Oliver Friedrichs, Splunk | RSAC USA 2020
>>Live from San Francisco, it's theCUBE, covering RSA Conference 2020 San Francisco. Brought to you by SiliconANGLE Media.
>>Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're at the RSA Conference in downtown San Francisco at Moscone. It's the fourth day of the show, 40,000 some odd people here. It's all about security. It's the biggest security show in the world, despite the fact that there were some challenges with the coronavirus this year, and you know, people were kind of wondering how that was going to shake out. There's been a lot of kind of weird stuff going on in the conference scene, but a lot of people got here, a lot of conversations around security, and we're really happy to have a really seasoned vet. He's been through this cycle of security a couple of times; he said he's done four different startups. We're happy to have him: Oliver Friedrichs, the VP of Security Products at Splunk. Good to see you, Oliver.
>>Thank you. Great to be here.
>>Absolutely. So let's take a step back. You've been coming to this show for a little while. What's kind of your impression of the show?
>>Well, it's really interesting this year. You know, I think, I'd say the energy level is somewhat flat, and I think it's a sign of our industry maturing and getting to the point where, you know, you used to see some pretty big disruption every few years, when compute changes, the threats or attack surface moves and the threats change with it. But things have been relatively stable. You know, the cloud is really the biggest, most recent innovation. And so there really hasn't been, I think, any massive disruption in our industry for a little bit, but a lot of just continuous iteration and improvement on existing technologies.
>>Right. There's some big ones coming down the pike though, right? One of the big ones that's going to have a huge impact is 5G and IoT.
Suddenly now, you know, these things, people think 5G can talk to your mom faster on the phone. That's not what it's about at all, right? It's the speed of machines and the speed at which these transactions are going to be happening, not to mention all those connected devices, all those new attack surfaces. Very, very revolutionary. And yet the theme here is the human element. So when you think about the speed of machines and increasing the kind of frequency of bot attacks, this and that, and yet there are still people that have got to be on the hook and responsible for this stuff. How do you think about it, and how do you actually use things like AI to help the people fight the machines?
>>Yeah, I know, it's a really good question. So typically over the years, right, attackers have targeted compute, operating systems, applications, servers, and so on. But we've done a really good job of starting to lock those down, finding those vulnerabilities, patching them, fixing them. You know, it's not a panacea, it hasn't been solved, right? It's an ongoing issue. But attackers have moved on to the weakest link, which is people, right? If I can convince you to send me your bank account information, or that access to your account, and wire money out of your account, right, it's a lot easier than having to find a vulnerability in Microsoft Windows these days, which used to be pretty easy back 20 years ago. They used to be there by the dozens.
>>Right. But now they're getting better on the phishing too, and now spear phishing. Right. I had a friend in commercial real estate who told me about this email that he got, like from his banker, you know, talking about a transaction with a business associate, using vocabulary words that would normally be used in their exchange, to the point where he called the guy and said, did you send this to me?
So you know, the bad English, bad grammar and kind of funky word selection isn't necessarily that red flag that it used to be, that "don't click on here," and we're still getting, you know, this attacking is happening. So how do people get more sophisticated in light of kind of these more sophisticated attacks on the people?
>>Yeah, so I think there's two things. One is, you know, hidden in there, in that type of an attack, is typically wire instructions, right? If I'm buying a house, my escrow company or title company is going to send me wire instructions to send the money for the down payment on that house, for example. You know, that's been a very, very common attack where, you know, title companies may not be the most sophisticated, like many of the organizations that are here today, so they definitely fall victim. So that's definitely a growing problem and a growing attack surface. We also see, you know, the need for new technologies like natural language understanding, actually understanding the context of the data. For example, what's the intent behind it? What's the meaning? Sure, it's not going to be misspelled. But can I find other relevant factors or attributes of that email that point out a red flag or something that I need to be concerned about before I actually click on it or open it or act on it?
>>Right. So the company that you led before Splunk acquired you, Phantom, you talked a lot about them trying to help SOCs do a better job, help them kind of filter what they don't need to respond to, prioritize what they need to respond to, and then respond quicker when they do.
>>That's right.
>>A little bit more about how that works, and what's kind of the impact of having that technology on the front line?
>>Yeah, so five years ago, automation in security really didn't exist.
We created a new category called SOAR: security orchestration, automation and response. And it's a technology that allows you to automate what a SOC analyst would typically do by hand. So typically, you know, if an analyst is looking at an event, it would take them 10 minutes best case, 11 hours worst case, to analyze that and do all the work that they need to do to triage it. By automating, we're able to reduce that down to a best case of one second, worst case of 10 minutes, using automated playbooks. So we're able to get a massive performance improvement by automating, by creating a playbook of those routine things that an analyst would do by hand. And that frees up the analyst to do more proactive, higher order activities, things that actually require human thought, versus the repetitive work, which we're very happy about.
>>And are most of those types of processes that you automated just, you know, kind of checking boxes, if you will, almost like a pre-flight, to make sure that you kind of have the simple things covered? Or, you know, what are some of the activities that you've been able to automate?
>>Yeah, so it's interesting, these platforms have become very flexible and multipurpose. So today we integrate with over 300 different security vendors that are on the showroom floor here today, to let you automate in those products. So the typical large enterprise has maybe 60, 70 security products that they're all managing from a browser tab or a different login. What SOAR platforms do is they tie those together and allow you to manage those products very rapidly in the case of an event. So for example, you know, if I have a phishing email, I can take the attachment, detonate it in a sandbox from any of the sandbox vendors here on the showroom floor,
look it up in my reputation service, like VirusTotal or ReversingLabs, for example, look it up on my EDR product on the endpoint to see, do any of my endpoints actually have this file. And then I could take remediative action and actually block the user, take the endpoint off the network using a NAC product that's here, and so on, or block it on the firewall. So there's many different types of scenarios.
>>It's that whole chain that you just described, potentially, would be something that you build into this playbook and have that happen automatically.
>>Yes.
>>Oh, that's a huge time saver.
>>Huge time saver.
>>So as you look forward, kind of at the power of AI, right? It's good news, bad news, right? Good news: you're going to have a lot more horsepower and computational wizardry at your fingertips. Bad news is the bad guys are also going to have a lot more computational power and wizardry at the end of their fingertips. So how do you, you know, kind of see the battle continuing to play out? Where do you really see great opportunities with this evolving AI to do things that you just couldn't do before?
>>Yeah, look, attackers have been using automation and AI against us for many years now. So we're just starting to catch up and use it effectively to defend ourselves. You know, it'll be very interesting to see where this goes. I don't know if I can predict, but imagine machines fighting machines, just like in real life, in robotics and so on, in real physical kinetic warfare. Imagine the same thing happening in cyber. It is entirely conceivable, but I don't think we're quite there yet. I mean, we obviously see botnets and other automated attacks that are already very rampant, and then automated countermeasures that are there as well. So it'd be very interesting to even have, you know, maybe one year here we'll have, you know, robot wars for cyber and have, you know, technologies battle each other to see who wins.
>>But what's crazy is, as much as the bots are fighting the bots, you know, we have people like Rachel Tobac, who we've had on a couple of times. She does social hacking, and she's basically a hundred percent successful in just calling people on the phone and getting them to provide her the details. So it still is going to keep the people in the loop. We're still going to have to, you know, make sure that they're not the weakest link.
>>Absolutely.
>>Yeah. All right, good. So final thoughts as you head into 2020, the year we're going to know everything with the benefit of hindsight.
>>Well, look, I think one thing we're seeing, there's so many vendors here, things are coming together. Again, our customers are looking to consolidate, they're looking to reduce. And one thing that we're very heavily focused on at Splunk is creating a single work surface for analysts, so they don't have to deal with dozens of different consoles.
>>Right.
>>We're very, very focused on that. Working 70 tabs to work a process is not very efficient.
>>So, ideally, no. All right, Oliver. Well, thanks for taking a few minutes to stop by, and continued success for you and Splunk.
>>Thank you.
>>Alrighty. He's Oliver, I'm Jeff, you're watching theCUBE. We're at RSA 2020 in downtown San Francisco. Thanks for watching. See you next time.
Haiyan Song & Oliver Friedrichs, Splunk | Splunk .conf2019
>>Live from Las Vegas, it's theCUBE, covering Splunk .conf19. Brought to you by Splunk.
>>Hey, welcome back, everyone. It's theCUBE's coverage here in Las Vegas for Splunk .conf19. This is Splunk's 10th year doing .conf, theCUBE's seventh year of coverage. We've watched the progression of the security data market: log files, getting the data exhaust turned into gold nuggets, now the centerpiece of data security, data protection and a variety of other great and important things going on. And we're here with two great guests from Splunk: Haiyan Song, Vice President and General Manager of Security Markets, and Oliver Friedrichs, VP of Security Automation. Guys, great to see you again. We just saw you at re:Inforce. Thanks for coming back.
>>Thank you for having us.
>>So you guys announced the Security Operations Suite last year. Okay, now it's being discussed here. What's the update? What are customers doing? How are they embracing the security piece of it?
>>Wow. Well, it's been a very busy year for us. We really updated the entire suite. More innovation going in. ES 6.0 got announced, and Phantom and UBA, every product is getting some major enhancement for scale. For example, ES now, we have customers running in the cloud at like 15 terabytes, and that's like 3X, and it's like 50 terabytes with search head clusters. So that's one example, and Phantom throughout the year has just lots of capabilities we're adding. Case management was a major theme, and that's actually the release before the current one. So we'll be really, you know, focusing on that. Just to summarize sort of the suite, right: UBA continues to be machine learning driven, and there's a lot of maturity that's going into the product, and there's a lot more scale, and backup and restore was one of the major features, because it's become more mission critical. But what's really, really, really exciting?
It's how we're using a new product called Mission Control to bring everything all together.
>>I want to get into Mission Control because I love that announcement, just love the name, what's behind it. But staying on the suite, when we're talking about it, it's a portfolio. One of the things that's been consistent every year at .conf in our coverage and reporting has been the evolution of a platform, an enabling platform. So as that evolves, do the guiding principles remain the same? How do you guys see it, because now you're shipping it, it's available. It's not just a point product; it's a portfolio and an ecosystem following behind it: the app showcase, developer, security and compliance foundation and platforms, IT ops and AIOps. So you have a variety of things coming out. What's the guiding principle these days as you continue to push the security? Can you share the vision?
>>Guiding principle and vision: it's really, we believe, the world as we digitize more, as everything's happening at machine speed, people really need to go to analytics to bring insights into things and bring data into doing, that's really turning data into doing. So it's the security nerve center vision that continues to guide what we do, and we believe the security nerve center needs data, analytics and operations to come together. And again, I'm going to tell you, Mission Control is one of the first examples that we bring the entire stack together. And you talk about ecosystem: it takes a village, it's a team sport. And I'm so excited to see everybody here. And we've done a lot of integrations as part of the suite to continue to mature: more than 1,900 API integrations, more than 300 apps, just in Phantom alone. That's a lot of automated actions people can take.
>>The response from the people in the hallways and also the interviews have been very positive. I've got to get to Mission Control. Phantom was a huge success.
You're a big part of building and taking that into the world, now part of Splunk. Mission Control, love the name Mission Control. This is the headline, by the way: Splunk Mission Control takes off, supercharging security operations. So I think Mission Control, I think NASA launching rockets, SpaceX, really new innovation. Really big story behind it is unification. Can you share where this came from, what it is, what's in the announcement?
>>Yeah. So this is all about optimizing how SOC analysts actually work. So if you think about it, a SOC typically is made up of literally a dozen different products and technologies that are all different consoles, different vendors, different tabs in your web browser, so for an analyst to do their job they're literally pivoting between all of these consoles. We call it swivel chair syndrome, like you literally are frantically moving between different products. Mission Control ties those together, and we started by tying Splunk's products together. So we allow you to take our SIEM, which is Enterprise Security, our UBA product, Splunk UBA, and Phantom, which is our automation and orchestration platform, our SOAR platform, and manage them and integrate them into one single presentation layer to be able to provide that unified SOC experience for the analyst. So it's an industry first, but it also boosts productivity, letting analysts do their job more effectively to reduce the time it takes. So now you're able to both automate, investigate and detect in one unified presentation layer or work surface.
>>You know, the name evokes, you know, dashboards, NASA. But what that really was wasn't an accumulation, an extraction of data into a surface area where people who were analysts do their job and managed launching rockets. But I want to ask you a question.
Because this all is based on the underpinnings of massive volumes of data, and the old expression, a rising tide floats all boats, also means a rising tide floats more adversaries: ransomware attacks, data attacks are everywhere. But also there's value in that data. So as the data volume grows, this is a big deal. How does Mission Control help me manage to take advantage of that? How do you guys see that playing out?
>>Yes, Mission Control really optimizes the time it takes to resolve an incident, ultimately because you're able to now orient all of your investigation around a single notable event. So it provides an optimal work surface where an analyst can see the event, interrogate it, investigate it, triage it; they can collaborate with others. So if I want to pull you into my investigation, we can use a ChatOps capability, whether it's directly in Mission Control or Slack integration. We can manage a case like you would with a normal case management tool, be able to drive your incident to closure leveraging a case template. So if I want to pull in my crisis communications team, my legal team, my external forensics team, and help them work together as well, case management lets me do that and triage that event. It also does something really powerful. Haiyan mentioned the operations layer, the analytics and the data layer. Mission Control ties together the operational layer, where you and I are doing work, to the data layer underneath. So we're able to now run queries directly from our operational layer into the data layer, like SPL queries, which Splunk is built on, from the cloud, where Mission Control is delivered from, to on-premise Splunk installations. So you could have Mission Control running in the cloud, Splunk running on premise, and you could have multiple Splunk on-premise installs. You could have one in one city, another one in another city, or even another country.
You could have a Splunk instance in the cloud, and Mission Control will connect all of those, tying them together for investigative purposes. So it's very powerful.
>>That's a first, huge, powerful. And this comes back to the new branding, Data-to-Everything, and I see the themes everywhere, the new colors, new brand, congratulations. But it's about things. What are we doing? Stuff, thinking and making things happen. Connecting these layers is not easy, okay? And diverse data is hard to get access to, but diverse data creates great machine learning, AI creates great business value. So we see a flywheel development you guys have got going on here. Can you elaborate on that? Data everywhere, and why this connective tissue that you're talking about is so important? Is it access to the raw data? Is that flywheel happening? How do you see that playing out?
>>I'll start with that, because we're so excited. We're the Data-to-Everything company, and our new tagline is turning data into doing. And this wouldn't be possible without technologies like Phantom coming in, right? We have traditionally been doing really great with enterprise data platforms, and with analytics, and now with Phantom we can turn that into doing. Now with some of the new solutions around data stream processing, now we're able to do a lot of things in real time. And you mentioned the scale, right? Scale changes everything. So for us, I think we're uniquely positioned in this new age of data, and it's exploding. But we have the technology to help you manage it, and it's representing your business. We have the analytics to help you understand the insights, and it's really the one that's going to impact day to day, enabling your business. And we have the engine to help you take actions. That's the exciting part.
>>Is that what this flywheel is? Because diverse data sounds great, makes sense: more data, we see better, the machines can respond, and hopefully there's no blind spots. That creates good AI.
That kind of knows what's in the data, but customers may not have the ability to do that. I think that's where connecting these platforms together is important, because if you guys can bring on the data, it could be ugly data, it could be chunks of data, data, data, data. But it's not always in the form you need. That has always been a challenge in the industry. How do you see that flywheel developing?
>>Yeah, I think one of the challenges is the normalization of the data. How do you normalize it across vendors or devices, you know. So if I have firewalls from Cisco, Palo Alto, Check Point, Juniper, that data is not the same. But a lot of it is firewall block data, for example, that I want to feed into my SIEM or my data platform and analyze. Similarly across endpoint vendors, you know, you have Symantec, McAfee, CrowdStrike, and all of these
>>vendors, so normalization
>>is really key, and normalizing that data effectively so that you can look at the entire environment from a single pane of glass. Essentially, what Splunk does really well is both our schema-on-read ability to be able to query that data without having a schema in place, but then also the normalization of that data is really key. And then it comes down to writing the correlation searches, our analytics stories, to find the attacks in that data next, right. And that's where we provide ES content updates, for example, that provide out-of-the-box examples on how to look for threats in that data.
>>So I'm going to get you guys' reaction to some observations that we've made on theCUBE. In the spirit of our CUBE observability, we talked to people, CEOs, CISOs, about how they do cloud security, from collecting logs and workloads, tracking cloud apps and on-premise infrastructure. And we ask them, who's protecting this? Who is your go-to security vendor?
It was interesting because cloud was in there, cloud is number one, if it's cloud or not number one, but they used to clearly rely on tools in the cloud. But then, when asked on premise, who's the number one? Splunk clearly comes up in pretty much every conversation. Granted, not a scientific survey, it's more handpicked. But that means Splunk is essentially the number one provider with customers in terms of managing those workloads, logs across apps. But the cloud is now a new equation, because now you've got Amazon, Azure and Google all upping their game on cloud security. You guys partner with them. So how do you guys see that? How do you talk to customers? Because with an enabling platform, you guys are offering, you're enabling applications. Clouds have apps, okay. So how do you guys tell that story with customers? You're number one right now. How do you thread that needle into this explosive data in the cloud, data on premise? What's the story?
>>So I wish you were part of our security super session. We actually spent a lot of energy talking about how the cloud is shifting the paradigm of how software gets built, deployed and consumed, how security needs to really sort of rethink where we start, right? We need to shift left. We need to make sure that, I think you used the word observability, right? You've got to start from there. That's why as a company we bought, you know, SignalFx and all the others. So the story for us is start from our ability to work with all the partners. You know, they're all great partners of ours, AWS and GCP and Microsoft, in many ways, because the ecosystem for cloud is important. We're taking cloud data. We're building cloud security models. Actually, our research team just released that today. Check that out, and we'll be working with customers and building more and more use cases. We also spend a lot of time with our
CISO customer advisory council, which just happened yesterday, talking about how they would like us to help them, and part of that they were super, super excited. The other part is we didn't understand how complicated this is. So I think the story has to start in the cloudy world. You've got to do security by design. You've got to think about automation, because automation is everywhere, how deployment happens. I think we really sit in a very interesting intersection of that: we bring the cloud and on-prem together.
>>The CISOs, I want to get cameras in that room. I'm sure they don't want any cameras in the CISO room. Oliver, taking that to the next level: complexity is not necessarily a bad thing, because software can abstract away complexity. From the history of the computer industry, that's where innovation can happen, taking away complexity. How do you see that? Because cloud is a benefit, it shouldn't be a hindrance. So you guys are right in the middle of this big wave. What's your take on all this?
>>Yeah. Look, I think cloud is inevitable. I would say all of our customers, in some form or another, are moving to the cloud, so our goal is to not only deliver solutions from the cloud, but to protect them when they're in the cloud. So being able to work with cloud data source types, whether it's Azure, AWS, GCP and so on, is essential across our entire portfolio, whether it's Enterprise Security but also Phantom. You know, one exciting announcement that we made today is we're open sourcing 300 Phantom apps and making them available with the Apache 2 license on GitHub, so you'll be able to take integrations for cloud services, like many AWS services, for example, extend them, share them in the community, and it allows our customers to leverage that ecosystem to be able to benefit from each other.
So cloud is something that we work with not only from detection, getting data in, but then also taking action on the cloud to be able to protect yourself. Whether it's, you know, I want to suspend an Amazon instance, right, to be able to stop it when it's infected, for example, right, those are... it's finishing that whole OODA loop and the investigate, monitor, analyze, act cycle for the cloud as we do with on-prem.
>>I think you guys are in a really good position, again, since 2013. But I think my adjustment today would be, talking to Andy Jassy, CEO of AWS, he and I always talk all the time around a question he gets every year: is Amazon going to kill the ecosystem? Everyone's afraid of Amazon. He says, John, no, we rely on third parties. Our ecosystem is super important. And I think as on-premises and hybrid cloud become so critical, and certainly the IoT equation with industrial, it really puts you guys in a good position. So I think Amazon would agree: having a third party, if you want to call it that, I mean, a supplier is a critical linchpin today that needs to be scalable,
>>and we need an ecosystem for security. You know, one of the things I shared is it's really an asymmetric warfare with the adversary. You talk about AI and machine learning; data at the end of the day is the oxygen for really powering that arms race. And for us, if we don't collaborate as an ecosystem, we're not going to have the upper hand, because the other side, as I always say, there's no regulations, there's no lawyers, they can share, they can do whatever. So I think, as a call to action for our industry, we've got to work together. We've got to really sort of share and advance our industry together.
>>Congratulations on all the new shipping, general availability of ES 6.0. Phantom continues to be a great success. You guys on the open source got apps out there, you've got Mission Control. Guys, keep on evolving the Splunk platform. You've got the apps showcase here. Good stuff.
>>Beginning of a new day. Excited.
>>We're riding the waves together with Splunk. Been there from day one, actually 30 years in, but their 10th year of .conf, our seventh year covering Splunk. I'm John Furrier. Thanks for watching. We'll be back with more live coverage. Three days of CUBE coverage here in Las Vegas. We'll be right back.
Haiyan Song, Splunk & Oliver Friedrichs, Splunk | AWS re:Inforce 2019
>> Live from Boston, Massachusetts. It's theCube. Covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners.
>> Hello everyone. Welcome back to the live Cube coverage here in Boston, Massachusetts for AWS, Amazon Web Services re:Inforce with their inaugural conference around security, I'm (mumbles). We've got two great guests, from Splunk, Cube alumni, and also, we do the Cube coverage at .conf, their annual conference, Haiyan Song, SVP, General Manager Security Market, Oliver Friedrichs, Vice President of Security Products, formerly with a company you sold to Splunk, doing security, Phantom, which was mentioned in the partner summit, so congratulations. Great to see you guys.
>> Thank you.
>> Thank you for having us.
>> So you guys are a really great example of a company that's been constantly innovating, on top of AWS, as a partner, differentiating, continuing to do business, and been successful. All the talk about Amazon could compete with partners, there's always been that myth. You guys have been operating successfully, got great customers on AWS, now you have the security conference, so now it's like a whole new party for you guys. 'Cause you don't go off to re:Invent anymore, certainly, the big event, what do you guys think about all this re:Inforce focus?
>> First of all, I'm just super impressed. The size, the scale, and the engagement from the ecosystem that they have over here, and I think, you know you mentioned we've been really partnering and being successful. I think the secret is really about, just be very customer-focused. It's about what the customer needs, it's not what does each of us need, and when we have that focus, we know how to partner, we know how to engage. One of the examples that we have here is we're partnering up as the capture the flag exercise and it's powered by Splunk, it's put up by AWS re:Inforce, and we wanted to bring the best user engagement, gamification of learning to this audience.
>> And there's a demand for a security conference because a new breed, a new generation of engineering and enterprises as they move to DevOps, with security, all those same principles now apply, but the stakes are higher because you got to share data, you got to get the data, it's the data-driven problem. You guys are thinking outside-- I think four years ago at .conf, the cyber security focus front and center, mainstream.
>> Very much so. And I think for us, security is a big part of our user conference, too. But we're getting inspirations from this event and how we can further, really amplify that message for our customers. But we're just so glad we're part of this, thank you for having us.
>> We're glad, big love covering you, big success story. Oliver, I want to get to you on the Phantom. Yesterday it was mentioned in a great demo of the Security Hub, Security Hub's the big news here, it's one of their major announcements, what is a Security Hub?
>> Yeah, so Security Hub, and you're right it was just announced that it reached general availability, which means it's available now to the rest of the world. It's a place to centralize a lot of your security management in AWS. So when you have detections, or Amazon calls them findings, coming from other security services so they're centralized in Security Hub, where you can then inspect them, take action, investigate them. And one of the reasons we're here, is we've established an integration with Security Hub, where you can now take a finding coming from Security Hub, pull it into Splunk Phantom, and run an automation playbook to be able to, at machine speed, take action on a threat. So typically, you know if you're a human, you're looking at an event, and you're deciding what do I do, well I might want to go and suspend an AMI or go and move that AMI or change the access control group to a different access control group so that AMI can only communicate with a certain protected network if it's infected.
Automation lets you do that instantaneously, so if you have an attacker who unfortunately may have gained control of your AMI, this allows you to react immediately, very very quickly to take action in that environment.
>> And this is where the holes are in the network, and it's administrative errors and (mumbles) sittin' out there that someone just configured, now they're like, they could be out there, no one knows.
>> Exactly.
>> Could be just tired, I didn't configure it properly. But you guys were in the demos, I want to get your reaction to that, because I was sittin' in the room, they highlighted Phantom in the demo.
>> That's right.
>> And so that was super important. Talk about that integration. What's actually going on under the covers there.
>> Yeah, so at a basic level, we're pulling findings through the Security Hub API, into the automation platform. And then at that point, a playbook kicks off. And a playbook is basically, think of it as a big if this/then that statement. You see a threat, and you go and take a number of actions. You might go and block a port, you might go and suspend that AMI, you might go and disable a user, but you basically build that logic up based on a known threat, and you decide, here's what I'm going to do when I see this threat, and I'm going to turn that into a codified playbook that you can then run very rapidly. On the back end, we've had to integrate with a dozen other APIs like EC2, S3, GuardDuty and others to be able to take action in the environment as well to remediate threats, like changing the access control list or group on a resource. So it's closing that end-to-end loop.
>> Hold on, Dave, one quick question on that followup. Then the CISO came in from Capital One and was off the record with this comment, was not really a sensitive comment, but I want to highlight it and get both of your reactions to this.
He says in terms of workforce and talent, mentality, 'cause the question came up about talent and whatnot, he sees a shift from better detection to better alerts, because of some of the demos, and implying, kind of connecting the dots, that the trend is to automate the threat detections the way you guys had demoed with Phantom, and then he was tying it back to, from a resource perspective, it frees his team up to do other things. This is a real trend. You agree with that statement?
>> Absolutely.
>> What's your thoughts?
>> Honestly, we believe that we can be automating up to 90% of the level one analysts. There's a lot of routine rote work that's done today in the SOC, and it's unforgiving, nobody wants to be a Tier One analyst, they all want to get promoted or go somewhere else, because it's literally a rat race.
>> It's boring and it's repetitive, you just automate it.
>> Who wants to do that, so we can automate that, we can free up about 50% of the analysts' time to actually focus on proactive activities, things that actually matter, like hunting, research and other development, writing counter-measures, versus the continually keeping up and drinking from a fire hose.
>> So I wonder if we could talk about how Splunk has evolved. You guys started before cloud, which came in 2006 and then really took off later, before the sort of big data craze, and you guys mopped up in big data. You never really used that term in your marketing, but you kind of became the big data leader de facto, you got an IPO with actually relatively, by today's comparisons, small raises,
>> Compared to today, yeah, yeah (laughs).
>> Incredibly successful story, very capital-efficient. But then the cloud comes in, you mopped up on prem, how would you describe how the cloud has changed your strategy, obviously you go out and acquire companies heavily focused on automation, but how would you describe your cloud strategy and how has that changed Splunk?
>> That's a great question.
I think the fact that you have so many people here, just tells you that the whole industry is going through this transformation. Not only the digital transformation, the cloud transformation. And I'm glad you mentioned our root, it's all about big data, and nowadays security, in many ways, is actually more about data than anything else. 'Cause the data represents your business, and you protect your data, how do you leverage the data, represents your security strategy. The evolution for us, when you zero that into cloud is, we have really been a very early adopter of cloud, we've been providing cloud services for our customers from the very beginning, at least six years ago when we introduced a product called Storm and we continued to evolve that as the technology evolved, we evolved that with customers. So nowadays you probably know cloud is one of our fastest-growing segments of our business. The technology team has been really innovating, really really fast. How do we take a technology that we built for on-prem, how do we rebuild it to be cloud-native, to be elastic, to be secure in the new way of DevOps. Those are some of the super exciting things we're doing as a company, and on the security side we're also, how do we help customers secure a hybrid world? 'Cause we truly believe the world's going to stay hybrid for a long long time and we have companies like AWS really sort of pioneering and focusing and doing things great for the cloud, we still have a lot of customers who need companies and technologies and solutions like what Splunk brings in to bridge the world.
>> I want to get you guys' thoughts on some comments we've had with some CISOs in the past, and I really can't say the names probably, but one of them, she was very adamant around integration. And now when you're dealing with an ecosystem, integration's been a big part of the conversation, and the quote was, on integration, "have APIs and don't have it suck."
And we evaluate people's integration based upon the qualities of their APIs. Implying that APIs are an integration point. You guys have a lot of experience with APIs, your thoughts on this importance of integration and the roles that APIs play, because that's, again, feeds automation, again it's a key, central component of the conversations these days. Integration, your reaction to that.
>> So, maybe I'll start. I'd say we would not have had the success of Phantom Cyber or the SOAR market, if not for having those APIs. 'Cause automation was not a new concept. It's been tried and probably not succeeded for many times, and the reason that we've been experiencing this great adoption and success with Phantom technology is because of the availability of APIs. I think the other thing I would just add, I'm sure he has a lot of experience in working that, Splunk has always positioned ourselves as we want to be the neutral party, to bring everything together. And nowadays we're so glad we're doin' the integration, not only on the data side, which is still important. Bring the data, bring the dark data and shining a light on top of that, but also turning that into action through this type of API integration.
>> So good investment, betting on integration years ago.
>> Absolutely.
>> Early on.
>> We also changed our culture. We previously said how many apps we have in our Splunkbase. Now with Oliver being part of the team, Phantom being part of the portfolio, we say how many apps and how many APIs we had to integrate. That's a change of metrics.
>> All right, Oliver. It's up to you now. I'm sure you know I know where you stand on this, APIs being, a renaissance of APIs going to the next level, 'cause a lot of new things goin' on with Kubernetes and other things. You've got State now, you got Stateless, which is classic REST APIs, but now you got State data that's going to play a big role.
Your thoughts on that, don't make the APIs suck, and we're going to evaluate vendors based upon how good their API is.
>> Yeah, I think, look it's a buying decision today. It's a procurement decision whether or not you have open APIs. I think buyers are forcing us as an industry, as vendors, to have APIs that don't suck. We're highly motivated to have APIs that work well.
>> That sounds like a t-shirt ready to come out (laughs)
>> That's a great idea.
>> The Cube API's coming, by the way.
>> What does that mean, to have APIs that don't suck?
>> So the, a great definition I heard recently was, the API that you use as a vendor to interface with your product should be the same API that customers can use to interface with your product. And if all of a sudden they're different, and you're offering a lesser API to customers, that's when they start sucking. As long as you're eating your own dog food, I think that's a good definition.
>> So it's not neutered, it's as robust, and as granular.
>> Exactly, exactly. And I think what, 20 years ago there were no APIs in security. To do what we do today, to automate all of these security response techniques that we do today, it wasn't even possible. We had to get to a certain level of API availability to even get to this stage. And today, again, unless, if you're a black box, people aren't going to buy your product anymore.
>> Yeah, so, again, go the next level is visibility's another topic. So if you open the APIs up, the data's gettin' better, so therefore you can automate the level one alert, threat detections, move people up to better alerting, better creativity, then begs the question, at what point does the visibility increase? What has to happen in the industry to have that total shared environment around data sharing, because open APIs implies sharing of data. Where visibility could be benefited greatly.
>> Yeah, I think visibility is really the key.
You can't measure what you can't, you can't manage what you can't measure, and you can't, you have to see everything in your environment, your assets, users, devices, and all of your data. So visibility is essential. And it comes in a number of forms. One is getting access to your policy data, your configuration data, seeing how are my things configured? What assets do I have? Where are my S3 buckets? How many AMIs do I have? Who owns them? How many accounts do I have? I think that was one of the challenges before, probably the last three to four years, before that period, enterprises were setting up a lot of these shadow cloud environments, 'cause you could buy Amazon with your credit card, essentially. So that was one of the problems that we would see in the enterprise, when a developer would go and create their own Amazon environment. So getting visibility into that has really been a big advancement in the last few years. Finding those things.
>> The birth of multi-cloud. Go ahead John.
>> Doesn't make it easier.
>> We were talking earlier in our intro, Dave and I, on the keynote analysis around you can configure it, you can secure it, and then we were riffing on the DevOps movement, which essentially decimated the configuration management landscape. Which was at that time a provisioning issue around developers. They'd have to essentially stand up and manage the network, and go and make sure the ports are all there, and they got load balancers in place, and that was a developer's job. Infrastructure as code took that away. That was a major bottom, hierarchical needs, that was the lowest need. Now with security, if DevOps can take away the configuration management and infrastructure as code, it's time for security to take away a lot of the configuration or security provisioning, if you will. So the question is, what are some of those security provisioning, heavy lifting, tasks that are going to be taken away when developers don't have to worry about security?
So as this continues with cloud native, it becomes security native. As a developer, and I don't want to get in and start configuring stuff. I want the security team to magically, security as code, as Dave said. Where are we on that? What's your guys' thoughts on getting to that point? Is it coming soon? Is it here now? What are some of those provisioning tasks that are going to be automated away?
>> I think we made a lot of progress in that area already. The ability to simply configure your environment, that Amazon has continued to add layers of check boxes and compliance that allow you to configure the environment far more seamlessly than having to go down into the granular access control list and defining a granular access control policy on your network ports or AMIs, for example. So I think the simplification of that has improved pretty dramatically. And even some of the announcements today in terms of adding more capabilities to do that. Encryption by default. I don't have to go configure my encryption on my data at rest. It's there. And I don't even have to think about it. So if someone steals a physical hard drive, which is very difficult to begin with, out of an Amazon data center, my data's encrypted, and nobody can get access to that. I don't even have to worry about that. So that's one of the benefits that I think the cloud adds, is there's a lot of default security built in that ends up normalizing security and actually making the cloud far more secure than traditional corporate environments and data centers.
>> Well I still think you have to opt in, though. Isn't that what I heard?
>> Opt in, yes. I would just add to that, I think it's like a rising tide. So the cloud is making a lot of the infrastructure side more secure, more native, and then that means we need to pay more attention to the upper level applications and APIs, and identities, and access controls. I think the security team continues to have a lot of jobs.
Even yesterday they said well, not only we need to do what we need to do to secure the AWS, we also now get involved in every decision, all the other compa-- you know, like functions are doing, taking new sort of SaaS services. So I guess the message is the security professional continues to have jobs, and your job's going to be more and more sophisticated, but more and more relevant to the business, so that I think is the change.
>> So question. Oliver, you described what a good API experience is, from a customer perspective, Haiyan, you talked about hybrid. Can you compare the on prem experience with the cloud experience for your customers and how are they coming together?
>> You want me to try that first?
>> Sure.
>> Okay. So, I think a lot of the things that people have learned to protect or defend, or do detection response in the on prem world, is still very relevant in the cloud world. It's just the cloud world, I think it's just now really transforming to become more DevOps-centric. How you should design security from the get-go, versus in the on prem world was more okay, let's try to figure out how to monitor this thing, because we didn't really give a lot of thought to security at the very beginning. So I think that is probably the biggest sort of mentality or paradigm shift, but on the other hand, people don't go and just flip into one side versus the other, and they still need to have a way of connecting what's happening in the current world, the current business, the one that's bringing home the bacon, to the new world that's going to bring home the bacon in the future. So they're both really important for them. And I think having a technology as AWS and their whole ecosystem, that all embracing that hybrid world and ecosystem play, no one sort of single vendor going to do all of them, and pick the right solutions to do what you do.
So in security, I think it's, you going to continue to evolve, to become more, when the security's built in, what is the rising tide that's going to dictate what the rest of the security vendors do. You cannot just think as 10 years ago, five years ago, even two years ago.
>> So that bolt-on mentality in the first decade of the millennium was a boon for Splunk. It was beautiful. 'Cause we got to figure out what happened, and you provided the data to show that. How does Splunk differentiate from all the guys that are saying "oh yeah, Splunk, they're on prem, we're the cloud guys." What's your story there?
>> Our story is you can't really sort of secure something if you don't have experience yourself. Splunk Cloud is probably one of the top, say 10 customers of AWS. We live in the cloud, we experience the cloud, we use the word drink, you know, like eat our own dog food, we like to say we drink our own champagne, if you will, so that's really driving a lot of our technology development and understanding the market and really built that into our data platform, build that into our monitoring capabilities, and build that into the new technologies. How, you know, it's all about streaming, it's not about just somebody sending you information. It's about, in a hybrid world, how do you do it in a way that you, we have a term called the distributed data fabric search, because data is never going to be in one place, or even sort of in one cloud. How do we enable that access so you can get value? From a security perspective, how do we integrate with companies and solutions that's so native into the cloud, so you have the visibility not as the bolt-on, but from the very beginning.
>> So you're saying that cloud is not magic for a software company, it's commitment and it's a cultural mindset.
>> Absolutely.
>> Guys, thanks so much for comin' on, great to see you, we'll see you at .conf, the Cube will be there this year again, I think for the seventh straight year.
Oliver, congratulations on your product success, and the mention as part of the AWS Security Hub presentation.
>> Thank you.
>> Good stuff from Splunk. Splunk is inside the Cube, explaining, extracting the signal from the noise, from one of the market-leading companies in the data business, now cyber security, I'm with (mumbles), we'll be back with more Cube coverage after this short break. (techno music)