Siddhartha Dadana, FINRA & Gary Mikula, FINRA | Splunk .conf18
>> Live from Orlando, Florida, it's theCUBE, covering .conf18. Brought to you by Splunk.
>> We're back in Orlando, everybody, at Splunk .conf18, #splunkconf18. I'm Dave Vellante with my co-host Stu Miniman. You're watching theCUBE, the leader in live tech coverage. We like to go out to the events. We want to extract the signal from the noise. We've been documenting the ascendancy of Splunk for the last seven years, how Splunk really starts in IT operations and security, and now we hear today Splunk has aspirations to go into the line of business, but speaking of security, Gary Mikula is here. He's a senior director of cyber and information security at FINRA, and he's joined by Siddhartha "Sid" Dadana, who's the director of information security engineering at FINRA. Gentlemen, welcome back to theCUBE, Gary, and Sid, first-timer, welcome on theCUBE. So, I want to start with FINRA. Why don't you explain, I mean, I think many people know what FINRA is, but explain what you guys do and, sort of, the importance of your mission.
>> Sure, our main aspiration is to protect investors, and we do that in two ways. We actually monitor the brokers and dealers that do trades for people, but more importantly, and what precipitated our move to the Cloud was the enormous amount of data that we have to pull in daily. Every transaction on almost every US stock market has to be surveilled to ensure that people are acting properly, and we do that at the petabyte scale, and doing that with your own hardware became untenable, and so the ability to have elastic processing in the Cloud became very attractive.
>> How much data are we talking about here? Is there any way you can, sort of, quantify that for us, or give us a mental picture?
>> Yeah, so the example I use is, if you took every transaction that Visa has on a normal day, every Facebook like, every Facebook update, and if you took every Twitter tweet, you added them all together, you multiplied it by 20, you would still not reach our peak on our peak day.
>> (laughs) Hence, Splunk. And we'll talk about that but, Sid, what's your role, you got to architect all this stuff, the data pipeline, what do you...
>> So, my role is basically to work with the webs teams, application teams to basically integrate security in the processes, how they roll out applications, how they look at data, how they use the same data that security uses for them to be able to leverage it for the webs and all the performances.
>> So, your mission is to make sure security's not an afterthought, it's not a bolt-on, it's a fundamental part of the development process, so it's not thrown over the fence, "Hey, secure this application." It's built in, is that right?
>> Yes.
>> Okay. Gary, I wonder if you could talk about how security has changed over the last several years. You hear a lot that, well, all the spending historically has been on keeping the bad guys out at the perimeter. As the perimeter disappears, things change, and the emphasis changes. Certainly, data is a bigger factor, analytics have come into play. From your perspective, what is the big change or the big changes in security?
>> So, it's an interesting question. So I've been through several paradigm changes, and I don't think any one has been as big as the move to the Cloud, and... The Cloud offers so much opportunity from a cost perspective, from a processing perspective, but it also brings with it certain security concerns. And we're able to use tools like Splunk to be able to do surveillance on our AWS environments in order to give us the confidence to be able to use those services up there. And so, we now are actually looking at how we're going to secure individual AWS services before we use them, rather than looking to bring stovepipe solutions in, we're looking to leverage our AWS relationship to be able to leverage what they've built out of the box.
>> Yeah, people oftentimes, Stu, talk about Cloud security like it's some binary thing. "Oh, I don't want to go to the Cloud, because Cloud is dangerous" or "Cloud security is better". It's not that simple, is it? I mean, maybe the infrastructure. In fact, we heard the CIA, Stu and I were in D.C. in December, we heard the CIO of the CIA say, "The Cloud, its worst day is better than my client-server from a security perspective." But he's really talking about the infrastructure. There's so much more to security, right?
>> Absolutely, and, so I agree that the Cloud gives the opportunity to be better than you are on-prem. I think the way FINRA's rolled out, we've shown that we are more secure in the Cloud than we have been on traditional data centers, and it's because of our ability to actually monitor our whole AWS environment. Everything is API-based. We know exactly what everybody's doing. There's no shadow IT anymore, and those are all big positives.
>> Yeah, I'm wondering how you've, what KPIs you look at when you look at your Splunk environment. What we hear from Splunk, you know, it's scalability, cost, performance, and then that management, the monitoring of the environment. How are they doing? How does that make your job easier?
>> So, I think we still look at the same KPIs that Splunk advertises all the time, but some of the reasons, from our perspective, we kind of look at it in terms of, how much value can we give it to not just one part of the company, but how can we make it a much more enhanceable part for everyone in the organization. So, the more we do that, I think that makes it a much better ROI for any organization to use a product like this one.
>> You guys talk about the "shift left" movement. What is "shift left" and what is the relevance to security?
>> Yeah so, "shift left" is a concept where, instead of looking at security as a bolt-on, or an add-on, or a separate entity, we're looking to leverage what are traditional DevOps tools, what are traditional SDLC pipeline roles, and we're looking at how we integrate security into that, and we use Splunk to be able to integrate collection of data into our CI/CD pipelines, and it's all hands-off. So, somebody hits a button to deploy a new VPC in AWS, automatically things are monitored and into our enterprise search, I'm sorry, Enterprise Security SIEM, and automatically being monitored. There's no hands-on that needs to be done.
>> So, on a scale of one to five, thinking of a maturity model in terms of, in a DevOps context, five being, you know, the gold standard and one being you're just getting started. Where would you put FINRA on that spectrum, I mean, just subjectively?
>> So, I'll never say that we're a five because I think there's always,
>> You're never done.
>> You're never done and there's always room for improvement, but I think we're at least a strong four. We've embraced those concepts, and we've put them into action.
>> And so, I thought so, and I want to ask you from a skill standpoint how you got there. So, you've been around a long time. You had a Dev team and an Ops team before the term DevOps even came around, right? And we talk about this a lot, Stu. What did you do with the Ops guys and the Dev guys? Is it OpsDev or DevOps? Did you retrain them? Did you fire them all and hire new people? How did you go through that transition?
>> Yep, that's a fair thing. I went to my CISO John Brady a couple of years ago and I told him that we were going to need to get these new skill sets in, and that I thought I had the right person in Sid to be able to head that up, and we brought in some new talent, but we also retrained the existing talent because these were really bright people, and they still had the security skills. And what Sid's been able to do is to embrace that and create a working relationship with the traditional DevOps teams so that we can integrate into their tools.
>> So, it does include a little bit of work even on our end to do, where you kind of learn how the DevOps forces work, so you've got to do it on your own to first figure out things and then you can actually relate to the problems which they will go through and then you work through problems with them, rather than you designing up a solution and then just saying, "Hey, go and implement it out." So, I think that kind of relationship has helped us and in the long run, we hope to do a bit better work.
>> Yes, Sid, can you bring us in a little bit, when you look at your Splunk deployment, FINRA's got a lot of applications, how do you get all those various applications in there? You know, Splunk talks about, you can get access to your data your way, do you find that to be the reality?
>> Yes, to a certain extent, so... Let's take a step back here. So our design is much more hybrid-oriented. So, we use Splunk Cloud, but that's primarily for our indexers, whereas we host our own sort of class receptor. All the data basically goes in from servers, from AWS components, from on-prem, basically it flows into our Splunk Cloud indexers, and we use role-based access management to actually give everyone access to whatever data they need to be looking at.
>> Alright. The number of enhancements from 702, updates, the Cloud, Gary, is there anything that's jumped out that's going to architecturally help your team?
>> So, I think one of the interesting things is the new data pipeline, and to be able to actually mangle that data before I get it into my Splunk indexers is going to be really, really life-changing for us. One of the hard parts is that developers write code and they don't necessarily create logs that are event-driven. They don't have date-time stamps, they do dumps. So, I'm going to be able to actually massage that before it hits the indexers, and it's going to speed up our ability to be able to provide quick searches because the indexers won't be working on mangling that data.
>> And how big of a deal is it for you? They announced yesterday the ability to scale storage and compute separately in a more granular fashion, is that a big deal for you?
>> So, I actually, I remember speaking to Doug Merritt probably three years ago.
>> You started this! (laughing)
>> And I said, "Doug", I said, "I really think that's the direction that you need to go. You're going to have to separate those two, eventually, because we're doing a petabyte scale, we realized very early that that'd need to be done." And so, it's really, really refreshing to see, because it's going to be transformative to be able to do compute-on-demand after that. Because now we can start looking at API brokers, and we can start looking at containers, and all those other things can be integrated into Splunk.
>> Love having customers on like you guys, so knowledgeable. I have to ask, switch gears a little bit, I want to ask you about your security regime. We had a customer on yesterday, and it was the CISO who reported to him. He was the EVP, and he reported to the CIO. A lot of organizations say, "You know what? We want the CISO to be separate from the CIO. 'Cause it's like the, you know, the fox in the henhouse kind of thing. And we want that a little bit of tension in there." How do you guys approach it? What's the regime you have for...
>> That is a fair question, and I've heard that from many other CISOs that have that same sort of complaint. And I think it's really organization-based. And I think, do you have the checks and balances in place? First of all, our CIO, Steve Randich, is extremely, he cares a lot about security, and he is very good at getting funding for us for initiatives to help secure the environment. But more importantly, our board of directors bring up security at every board event. They care about it, they know about it, and that permeates through the organization. So there are checks and balances to make sure that we have the right security in place. And it's a working relationship, not adversarial at all, so, having our CISO John Brady report to Steve Randich, the CIO, has not been a hindrance.
>> And I think that's a change in the last several years, because that regime that I described, which was, there was sort of a wave there, where that became common, and I think you just hit on it. When security became a board-level issue, and for every Fortune 1000, Global 2000 company, it's a board-level issue. They talk about it every board meeting. When that occurred, I think there was an epiphany of, "We need the CIO to actually be on this." And you want the CIO to be responsible for that. And the change was, it used to be, "Hey, if I fail, I get fired." And I think boards now realize that "failure" in security doesn't mean you got breached.
>> Sure.
>> You know. Breaches are going to happen. It's how you respond to them and, you know, how you react to them that is becoming more important. So there's much more transparency around security in our view. I wonder if you agree with that.
>> I think there's transparency. And the other thing is that you have to put the decision-making where it makes the most sense. Most of the security breaches that we're talking about are highly technical in nature, where a CIO is better able to evaluate some of those decisions, not all companies have a CEO that came from a technology train in order to be able to make those decisions. So, I think it makes more sense to have the CISO report to somebody in the technology world.
>> Great, thank you for that. Now, the other question I have for you is, in terms of FINRA's experience with Splunk, did it start with SecOps and security, or was it, sort of, IT operations, or...?
>> It did, it started with security. We were disenfranchised with traditional SIEMs that were out there, and we decided to go with Splunk, and we made the decision that security was going to own it, but we wanted it to be a corporate asset from day one. And we worked our tails off to integrate, through brown bags, through training. So we permeated through the organization. And, on any given week, we pull about 35-40% of all of technology is using Splunk at FINRA.
>> So, I'm curious as to, we heard some announcements today, I don't know if you saw them, about, you know, Splunk Next, building on that, Splunk for the line of business, the business flow, they did a nice demo there. Do you see, because security sort of was the starting point, and your mission was always to permeate the organization, do you see that continuing to other parts of the organization more aggressively now given this sort of democratization of data for the business lines, and... Will you guys be a part of that, directly?
>> We hope so. We hope we are part of that change, too. I mean, the more we can use the same data for even business users that will help them, that would relieve a lot of, and they made this point again and again in the keynote, too, that, the IT Ops and SecOps are already burdened enough. So, how do we make life easy for business users who actually leverage the same data? So we hope to be able to put these tools up and see if it can make any difference to business users.
>> So, you guys have put a lot of emphasis on integrating with Splunk and AWS Cloud. You have a presentation later on today at .conf18 around the AWS Firehose that you have with Splunk. What's that all about? What's the AWS Firehose? How are you integrating it? Why is it important?
>> So, it is streaming and it allows me to get information from AWS that's typically in something called CloudWatch Logs, that is really difficult to be able to talk to. And I want to get it into Splunk so I can get more value from it. And what I'm able to do is put something called a subscription filter on it, and flow that data directly into Splunk. So, Splunk worked with AWS to create this integration between the two tools, and we think we've taken it to a high level. We use it for Lambda, to grab those logs, we use it for VPC Flow Logs, we're using it for SaaS providers, who provide APIs into their data, we use it for that, and finally, we're going to be doing database activity monitoring, all leveraging this same technology.
>> Love it, I mean, you guys are on the forefront of Cloud and Splunk integration, Cloud adoption, DevOps, you guys have always been great about sharing your knowledge, you know, with others, and we really appreciate you guys coming on theCUBE. Thank you.
>> Thanks for having us.
>> You're welcome. Alright, keep it right there, everybody. Stu and I will be back. You're watching theCUBE from .conf18, Splunk's big user conference. We'll be right back. (electronic music)