bad review. That might be the one person who has access and he's being socially engineered as well as all kinds of different vectors coming in there. And so, you know, in addition to somebody malicious like that, that you know, there's the accidental, you're phishing campaigns here, somebody's important clicks on an email that they think is from somebody else important or something like that. And you know, we're looking fair for that as well. And that's definitely spear fishing's been very successful. That's a hard one to crack. It is. They have that malware and they're looking at, you can say HR data's out of this guy, just got a bad review, good tennis cinema, a resume or a job opening for, and that's got the hidden code built in. We've seen that move many times. >>Yeah, and natural language processing and more importantly, natural language understanding can be used to get a lot of those cases out. If you're ingesting the text of the email data, well you guys are at a very professional high end from Sai C I mean the history of storied history goes way back and a lot of government contracts do. They do a lot of heavy lifting from anywhere from development to running full big time OSS networks. So there's a lot of history there. What does sustain of the yard? What do you guys look at as state of the art right now in security? Given the fact that you have some visibility into some of the bigger contracts relative to endpoint protection or general cyber, what's the current state of the art? What's, what should people be thinking about or what are you guys excited about? What are some of the areas that is state of the art relative to cyber, cyber security around data usage. >>So, I mean, one of the things, and I saw that there were some talks about it, but not natural language processing and sentiment analysis has gotten, has come a long way. It is much easier to understand, you know, or to have machines understand what, what people are trying to say or what they're doing. And especially, for example, if somebody's like web searching history, you know, and you might think of somebody might do a search for how do I hide downloading a file or something like that. And, and that's something that, well, we know immediately as people, but you know, we have, our customer for example, has 1000000001.2 billion events a day. So you know, if the billion, a billion seconds, that's 30 years. Yeah. So like that's, it's, it's a big number. You know, we, we, we hear those numbers thrown around a lot, but it's a big number to put it in perspective. >>So we're getting that a day and so how do we pick out, it's hard to step of that problem. The eight staff, you can't put stamp on that. Most cutting edge papers that have come out recently have been trying to understand the logs. They're having them machine learning to understand the actual logs that are coming in to identify those anomalies. But that's a massive computation problem. It's a huge undertaking to kind of set that up. Uh, so I really have seen a lot of stuff actually at concierge, some of the innovations that they're doing to optimize that because finding the needle in the haystack is obviously difficult. That's the whole challenge. But there's a lot of work that's being done in Splunk to make that happen a lot faster. And there's some work that's being done at the edge. It's not a lot, but the cutting edge is actually logging and looking at every single log that comes in and understanding it and having a robot say, boom, check that one out. >>Yeah. And also the sentiment, it gets better with the data because we all crushed those billions of events. And you can get a, you know, smiley face or that'd be face depending upon what's happening. It could be, Oh this is bad. But this, this comes back down to the data points you mentioned logs is now beyond logs. I've got tracing other, other signals coming in across the networks. So that's not, that's a massive problem. You need automation, you've got to feed the beast by the machines and you got to do it within whatever computation capabilities you have. And I always say it's a moving train hard. The Target's moving all the time. You guys are standing on top of it. Um, what do you guys think of the event? What's the, what's the most important thing happening here@splunk.com this year? I'd love to have both of you guys take away in on that. >>There's a ton of innovation in the machine learning space. All of the pipelines really that I've, I've been working on in the last year are being augmented and improved by the staff. That's developing content in the machine learning and deep learning space that's belongs. So to me that's by far the most important thing. Your, your take on this, um, between the automation. I know in the last year or so, Splunk has just bought a lot of different companies that do a lot of things that now we can, instead of having to build it ourselves or having to go to three or four different people on top to build a complete solution for the federal government or for whoever your customer is, you can, you know, Splunk is becoming more of a one stop shop. And I think just upgrading all of these things to have all the capabilities working together so that, for example, Phantom, Phantom, you know, giving you that orchestration and automation after. >>For example, if we have an EMS notable events saying, Hey, possible insider threat, maybe they automate the first thing of checking, you know, pull immediately pulling those logs and emailing them or putting them in front of the SOC analyst immediately. So that in, in addition to, Hey, you need to check this person out, it's, you need to check this person out here is the first five pages of what you need to look at. Oh, talking about the impact of that because without that soar feature. Okay. The automation orchestration piece of it, security, orchestration and automation piece of it without where are you know, speed. What's the impact? What's the alternative? Yes. So when we're, right now, when we're giving information to our EES or analysts through yes, they look at it and then they have to click five, six, seven times to get up the tabs that they need to make it done. >>And if we can have those tabs pre populated or just have them, you know, either one click or just come up on their screen for once they open it up. I mean their time is important. Especially when we're talking about an insider threat whom might turn to, yeah, the alternative is five X increase in timespan by the SOC analyst and no one wants that. They want to be called vented with the data ready to go. Ready, alert on it. All right, so final few guys are awesome insights. Walking data upsets right here. Love the inside. Love the love the insights. So final question for the folks watching that are Splunk customers who are not as on the cutting edge, as you guys pioneering this field, what advice would you give them? Like if you had to, you know, shake your friend egg, you know, get off your button, do this, do that. What is the, what do people need to pay attention to that's super urgent that you would implore on them? What would you, what would your advice be once you start that one? >>One of the things that I would actually say is, you know, we can code really cool things. We can do really cool things, but one of the most important things that he and I do as part of our processes before we go to the machine and code, the really cool things. We sometimes just step back and talk for a half an hour talk for an hour of, Hey, what are you thinking about? Hey, what is a thing that you know or what are we reading? What and what are we? And you know, formulating a plan because instead of just jumping into it, if you formulate a plan, then you can come up with you know, better things and augmented and implemented versus a smash and grab on the other side of just, all right, here's the thing, let's let's dump it in there. So you're saying is just for you jump in the data pool and start swimming around, take a step back, collaborate with your peers or get some kind of a game thinking plan. >>We spent a lot of hours, white boarding, but I would to to add to that, it's augment that we spent a lot of time reading the scientific research that's being done by a lot of the teams that are out solving these types of problems. And sometimes they come back and say, Hey, we tried this solution and it didn't work. But you can learn from those failures just like you can learn from the successes. So I recommend getting out and reading. There's a ton of literature in that space around cyber. So always be moving. Always be learning. Always be collaborating. Yeah, it's moving training guys, thanks for the insights Epic session here. Thanks for coming on and sharing your knowledge on the cube, the cube. We're already one big data source here for you. All the knowledge here at.com our seventh year, their 10th year is the cubes coverage. I'm John furry with back after this short break.

>> Announcer: Live from Las Vegas, it's theCUBE. Covering AWS re:Invent 2017. Presented by AWS, Intel, and our ecosystem of partners. >> Hello and welcome to day three of exclusive CUBE coverage here at Las Vegas for live coverage of AWS re:Invent 2017. This is theCUBE's fifth year covering AWS re:Invent, and what a transformation it's been. Rocket ship growth. They got the tiger by the tail Full speed ahead. They're not looking in the rearview mirror. This is the mojo of Amazon Web Services. They're kicking ass and taking names, as we say here in theCUBE. But really, they're changing the game. A lot of game changing announcements, architectural rehab for engineering. Reimagining the future is really what they want, and they're trying to be everything to everyone. And, of course, that's always hard to do. I'm John Furrier with Stu Miniman on our kick off of day three. Breaking down Werner Vogel's keynote as well as kind of a review of what's been going on for the past few days. There is a lot of signal here. There's almost a noise around the signal meaning there is so much good content that it's really hard to get a hold of Stu. Great to kick it off day three. Rested. Didn't go out late last night. Went to bed by 10. I know you stayed out to three in the morning, but... >> Hoping my voice can hold out for another day in Vegas. John, good to see you, and I'm really excited. 3,951 announcements since the first re:Invent. We're going to go through every one of them. No, no, no. Werner Vogel. It was interesting because he's like, Oh, we've been told ahead of time, it's not going to be announcement heavy. Of course, there's some really awesome announcements. I hate we sound like fanboys sometimes, but you know, Alexa for business, the serverless marketplace. Some really good segments from Netflix, they were just talking about iRobot. Somebody who I had on theCUBE earlier this year. But Werner really kind of stepping back. Some people are like, what is this, a kinda computer science 101? But no, here's how you architect the future. Here's how Amazon's going to fit everything from how voice is going to be a major interface to a theme that I've really liked we've been covering for a number of years. The digital future is not robots taking over the world, but how do I take people and technology, put them together to really create that explosive future? 'Cause even the things like machine learning, the things that I've been talking to the people who are really in this environment is how are we going to train the people that are gonna put these things together? It's not just something that runs off by itself. >> And we had Sanjay Poonen who is the CEO, COO of VM Ware. Not CEO, that's Pat Gelsinger. But he kind of pointed out something that I wanna bring up here, which is Andy Jassy and the team at Amazon are highly competent, and they're executing. But, Stu, they're not just executing on the technical prowess, they're kicking ass on the technology. Certainly, I want to have a longer conversation with you about that. But they're really hitting some real high notes on societal change. So, if you look at what Amazon enables both at the startup level and the business transformation, even in the public sector with Teresa Carlson, who we'll have on later, they're enabling a new way to reimagine how to solve problems that never could be solved before. Two, they're kind of on the right vectors, and it's causing some competitive ripples. Just today in the news, you can see stories out there in the Wall Street Journal and other places where Apple is part of Stamford University to solve heart disease with the iWatch. Google's folding nest back into the hardware division as pressure because their playbook's not working because Amazon's kicking their ass on Alexa and you got Siri. So, Google's fumbling on that point. They're trying to figure it out. So, you're seeing the forces start to line up in this new era of competing on value, competing on software, competing on community and open source. Amazon has the right formula. If they keep this up, Microsoft and Google will not be able to catch them. And that is so obvious. So, until Amazon makes a misfire, which they have not yet, they experiment, but their solid track record, we're gonna call it as we see it. But calling balls and strikes right now on the cloud game, there is not even a close second place. >> Yes, so John, I've been searching for a word. We used to talk about a platform that you built or the marketplace or the ecosystem that we have around here. Amazon is enabling new things. The new AWS marketplace enabling anyone really to go in there, really could do for cloud and technology what Amazon.com helped do for retail and business. You know, I say, look, not every single one of the features that Amazon had is leaps and bounds ahead of what a Google or Microsoft has. I know you've done lots of reporting on the machine learning and everything happening, even Facebook and the like, going in there. But Amazon absolutely is in a class by itself and it's still, in our fifth year coming here, they impress and they continue to keep us-- >> Stu, let's dissect the competition. Let's lay it all out. To me, the top three are no doubt Amazon and then, way distance second place, Microsoft, and then, third on technology and then kind of, clustered like a bunch of Nascar clusters all trying to figure out what to do, is Oracle, IBM, and everybody else. >> Hold on, you didn't mention Google. You didn't mention Alibaba. >> I mean, sorry, Google would be third, Alibaba would be fourth. But their US presence, they're number four by sheer China volume, but Amazon's business in China's growing. They just cut a deal with China so we're gonna see that play out, we'll see. But Alibaba is a force to be reckoned with, as well as Tencent and Baidu and all those other platforms. But here's the deal, you can't be a pure play anymore. Look at Google, the search engine business, they're milking that cow dry, but the thing is that the business is shifting. So, I think Google, of all the competitors, probably has the best chance to accelerate because I think innovation has to be at the heart of that accelerated leadership position. Two, culture. The culture of solving not just tech problems, Stu. And this is where Amazon, no one's really unpacked this, is that if you look at Intel, for instance, they always have great tech, and they always do good things. Amazon is kind of doing the same thing. They're solving societal problems, but they're kicking ass on the business front. Google has that DNA. It's just not organized into the machinery. >> Yeah, I mean, John, we know Google has amazing technology, really good talent. We think Google spanner, oh my God, that's amazing. The thing we say is there's things that Google comes out with, and it's like, Wow, this is really cool. I really need to think about a while how can I do it. As opposed to most of the announcements you hear. In the sessions, people are like, Oh my God, I can't believe Amazon did this. I can immediately take this. I can change the way I'm doing something. I can increase my Codility. I can make my, how I just do my entire business different, better. >> Yeah, and so, Stu, I bring up the Alibaba comment. I wanna bring that back in because one of the things that Amazon's doing that Alibaba is kinda copying, I won't say copying, but emulating, is this notion of craftsmanship. If you look at the past 10 years the programmer culture, the Y Combinator, the Agile, lean, start-up kind of mindset, you look at a loss in craft in software development. Software development used to be a craft. You build software. We had to keep alumni benched from Apple, I talked about, you build a shrink-wrapped product, you ship it, you QA it, you ship it, but you don't know it's going to run. But in the Agile, you're shipping, you're shipping, and shipping, it kind of takes the craft and the artisan out of it. Yeah, US could be cool. But I think now you're going to start to see a swing-back, and whoever, whichever cloud can bring that artisan kind of craft, and blend the open source kind of community model, to me, will be the winning formula. Because that will change the game on these new use cases, the new user expectations, the new user experiences. >> And John, that's exactly what Werner was talking about in his keynote, is this is how we're architecting into the future, you know, everybody needs to be thinking about security. One of the critiques I saw is like, oh, well, you need to think about, you know, everything up and down the stack. It's like, you know, everybody needs to be the unicorn full-stack developer, you know, understand security, be on top of serverless, do all this, well, look, that's asking a lot as to, you know, not everybody's going to be able to do everything. Amazon might be everything is everything, but, you know, we need to be able to understand, you know, how do we take the vast majority of enterprises out there and move them along? I love, Keith Townsend and I did an interview with Chris Wolf from VMware, here at the show, and Keith said, you know, VMware used to move, you know, the speed of the CIO. Amazon's moving way faster than the CIO, you know, how do we help the enterprises move faster, and it's tough. I've talked, every customer I talk to is -- >> Well, we heard, we heard, we heard Intel saying they're moving faster than Intel. So, I mean, Intel has to get in these reference architectures, so, with FPGNAs and these new technologies, they have to accelerate and keep pace. But I think the Werner Vogels keynote here is kind of historic, and you brought this up before we came on, was that he was not going to do a lot of announcements. Although he did launch Alexa for business, and the Lambda Service is all in on that area, he kind of did a throwback to five years ago, or six years ago when he did his first keynote here, when he talked about the new architecture and reimagining it. But he took a modern version of what he was talking about then, and I think that highlights the Amazon greatness, but also their challenge. The one thing I'd be critical of Amazon is, well, two things, one is, I mentioned yesterday, Andy Jassy shouldn't be putting Gardener slides in a new guard presentation, because they're old guard. But that's one thing. What they're doing with the sales motion, it's hard. They have to convince customers and show them the new way. So what Werner painted the picture of is this is how we're thinking. This is how you should be thinking with customers. You have to reimagine what was traditional architecture, and think about it in a completely different way, which will change ultimately software methodologies, the life cycle of Agile, and hopefully bring in some, you know, value-oriented craftsmanship and artisan. >> Yeah, John, you know, this reminds me of many of the waves that we've seen throughout our careers. The customers, when they get in this ecosystem and they really start using it, they get religion. And, you know, number one advice I hear from a lot of the companies I talk to say, talking to your peers, what would you say? Say, get on it faster, and really just dive in. It's like, yeah, yeah, you start with one application. But get off the old stuff as fast as you can. Get on this, because there's, when you have access to all of these services, it just transforms your business. You can get, you know, these changes in these services, into more pieces of the organization, you know, John, we haven't brought up, you know, does IT matter? What's the role of IT in this versus the business lines and the developers? IT radically changing. Amazon looking to change that model. >> They are. I mean, there's no doubt. This show is kind of the final exclamation point on the fact that not only was it a collision course, it has absolutely happened. IT and Amazon have come together in a massive collision, and there's going to be carnage, too. There's going to be people, Lying on the side of the road. >> So, question for you. I've heard there's some people that like, this is the industry's biggest infrastructure show. And I'm an infrastructure guy by background, but I take, I don't think, this is not an infrastructure show. This is, you know, really about business. You know, absolutely, there's technology. Somebody I love, they said, you know, CES, this is now EES. This is the enterprise version of what's happening in technology. >> Well, I mean, we're going to have Teresa Carlson on. It's, you know, it's all digital, right, I mean, it's a digital culture, because their public sector business is booming. It's not just the enterprise. They nailed the start-up. They nailed the ElastiCLOUD, check. Tom Siebel pointed it out yesterday. And what they're nailing now with IT is they're becoming the lever, the catalyst for IT transformation at price points and functionality never seen before, and it's mind-boggling. Google's gotta re-organize, because they can't compete with Alexa. Alright, so things of that nature. So then you have the public sector, your government, and then global, regional, China, Europe, huge issues. So they're winning. And to me, this is a huge new thing. And why rant on the Gardener slide that Jessy puts up is, Amazon is the new guard, and they're putting up old guard metrics. So Stu, this is not an infrastructure as a service magic quadrant, so, the question we share, is what are the new guard metrics? My opinion, no one's developed it yet. So how would you define a modern metric for who's winning and who's losing? Because if you say number of customers, Oracle has a lot of customers, IBM's got a lot of customers. >> So John, Amazon's leading the vanguard in helping customers through digital transformation. I don't know how to measure that yet, but absolutely they're the ones that are doing this. It's not a product-centric. It's about the mindset and how we build things. I've really loved this week talking about, you know, how real is serverless? And like, well, really, Lambda's getting embedded everywhere. It's not about, you know, a product, and oh, hey, you're only going to pay for it by the microsecond, and it's 90% cheaper, no, no, no. It's about the triggers and the APIs and just integrating into the way I can build things faster, you know, yes, I can really get benefit out of microservices. That serverless application repository that Werner talked about, I mean, it's, we got really excited when we got for containers, like the Docker Hub, we had in virtualization, we had the same way, we could get kind of standard images out there. Serverless application repository's going to do the same thing for serverless. You know, is there a lock-in from AWS Lambda, how much is there going to be standards that come in? The CNCF next week is going to be digging into those. >> Is there a cost reduction? Or is it a cost increase? These are questions. >> Yeah. >> Alright, so final question for you. I know we've gotta move on to our full day here, but Stu, you, you know, you study it, you do the hallway conversations, you're at all the influencer events, how do you connect the dots between Andy Jassy's keynote and Werner's, where is the dots connecting? What is jumping out at you? Obviously Lambda, but what are the highlights, from your perspective, that you see just jumping out that Amazon's connecting and trying to present? >> Yeah, so, we always used to say it was like, you know, okay, is day one developer and day two enterprise? We're starting to see those lines blur. As the enterprise, we are still early in kind of the massive adoption there, but that's where it's coming together. There's, you know, lots of excitement, but, you know, as we talked about the continuum, now we had bare metal, we have instances, we have containers, we have serverless. And the enterprise is starting throughout that. I know there's a Sumo Logic report you've been quoting, and we've been-- >> And it came on yesterday. >> Absolutely. So good data there. New Relic had some good reports digging into this. So the wave, change is happening faster than ever. And, you know, Amazon is the lead horse driving this change throughout the industry. >> And don't forget Intel. Intel's just minding their business just watching all these compute requests come in. I mean, as more compute comes out, Intel just is a rising tide, and you know, they're a big boat in the harbor there. >> Absolutely. >> Alright, I'm John Furrier and Stu Miniman breaking down day three of theCUBE, day three here we've actually started on Sunday night at midnight. A lot of great action, a lot of great analysis, of course, check out our new Twitch channel, so, twitch.tv/siliconangle, twitch.tv/thecube, two new channels, or one rebooted channel, one new channel. And of course thecube.net. We're on Ustream, we're on YouTube. But check out our Twitch and join our community if you're a gamer. Back with more live coverage here, live in Las Vegas, for AWS re:Invent after the short break.