
Search Results for Haiyan Song:

Haiyan Song & Dan Woods, F5 | AWS re:Invent 2022


 

>> Hello friends and welcome back to Fabulous Las Vegas, Nevada. We are here at AWS re:Invent in the heat of day three. Very exciting time. My name is Savannah Peterson, joined with John Furrier here on theCUBE. John, what's your, what's your big hot take from the day? Just from today.

>> So right now the velocity of content is continuing to flow on theCUBE. Thank you, everyone, for watching. The security conversations. Also, the cost tuning of the cloud kind of vibe is going on. You're hearing that with the looming recession, but if you look at the show it's the bulk of the keynote time spent talking is on data and security together. So Security, Security Lake, Amazon, they continue to talk about security. This next segment's going to be awesome. We have a multi-, eight-time CUBE alumni coming back and great conversation about security. I'm looking forward to this.

>> Alumni VIP, I know, it's so great. Actually, both of these guests have been on theCUBE before so please welcome Dan and Haiyan. Thank you both for being here from F5. How's the show going? You're both smiling and we're midway through day three. Good?

>> It's so exciting to be here with you all and it's a great show.

>> Awesome. Dan, you having a good time too?

>> It's wearing me out. I'm having a great time. (laughter)

>> It's okay to be honest. It's okay to be honest. It's wearing out our vocal cords for sure up here, but it is definitely a great time. Haiyan, can you tell me a little bit about F5 just in case the audience isn't familiar?

>> Sure, so F5 we specialize in application delivery and security. So our mission is to deliver secure and optimize any applications, any APIs, anywhere.

>> I can imagine you have a few customers in the house.

>> Absolutely.

>> Yeah, that's awesome. So in terms of a problem that, well an annoyance that we've all had, bots. We all want the anti-bots. You have a unique solution to this. How are you helping AWS customers with bots? Let's send it to you.

>> Well we, we collect client side signals from all devices. We might study how it does floating point math or how it renders emojis. We analyze those signals and we can make a real time determination if the traffic is from a bot or not. And if it's from a bot, we could take mitigating action. And if it's not, we just forward it on to origin. So client side signals are really important. And then the second aspect of bot protection I think is understanding that bots retool. They become more sophisticated.

>> Savannah: They learn.

>> They learn.

>> They unfortunately learn as well.

>> Exactly, yeah. So you have to have a second stage, what we call retrospective analysis, where you're looking over all the historical transactions, looking for anything that may have been missed by a real time defense and then updating that stage one, that real time defense, to deal with the newly discovered threat.

>> Let's take a step back for a second. I want to just set the table in the context for the bot conversation. Bots, automation, that's, people know like spam bots but Amazon has seen the bot networks develop. Can you scope the magnitude and the size of the problem of bots? What is the problem? And give a size of what this magnitude of this is.

>> Sure, one thing that's important to realize is not all bots are bad. Okay? Some bots are good and you want to identify the automation from those bots and allowlist it so you don't interfere with what they're doing.

>> I can imagine that's actually tricky.

>> It is, it is. Absolutely. Yeah.

>> Savannah: Nuanced.

>> Yeah, but the bad bots, these are the ones that are attempting credential stuffing attacks, right? They're trying username password pairs against login forms. And because of consumer habits to reuse usernames and passwords, they end up taking over a lot of accounts. But those are the bookends. There are all sorts of types of bots in between those two bookends. Some are just nuisance, like limited time offer bots.
You saw some of this in the news recently with Ticketmaster.

>> That's a spicy story.

>> Yeah, it really is. And it's the bots that is causing that problem. They use automation to buy all these concert tickets or sneakers or you know, any limited time offer project. And then they resell those on the secondary market. And we've done analysis on some of these groups and they're making millions of dollars. It isn't something they're making like 1200 bucks on.

>> I know Amazon doesn't like to talk about this but the cloud for its double edged sword that it is for all the greatness of the agility spinning up resources bots have been taking advantage of that same capability to hide, change, morph. You've seen The Matrix when the bots attacked the ship. They come out of nowhere. But Amazon actually has seen the bot problem for a long time, has been working on it. Talk about that kind of evolution of how this problem's being solved. What's Amazon doing about, how do you guys help out?

>> Yeah, well we have this CloudFront connector that allows all Amazon CloudFront customers to be able to leverage this technology very, very quickly. So what historically was available only to like, you know the Fortune 500 at most of the Global 2000 is now available to all AWS customers who are using CloudFront just by really you can explain how do they turn it on in CloudFront?

>> Yeah. So I mean CloudFront technologies like that is so essential to delivering the digital experience. So what we do is we do an integration natively. And so if you're CloudFront customers and you can just use our bot defense solution by turning on, you know, that traffic. So go through our API inspection, go through our bot inspection and you can benefit from all the other efficiencies that we acquired through serving the highest and the top institutions in the world.

>> So just to get this clarification, this is a super important point. You said it's native to the service. I don't have to bolt it on?
Is it part of the customer experience?

>> Yeah, we basically built the integration. So if you're already a CloudFront customer and you have the ability to turn on our bot solutions without having to do the integration yourself.

>> Flick a switch and it's on.

>> Haiyan: Totally.

>> Pretty much.

>> Haiyan: Yeah.

>> That's how I want to get rid of all the spam in my life. We've talked a lot about the easy button. I would also like the anti-spam button if we're

>> Haiyan: 100%

>> Well we were talking before you came on camera that there's a potentially a solution you can sit charge. There are techniques.

>> Yeah. Yeah. We were talking about the spam emails and I thought they just charge, you know 10th of a penny for every sent email. It wouldn't affect me very much.

>> What's the, are people on that? You guys are on this but I mean this is never going to stop. We're going to see the underbelly of the web, the dark web continue to do it. People are harvesting past with the dark web using bots that go in test challenge credentials. I mean, it's just happening. It's never going to stop. What's, is it going to be that cat and mouse game? Are we going to see solutions? What's the, when are we going to get some

>> Well it's certainly not a cat and mouse game for F5 customers because we win that battle every time. But for enterprises who are still battling the bots as a DIY project, then yes, it's just going to be a cat and mouse. They're continuing to block by IP, you know, by rate limiting.

>> Right, which is so early 2000's.

>> Exactly.

>> If we're being honest.

>> Exactly. And the attackers, by the way, the attackers are now coming from hundreds of thousands or even millions of IP addresses and some IPs are using one time.

>> Yeah, I mean it seems like such an easy problem to circumnavigate. And still be able to get in.

>> What are I, I, let's stick here for a second.
What are some of the other trends that you're seeing in how people are defending if they're not using you or just in general?

>> Yeah, maybe I'll add to that. You know, when we think about the bot problem we also sort of zoom out and say, Hey, bot is only one part of the problem when you think about the entire digital experience the customer experiencing, right? So at F5 we actually took a more holistic sort of way to say, well it's about protecting the apps and applications and the APIs that's powering all of those. And we're thinking not only the applications APIs we're thinking the infrastructure that those API workloads are running. So one of the things we're sharing since we acquired Threat Stack, we have been busy doing integrations with our distributed cloud services and we're excited. In a couple weeks you will hear announcement of the integrated solution for our application infrastructure protection. So that's just another thing.

>> On that Threat Stack, does that help with that data story too? Because it's a compliance aspect as well.

>> Yeah, it helps with the telemetries, collecting more telemetries, the data story but is also think about applications and APIs. You can only be as secure as the infrastructure you're running on it, right? So the infrastructure protection is a key part of application security. And the other dimension is not only we can help with the credential stuffing and, and things but it's actually thinking about the customer's top line. Because at the end of the day when all this inventory are being siphoned out the customer won't be happy. So how do we make sure their loyal customers have the right experience so that can improve their top line and not just sort of preventing the bots. So there's a lot of mission that we're on.

>> Yeah, that surprise and delight in addition to that protection.

>> 100%

>> If I could talk about the evolution of an engagement with F5.
We first go online, deploy the client side signals I described and take care of all the bad bots. Okay. Mitigate them. Allow list all the good bots, now you're just left with human traffic. We have other client side signals that'll identify the bad humans among the good humans and you could deal with them. And then we have additional client side signals that allow us to do silent continuous authentication of your good customers extending their sessions so they don't have to endure the friction of logging in over and over and over.

>> Explain that last one again because I think that was, that's, I didn't catch that.

>> Yeah. So right now we require a customer to enter in their username and password before we believe it's them. But we had a customer who a lot of their customers were struggling to log in. So we did analysis and we realized that our client side signals, you know of all those that are struggling to log in, we're confident like 40% of 'em are known good customers based on some of these signals. Like they're doing floating point math the way they always have. They're rendering emojis the way they always have, all these client side signals are the same. So why force that customer to log in again?

>> Oh yeah. And that's such a frustrating user experience.

>> So true.

>> I actually had that thought earlier today. How many time, how much of my life am I going to spend typing my email address? Just that in itself. Then I could crawl back under the covers but

>> With the biometric Mac, I forget my passwords.

>> Or how about solving CAPTCHAs? How fun is that?

>> How many pictures have a bus?

>> I got one wrong the other day because I had to pick all the street signs. I got it wrong and I called a Russian human click farm and figured out why was I getting it wrong? And they said

>> I love that you went down this rabbit hole deeply.

>> You know why that's not a street sign. That's a road sign, they told me.

>> That's the secret backdoor.

>> Oh well yeah.

>> Talk about your background because you have fascinating background coming from law enforcement and you're in this kind of role.

>> He could probably tell us about our background.

>> They expunge those records. I'm only kidding.

>> 25, 30 years in working in local, state and federal law enforcement and intelligence among those an FBI agent and a CIA cyber operations officer. And most people are drawn to that because it's interesting

>> Three letter agencies can get an eyebrow raise.

>> But I'll be honest, my early, early in my career I was a beat cop and that changed my life. That really did, that taught me the importance of an education, taught me the criminal mindset. So yeah, people are drawn to the FBI and CIA background, but I really value the

>> So you had a good observation eye for kind of what, how this all builds out.

>> It all kind of adds up, you know, constantly fighting the bad guys, whether they're humans, bots, a security threat from a foreign nation.

>> Well learning their mindset and learning what motivates them, what their objectives are. It is really important.

>> Reading the signals

>> You don't mind slipping into the mind of a criminal. It's a union rule.

>> Right? It actually is.

>> You got to put your foot and your hands in and walk through their shoes as they say.

>> That's right.

>> The bot networks though, I want to get into, is not it sounds like it's off the cuff but they're highly organized networks.

>> Dan: They are.

>> Talk about the aspect of the franchises or these bots behind them, how they're financed, how they use the money that they make or ransomware, how they collect, what's the enterprise look like?

>> Unfortunately, a lot of the nodes on a botnet are now just innocent victim computers using their home computers. They can subscribe to a service and agree to let their CPU be used while they're not using it in exchange for a free VPN service, say.
So now bad actors not, aren't just coming from you know, you know, rogue cloud providers who accept Bitcoin as payment, they're actually coming from residential IPs, which is making it even more difficult for the security teams to identify. It's one thing when it's coming from-

>> It's spooky. I'm just sitting here kind of creeped out too. It's these unknown hosts, right? It's like being a carrier.

>> You have good traffic coming from it during the day.

>> Right, it appears normal.

>> And then malicious traffic coming from it.

>> Nefarious.

>> My last question is your relationship with Amazon. I'll see security center piece of this re:Invent. It's always been day zero as they say but really it's the security data lake. A lot of gaps are being filled in the products. You kind of see that kind of filling out. Talk about the relationship with F5 and AWS. How you guys are working together, what's the status?

>> We've been long-term partners and the latest release the connector for CloudFront is just one of the joint work that we did together and try to, I think, to Dan's point, how do we make those technology that was built for the very sophisticated big institutions to be available for all the CloudFront customers? So that's really what's exciting. And we also leverage a lot of the technology. You talked about the data and our entire solution are very data driven, as you know, is automation. If you don't use data, you don't use analytics, you don't use AI, it's hard to really sort of win that war. So a lot of our stuff, it's very data driven

>> And the benefit to customers is what? Access?

>> The customer's access, the customer's top line. We talked about, you know, like how we're really bringing better experiences at the end of the day. F5's mission is try to bring a better digital world to life.

>> And it's also collaborative. We've had a lot of different stories here on on the set about companies collaborating.
You're obviously collaborating and I also love that we're increasing access, not just narrowing this focus for the larger companies at scale already, but making sure that these companies starting out, a lot of the founders probably milling around on the floor right now can prevent this and ensure that user experience for their customers throughout the course of their product development. I think it's awesome. So we have a new tradition here on theCUBE at re:Invent, and since you're alumni, I feel like you're maybe going to be a little bit better at this than some of the rookies. Not that rookies can't be great, but you're veterans. So I feel strong about this. We are looking for your 30-second Instagram reel hot take. Think of it like your sizzle of thought leadership from the show this year. So eventually eight more visits from now we can compile them into a great little highlight reel of all of your sound bites over the evolution of time. Who wants to give us their hot take first?

>> Dan?

>> Yeah, sure.

>> Savannah: You've been elected, I mean you are an agent. A former special agent

>> I guess I want everybody to know the bot problem is much worse than they think it is. We go in line and we see 98, 99% of all login traffic is from malicious bots. And so it is not a DIY project.

>> 98 to 99%? That means only 1% of traffic is actually legitimate?

>> That's right.

>> Holy moly.

>> I just want to make sure that everybody heard you say that.

>> That's right. And it's very common. Didn't happen once or twice. It's happened a lot of times. And when it's not 99 it's 60 or it's 58, it's high.

>> And that's costing a lot too.

>> Yes, it is. And it's not just in fraud, but think about charges that

>> Savannah: I think of cloud service providers

>> Cost associated with transactions, you know, fraud tools

>> Savannah: All of it.

>> Yes. SIEMs, all those things. There's a lot of costs associated with that much automation.
So the client side signals and multi-stage defense is what you need to deal with it. It's not a DIY project.

>> Bots are not DIY. How would you like to add to that?

>> It's so hard to add to that but I would say cybersecurity is a team sport and is a very data driven solution and we really need to sort of team up together and share intelligence, share, you know, all the things we know so we can be better at this. It's not a DIY project. We need to work together.

>> Fantastic, Dan, Haiyan, so great to have you both back on theCUBE. We look forward to seeing you again for our next segment and I hope that the two of you have really beautiful rest of your show. Thank you all for tuning into a fantastic afternoon of coverage here from AWS re:Invent. We are live from Las Vegas, Nevada and don't worry we have more programming coming up for you later today with John Furrier. I'm Savannah Peterson. This is theCUBE, the leader in high tech coverage.

Published Date : Dec 1 2022


Dan Woods & Haiyan Song, F5 | AWS re:Inforce 2022


 

>> You want us to

>> Look at that camera? Okay. We're back in Boston, everybody. This is Dave Vellante for theCUBE, the leader in enterprise tech coverage. This is re:Inforce 2022, AWS's big security conference. We're here in Boston, the convention center where theCUBE started in 2010. Haiyan Song is here. She's head of security and distributed cloud services at F5. And she's joined by Dan Woods, who's the global head of intelligence at F5. Great to see you again. Thanks for coming in theCUBE, Dan, first time I believe. Yeah. Happy to be here. All right. Good to see you guys. How's the, how's the event going for y'all?

>> It's been just fascinating to see all those, uh, new players coming in and taking security in a very holistic way. Uh, very encouraged.

>> Yeah. Boston in, in July is, is good. A lot of, a lot of action to Seaport. When I was a kid, there was nothing here, couple mob restaurants and that's about it. And, uh, now it's just like a booming,

>> I'm just happy to see people in, in person. Finally, is

>> This your first event since? Uh, maybe my second or third. Third. Okay,

>> Great. Since everything opened up and I tell you, I am done with

>> Zoom. Yeah. I mean, it's very clear. People want to get back face to face. It's a whole different dynamic. I think, you know, the digital piece will continue as a complement, but nothing beats belly to belly, as I like absolutely say. All right. Haiyan, let's start with you. So you guys do a, uh, security report every year. I think this is your eighth year, the app security report. Yeah. Um, I think you, you noted in this report, the growing complexity of apps and integrations, what did you, what are, what were your big takeaways this year?

>> And so, like you said, this is our eighth year and we interview and talk to about 1500 of like companies and IT decision makers. One of the things that's so prevalent coming out of the survey is complexity that they have to deal with, continue to increase.
It's still one of the biggest headaches for all the security professionals and IT professionals. And that's explainable in a way, if you look at how much digital transformation has happened in the last two years, right? It's an explosion of apps and APIs. That's powering all our digital way of working, uh, in the last two years. So it's certainly natural to, to see the complexity has doubled and tripled and, and we need to do something about it.

>> And the number of tools keeps growing. The number of players keeps growing. I mean, so many really interesting, you know, they're really not startups anymore, but well funded new entrants into the marketplace. Were there any big surprises to you? You know, you're a security practitioner, you know, this space really well, anything jump out like, whoa, that surprised

>> Me. Yeah. It's been an interesting discussion when we look at the results, right. You know, some of us would say, gosh, this is such a big surprise. How come people still, you know, willing to turn off security for the benefits of performance. And, and, and as a security professional, I will reflect on that. I said, it's a surprise, or is it just a mandate for all of us in security, we got to do better. And because security shouldn't be the one that prevents or add friction to what the business wants to do, right? So it's a surprise because we, how can, after all the breaches and, and then security incidents, people are still, you know, the three quarters of the, uh, interviewees said, well, you know, if we were given a choice, we'll turn off security for performance. And I think that's a call to action for all of us in security. How do we make security done in a way that's frictionless? And they don't have to worry about it. They don't have to do a trade off. And I think that's one of the things, you know, Dan in working our entire anti automation, uh, solution one is to protect. And the other thing is to enable.

>> Yeah.
You think about Dan, the, I always say the, the adversary is extremely capable. The ROI of cyber tech just keeps getting better and better. And your jobs really is to, to, to lower the ROI, right. It decrease the value, increase the cost, but you're, I mean, phishing continues to be prevalent. You're seeing relatively new technique island hopping, self forming malware. I mean, it's just mind boggling, but, but how are you seeing, you know, the attack change? You know, what, what's the adversary do differently over the last, you know, several years maybe pre and post pandemic, we've got a different attack surface. What are you seeing?

>> Well, we're seeing a lot higher volume attacks, a lot higher volume and velocity. Mm-hmm, (affirmative) it isn't uncommon at all for us to go in line and deploy our client side signals and see, uh, the upper 90%, um, is automated, unwanted automation hitting the application. Uh, so the fact that the security teams continue to underestimate the size of the problem. That is something I see. Every time we go in into an enterprise that they underestimate the size of the problem, largely because they're relying on, on capabilities like CAPTCHAs, or maybe they're relying on 2FA and while 2FA is a very important role in security. It doesn't stop automated attacks and CAPTCHA certainly doesn't stop automated

>> Attacks. So, okay. So you said 90% now, as high as 90% are, are automated up from where maybe dial back to give us a, a marker as to where it used to be.

>> Well, less than 1% is typically what all of our customers across the F5 network enjoy less than 1% of all traffic hitting origin is unwanted, but when we first go online, it is upper 90, we've seen 99% of all traffic being unwanted

>> Automation. But Dan, if I dial back to say 2015, was it at that? Was it that high? That, that was automated

>> Back then? Or, you know, I, I don't know if it was that high then cuz stuffing was just, you know, starting to kind of take off. Right? No.
Right. Um, but as credential stuffing became better and better known among the criminal elements, that's when it really took off explain the pays you're right. Crime pays

>> Now. Yeah. It's unfortunate, but it's true. Yeah. Explain the CAPTCHA thing. Cause sometimes as a user, like it's impossible to do the CAPTCHA, you know, it's like a twister. Yeah.

>> I

>> Got that one wrong it's and I presume it's because CAPTCHA can be solved by, by bots.

>> Well, actually the bots use an API into a human click farming. So they're humans to sit around, solving CAPTCHAs all day long. I actually became a human CAPTCHA solver for a short time just to see what the experience was like. And they put me to the training, teaching me how to solve CAPTCHAs more effectively, which was fascinating, cuz I needed that training frankly. And then they tested to make sure I solve CAPTCHAs quickly enough. And then I had solved maybe 30 or 40 CAPTCHAs and I hadn't earned one penny US yet. So this is how bots are getting around CAPTCHAs. They just have human solve them.

>> Oh, okay. Now we hear a lot at this event, you gotta turn on multifactor authentication and obviously you don't want to use just SMS based MFA, but Dan you're saying not good enough. Why explain

>> That? Well, most implementations of 2FA is, you know, you enter in username and password and if you enter in the correct username and password, you get a text message and you enter in the code. Um, if you enter in the incorrect username and password, you're not sent the code. So the, the purpose of a credential stuffing attack is to verify whether the credentials are correct. That's the purpose. And so if it's a 2FA protected log in, I've done that.
Admittedly, I haven't taken over the account yet, but now that I have a list of known good credentials, I could partner with somebody on the dark web who specializes in defeating 2FA through social engineering or port outs or SIM swaps, SS7 compromises, insiders at telcos, lots of different ways to get at the, uh, 2FA text message.

>> So, wow, (laugh), this is really interesting, scary discussion. So what's the answer to, to that problem. How, how F5 approach

>> It. Haiyan touched on it. We, we want to improve security without introducing a lot of friction. And the solution is collecting client side signals. You interrogate the users, interactions, the browser, the device, the network, the environment, and you find things that are unique that can't be spoofed like how it does floating point math or how it renders emojis. Uh, this way you're able to increase security without imposing friction on, on the customer. And honestly, if I have to ever have to solve another CAPTCHA again, I, I, I just, my blood is boiling over CAPTCHA. I wish everyone would rip it out

>> As a user. I, I second that request I had, um, technology got us into this problem. Can technology help us get out of the problem?

>> It has to. Um, I, I think, uh, when you think about the world that is powering all the digital experiences and there's two things that comes to mind that apps and APIs are at the center of them. And in order to solve the problem, we need to really zero in where, you know, the epicenter of the, the, uh, attack can be and, and had the max amount of impact. Right? So that's part of the reason from a F5 perspective, we think of application and API security together with the multitier defense with, you know, DDoS to bots, to the simple bots, to the most sophisticated ones. And it has to be a continuum. You don't just say, Hey, I'm gonna solve this problem in this silo. You have to really think about app and APIs.
Think about the infrastructure, think about, you know, we're here at AWS and cloud native solutions and API services is all over. You can't just say, I only worry about one cloud. You cannot say, I only worry about VMs. You really need to think of the entire app stack. And that's part of the reason when we build our portfolio, there is web application firewall, there's API security, there's bot solution. And we added, you know, application infrastructure protection coming from our acquisition for Threat Stack. They're actually based in Boston. Uh, so it's, it's really important to think holistically of telemetry visibility, so you can make better decisions for detection response.

>> So leads me to a number of questions first. The first I wanna stay within the AWS silo for a minute. Yeah. Yeah. What do you, what's the relationship with AWS? How will you, uh, integrating, uh, partnering with AWS? Let's start there.

>> Yeah, so we work with AWS really closely. Uh, a lot of our solutions actually runs on the AWS platform, uh, for part of our shape services. It's it's, uh, using AWS capabilities and Threat Stack is purely running on AWS. We just, uh, actually had integration, maybe I'm pre announcing something, uh, with, uh, the CloudFront, with our bot solutions. So we can be adding another layer of protection for customers who are using CloudFront as the w on AWS.

>> Okay. So, um, you integrate, you worry about a APIs, AWS APIs and primitives, but you have business on prem, you have business, other cloud providers. How do you simplify those disparities for your customers? Do you kind of abstract all that complexity away what's F5's philosophy with regard then and creating that continuous experience across the states irrespective of physical

>> Location? Yeah, I think you're spot on in terms of, we have to abstract the complexity away.
The technology complexity is not gonna go away because there's always gonna be new things coming in, the world become more disaggregated and they're gonna be best-of-breed solutions coming out. And I think it's our job to say, how do we think about policies for web application? And, you know, you're on-prem, you're in AWS, you're in another cloud, you're in your private data center and we can certainly abstract out the policies, the rules, and to make sure it's easier for a customer to say, I want this particular use case and they push a button. It goes to all the properties, whether it's their own edge or their own data center, and whether it's using AWS, you know, CloudFront as you using or web. So that is part of our adapt. Uh, we call it adaptive application. Vision is to think delivery, think security, think optimizing the entire experience together using data. You know, I come from, uh, a company that was very much around data can power so many things. And we believe in that too. >> We use a, we use a term called super cloud, which, which implies a layer that floats above the hyperscale infrastructure, hides the underlying complexity of the primitives, adds value on top and creates a continuous experience across clouds, maybe out to the edge, even someday on prem. Is that, does that sound like, it sounds like that's your strategy and approach and you know, where are you today? And that is that, is that technically feasible today? Is it, is it a journey? Maybe you could describe that. >> Yeah. So, uh, in my title, right, you talked about a security and distributed cloud services and the distributed cloud services came from a really important acquisition we did last year and it's about, uh, is called Volterra. What they brought to F5 is the ability not only having lot of the SaaS capabilities and delivery capabilities was a very strong infrastructure. 
They also kept have capability like multi-cloud networking and, you know, people can really just take our solution and say, I don't have to go learn about all the, like I think using super cloud. Yeah, yeah. Is exactly that concept is we'll do all the hard work behind the scenes. You just need to decide what application, what user experience and we'll take care of the rest. So that solutions already in the market. And of course, there's always more things we can do, collect more telemetry and integrate with more solutions. So there's more insertion point and customer can have their own choice of whatever other security solution they want to put on top of that. But we already provide, you know, the entire service around web application and API services and bot solution is a big piece of that. >> So I could look at analytics across those clouds and on-prem, and actually you don't have to go to four different stove pipes to find them, is that right? >> Yeah. And I think you'd be surprised on what you would see. Like you, you know, typically you're gonna see large amounts of unwanted automation hitting your applications. Um, it's, I, I think the reason so many security teams are, are underestimating the size of the problem is because these attacks are coming from tens of thousands, hundreds of thousands, even millions of IP addresses. So, you know, for years, security teams have been blocking by IP and it's forced the attackers to become highly, highly distributed. So the security teams will typically identify the attack coming from the top hundred or 1500 noisiest IPs, but they missed the long tail of tens of thousands, hundreds of thousands of IPs that are only used one or two times, because, you know, over time we forced the attackers to do this. >> They're scaling. >> Yeah, they are. And, and they're coming from residential IPs now, uh, not just hosting IPs, they're coming from everywhere. >> And, and wow. 
I mean, I, we know that the pandemic changed the way that organization, they had to think more about network security, rethinking network security, obviously end point, cloud security. But it sounds like the attackers as well, not only did they exploit that exposure, but yeah, yeah. They were working from home and then <laugh> >> The human click farms, they're now distributed. They're all working from home. >> Now we could take advantage of that. >> When I was solving CAPTCHAs, you could do it on your cell phone just by walking around, solving CAPTCHAs for money. >> Wow. Scary world. But we live in, thank you for helping making it a little bit safer, guys. Really appreciate you coming on theCUBE. >> We'll continue to work on that. And our motto is bring a better digital world to life. That's what we can set out to do. >> I love it. All right. Great having you guys. Thank you. And thank you for watching. Keep it right there. This is Dave Vellante from re:Inforce 2022. You're watching theCUBE, right back after this short break.

Published Date : Jul 27 2022


Haiyan Song & Oliver Friedrichs, Splunk | Splunk .conf2019


 

>> Live from Las Vegas, it's theCUBE, covering Splunk .conf19. Brought to you by Splunk. >> Hey, welcome back, everyone. It's theCUBE's coverage here in Las Vegas for Splunk .conf19. This is Splunk's 10th year doing .conf, theCUBE's seventh year of coverage. We've watched the progression of the security data market, log files. Getting the data, data exhaust turned into gold nuggets, now is the centerpiece of data security, data protection and a variety of other great things and important things going on. And we're here with two great guests from Splunk: Haiyan Song, vice president and general manager of security markets, and Oliver Friedrichs, VP of security automation. Guys, great to see you again. We just saw you at AWS re:Inforce. Thanks for coming back. >> Thank you for having us. >> So you guys announced Security Operations Suite last year. Okay, now it's being discussed here. What's the update? What are customers doing? How are they embracing the security piece of it? >> Wow. Well, it's been a very busy year for us. We really updated the entire suite. More innovation going in. ES 6.0 got announced, and Phantom and UBA, every product is getting some major enhancement for concealing scale. For example, years now we have customers running in the cloud like 15 terabytes, and that's like three X and from It's like 50 terabytes 50 with search head clusters. So that's one example, and Phantom throughout the year is just lots of capabilities we're adding. Case management was a major theme, and that's actually the release before the current one. So we'll be, really, you know, 80 and focusing on that just to summarize sort of the suite, right. UBA continues to be machine learning driven, and there's a lot of maturity that's, that's going into the product, and there's a lot of more scale, and backup, restore was like one of the major features, because become more mission critical. But what's really, really, really exciting? 
It's how we're using a new product called Mission Control to bring everything all together. >> I want to get into the Mission Control because I love that announcement. Just love the name, what's behind it, but staying on the suite, when they're talking about it's a portfolio. One of the things that's been consistent every year at .conf of our coverage and reporting has been the evolution of a platform, an enabling platform. So as that evolves, do the guiding principles remain the same? How you guys sing because now you're shipping it. It's available. It's not just a point product, it's a portfolio and an ecosystem falling behind it. You know the app showcase, developer, Security and Compliance Foundation and platforms on Just IT ops and AIOps are having. So you have a variety of things coming out of for what's the guiding principle these days is continuing to push the security. You share the vision. >> Guiding principle and the vision. It's really, we believe the world, as we digitize more, as everything's happening at machine speed, as people really need to go to analytics to bring insights into things and bring data into doing, that's, that's really turning that into doing. So it's the security nerve center vision that continue guide what we do, and we believe security nerve center needs really data, analytics and operations to come together and again, I'm gonna tell you, Mission Control is one of the first examples that we bring all of the entire stack together, and you talk about ecosystem. It takes a village, is a team sport. And I'm so excited to see everybody here. And we've done a lot of integrations as part of the suite to continue to mature, more than 1900 API integrations, more than 300 apps, just Phantom alone. That's a lot of automated actions people can take. >> The response from the people in the hallways and also the interviews have been very positive. I gotta get to Mission Control. Phantom was a huge success. 
You're a big part of building, taking that into the world, now part of Splunk. Mission Control. Love the name Mission Control. This is the headline, by the way, Splunk Mission Control takes off, supercharging security operations. So I think Mission Control, I think NASA launching rockets, SpaceX. Really new innovation. Really big story behind this unification. You share where this came from, what it is, what's in the announcement? >> Yeah. So this is all about optimizing how SOC analysts actually work. So if you think about it, a SOC typically is made up of literally a dozen different products and technologies that are all different consoles, different vendors, different tabs in your Web browser, so it for an analyst to do their job literally pivoting between all of these consoles. We call it swivel chair syndrome, like you're literally are frantically moving between different products. Mission Control ties those together, and we started by tying Splunk's products together. So we allow you to take our SIEM, which is Enterprise Security, our UBA product, Splunk UBA, and Phantom, which is our automation and orchestration platform, or SOAR platform, and manage them and integrate them into one single presentation layer to be able to provide that unified SOC experience for the analyst. So it, it's an industry first, but it also boosts productivity, letting analysts do their job more effectively to reduce the time it takes. So now you're able to both automate, investigate and detect in one unified presentation layer or work surface. >> You know, the name evokes, you know, dashboards, NASA. But what that really was wasn't an accumulation, an extraction of data into service air, where people who were analysts do their job and managed launching rockets. But I want to ask you a question. 
Because of this, all is based on the underpinnings of massive amounts of volume of data and the old expression, rising tide floats all boats, also is rising tide floats more adversaries, ransomware attacks is data attacks are everywhere. But also there's value in that data. So as the data volume grows, this is a big deal. How does Mission Control help me manage to take advantage of that all you How do you guys see that playing out? >> Yes, Mission Control really optimizes the time it takes to resolve an incident, ultimately, because you're able to now orient all of your investigation around a single notable event. So it provides an optimal work surface where an analyst can see the event, interrogate it, investigate it, triage it; they can collaborate with others. So if I want to pull you into my investigation, we can use a ChatOps capability, whether it's directly in Mission Control or Slack integration. We can manage a case like you would with a normal case management to be able to drive your incident to closure, leveraging a case template. So if I want to pull in crisis communications team, my legal team, my external forensics team, and help them work together as well, case management lets me do that and triage that event. It also does something really powerful. Haiyan mentioned the operations layer, the analytics, and the data layer. Mission Control ties together the operational layer where you and I are doing work to the data layer underneath. So we're able to now run queries directly from our operational layer into the data layer, like SPL queries, which Splunk is built on, from the cloud where Mission Control is delivered from, to on-premise Splunk installations. So you could have Mission Control running in the cloud, Splunk running on premise, and you could have multiple Splunk on-premise installs. You could have one in one city, another one in another city or even another country. 
You could have a Splunk instance in the cloud, and Mission Control will connect all of those, tying them together for investigative purposes. So it's very powerful. >> That's a first, huge, powerful when this comes back to the new branding, data to everywhere, and I see the themes everywhere, the new colors, new brand, congratulations. But it's about things. What do ours doing stuff, thinking and making things happen. Connecting these layers not easy, okay? And diverse data is hard to get access to, but diverse data creates great machine learning, AI. AI creates great business value. So we see a flywheel development and you guys got going on here. Can you elaborate on that? Data to everywhere, and why this connective tissue that you're talking about is so important? Is it access to the raw data? Is that flywheel happening? How do you see that playing out? >> I'll start with that because we're so excited. We're the data to everything company; our new tagline is turning data into doing. And this wouldn't be possible without technologies like Phantom coming in, right? We have traditionally been doing really great with enterprise, with data platforms and with analytics. Now with Phantom, we can turn that into doing. Now with some of the new solutions around data stream processing, now we're able to do a lot of things in real time. And you mentioned about the scale, right, scale changes everything. So for us, I think we're uniquely positioned in this new age of data, and it's exploding. But we have the technology to help your payment, and it's representing your business. We have the analytics to help you understand the insights, and it's really the ones gonna impact day to day enabling your business. And we have the engine to help you take actions. That's the exciting part. >> Is that what this flywheel, because diverse data is sounds great, makes sense, more data, we see better? The machines can respond, and hopefully there's no blind spots, that creates good AI. 
That kind of knows that if they're in data, but customers may not have the ability to do that. I think that's where the connecting these platforms together is important, because if you guys could bring on the data, it could be ugly data on his Chuck's data data, data, data. But it's not always in the form you need. This has always been a challenge in the industry. How do you see that flywheel, yeah, developing? >> Yeah, I think one of the challenges is the normalization of the data. How do you normalize it across vendors or devices, you know. So if I have firewalls from Cisco, Palo Alto, Check Point, Jennifer alive, that data is not the same. But a lot of it is firewall blocked data, for example, that I want to feed into my SIEM or my data platform and analyze. Similarly across endpoint vendors, you know, you have Symantec, McAfee, CrowdStrike and all of these vendors, so normalization is really key, and normalizing that data effectively so that you can look me in at the entire environment as a single, from a single pane of glass. Essentially, that's what Splunk does really well, is both our schema-on-read ability to be able to query that data without having a schema in place. But then also, the normalization of that data is really key. And then it comes down to writing the correlation searches, or analytics stories, to find the attacks in that data. Next, right. And that's where we provide ES content updates, for example, that provide out of the box examples on how to look for threats in that data. >> So I'm gonna get you guys' reaction to some observations that we've made on theCUBE. In the spirit of our CUBE observability, we talked to people, are CEOs is CISOs, about how they cloud security from collecting logs and workloads, tracking cloud apps and on-premise infrastructure. And we ask them who's protecting this? Who is your go-to security vendors? 
It was interesting because Cloud was in their cloud is number one if it's cloud are not number one, but they used to clear rely on tools in the cloud. But then, when asked on premise, who's the number one? Splunk clearly comes up in pretty much every conversation. Xanatos. Not a scientific survey, it's more of it handpicks. But that means Splunk is essentially the number one provider with customers in terms of managing those workloads, logs across apps. But the cloud is now a new equation because now you've got Amazon, Azure and Google all upping their game on cloud security. You guys partner with it? So how do you guys see that? How do you talk cutters? Because with an enabling platform and you guys are offering you're enabling applications. Clouds have Apple case. So how do you guys tell that story with customers? Is your number one right now? How do you thread that needle into this explosive data in the cloud, data on premise? What's the story? >> So I wish you were part of our security super session. We actually spent a lot of energy talking about how the cloud is shifting the paradigm of how software gets built, deployed and consumed. How security needs to really sort of rethink where we start, right? We need to shift left. We need to make sure that, I think you use the word observability, right? You got to start from there. That's why as a company we bought, you know, SignalFx and all the others. So the story for us is start from our ability to work with all the partners. You know, they're all like great partners of ours, AWS and GCP and Microsoft. In many ways, because ecosystem for cloud, it's important. We're taking cloud data. We're building cloud security models. Actually, a research team just released that today. Check that out and we'll be working with customers and building more and more use cases. 
We also spend a lot of time with our CISO customer advisory council, just happened yesterday, talking about how they would like us to help them, and part of that they were super, super excited. The other part is what we didn't understand how complicated this is. So I think the story have to start in the cloudy world. You've gotto do security by design. You gotta think about automation because automation is everywhere. How deployment happens. I think we're really sit in a very interesting intersection off that we bring the cloud and on-prem together. >> The mission, CISOs, I want to get cameras in that room. I'm sure they don't want any cameras in the CISO room. Oliver, taking that to the next level. It's a complexity is not necessarily a bad thing, because software can abstract away complexity. From the history of the computer industry, that's where innovation could happen, taking away complexity. How do you see that? Because cloud is a benefit, it shouldn't be a hindrance. So you guys were right in the middle of this big wave. What's your take on all this? >> Yeah. Look, I think cloud is inevitable. I would say all of our customers in some form or another are moving to the cloud, so our goal is to be not only deliver solutions from the cloud, but to protect them when they're in the cloud. So being able to work with cloud data source types, whether it's Azure, AWS, GCP and so on, is essential across our entire portfolio, whether it's Enterprise Security but also Phantom. You know, one exciting announcement that we made today is we're open sourcing 300 Phantom apps and making them available with the Apache 2.0 license on GitHub, so you'll be able to take integrations for cloud services, like many AWS services, for example, extend them, share them in the community, and it allows our customers to leverage that ecosystem to be able to benefit from each other. 
So cloud is something that we work with not only from detection, getting data in, but then also taking action on the cloud to be able to protect yourself. Whether it's, you want to suspend an Amazon AMI instance, right, to be able to stop it when it's, when it's infected, for example, right? Those are, it's finishing that whole OODA loop and the investigate, monitor, analyze, act cycle for the cloud as we do with on-prem. >> I think you guys in a really good position again since 2013. But I think my adjustment today would be talking to Andy Jassy, CEO of AWS. He and I always talk all the time around question he gets every year. Is Amazon going to kill the ecosystem? Runs afraid Amazon, he says, John, no, we rely on third party. Our ecosystem is super important. And I think as on-premises and hybrid cloud becomes so critical, and certainly the IoT equations with industrial, really makes you guys really in a good position. So I think Amazon would agree. Having third party, if you wanna call it that, I mean, a supplier is a critical linchpin today that needs to be scalable. >> And we need ecosystem for security. We, you know, one of the things I shared is really an asymmetric warfare, where's the adversary. You talk about AI and machine learning, data at the end of the day is the oxygen for really powering that arms race. And for us, if we don't collaborate as ecosystem, we're not gonna have an upper hand, because the other side, as I always say, there's no regulations. There's no lawyers, they can share. They can do whatever. So I think as a call to action for our industry, we gotta work together. We got to really sort of share and advance our industry together. >> Congratulations on all the new shipping, general availability of ES 6.0. Phantom continues to be a great success. You guys on the open source got an APB out there? You got Mission Control. Guys, keep on evolving Splunk platform. You got app showcase here. Good stuff. 
>> Beginning of the new date. Excited. >> We're riding the waves together with Splunk. Been there from day one, actually 30 year in but their 10th year of .conf, our seventh year covering Splunk. I'm John Furrier. Thanks for watching. We'll be back with more live coverage. Three days of theCUBE coverage here in Las Vegas. We'll be right back.

Published Date : Oct 22 2019


Haiyan Song, Splunk & Oliver Friedrichs, Splunk | AWS re:Inforce 2019


 

>> Live from Boston, Massachusetts. It's theCUBE. Covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. >> Hello everyone. Welcome back to the live CUBE coverage here in Boston, Massachusetts for AWS, Amazon Web Services re:Inforce with their inaugural conference around security, I'm (mumbles). We've got two great guests, from Splunk, CUBE alumni, and also, we do the CUBE coverage .conf, their annual conference, Haiyan Song, SVP, General Manager Security Market, Oliver Friedrichs, Vice President of Security Products, formerly with a company you sold to Splunk, doing Security Phantom, which was mentioned in the partner summit, so congratulations. Great to see you guys. >> Thank you. >> Thank you for having us. >> So you guys are a really great example of a company that's been constantly innovating, on top of AWS, as a partner, differentiating, continuing to do business, and been successful. All the talk about Amazon could compete with partners, there's always been that myth. You guys have been operating successfully, got great customers on AWS, now you have the security conference, so now it's like a whole new party for you guys. 'Cause you don't go off to re:Invent anymore, certainly, the big event, what do you guys think about all this re:Inforce focus? >> First of all, I'm just super impressed. The size, the scale, and the engagement from the ecosystem that they have over here, and I think, you know you mentioned we've been really partnering and being successful. I think the secret is really about, just be very customer-focused. It's about what the customer needs, it's not what does each of us need, and when we have that focus, we know how to partner, we know how to engage. One of the examples that we have here is we're partnering up as the capture the flag exercise and it's powered by Splunk, it's put up by AWS re:Inforce, and we wanted to bring the best user engagement, gamification of learning to this audience. 
>> And there's a demand for a security conference because a new breed, a new generation of engineering and enterprises as they move to DevOps, with security, all those same principles now apply, but the stakes are higher because you got to share data, you got to get the data, it's the data-driven problem. You guys are thinking outside-- I think four years ago at .conf, the cyber security focus front and center, mainstream. >> Very much so. And I think for us, security is a big part of our user conference, too. But we're getting inspirations from this event and how we can further, really amplify that message for our customers. But we're just so glad we're part of this, thank you for having us. >> We're glad, big love covering you, big success story. Oliver, I want to get to you on the Phantom. Yesterday it was mentioned in a great demo of the Security Hub, Security Hub's the big news here, it's one of their major announcements, what is a Security Hub? >> Yeah, so Security Hub, and you're right it was just announced that it reached general availability, which means it's available now to the rest of the world. It's a place to centralize a lot of your security management in AWS. So when you have detections, or Amazon calls them findings, coming from other security servers so they're centralized in Security Hub, where you can then inspect them, take action, investigate them. And one of the reasons we're here, is we've established an integration with Security Hub, where you can now take a finding coming from Security Hub, pull it into Splunk Phantom, and run an automation playbook to be able to, at machine speed, take action on a threat. So typically, you know if you're a human, you're looking at an event, and you're deciding what do I do, well I might want to go and suspend an AMI or go and move that AMI or change the access control group to a different access control group so that AMI can only communicate with a certain protected network if it's infected. 
Automation lets you do that instantaneously, so if you have an attacker who unfortunately may have gained control of your AMI, this allows you to react immediately, very very quickly to take action in that environment. >> And this is where the holes are in the network, and its administrative errors and (mumbles) sittin' out there that someone just configure it, now they're like, they could be out there, no one knows. >> Exactly. >> Could be just tired, I didn't configure it properly. But you guys were in the demos, I want to get your reaction that, because I was sittin' in the room, they highlighted Phantom in the demo. >> That's right. >> And so that was super important. Talk about that integration. What's actually going on under the covers there. >> Yeah, so at a basic level, we're pulling findings through the Security Hub API, into the automation platform. And then at that point, a playbook kicks off. And a playbook is basically, think of it as a big if this/then that statement. You see a threat, and you go and take a number of actions. You might go and block a port, you might go and suspend that AMI, you might go and disable a user, but you basically build that logic up based on a known threat, and you decide, here's what I'm going to do when I see this threat, and I'm going to turn that into a codified playbook that you can then run very rapidly. On the back end, we've had to integrate with a dozen other APIs like EC2, S3, GuardDuty and others to be able to take action in the environment as well to remediate threats, like changing the access control list or group on a resource. So it's closing that end-to-end loop. >> Hold on, Dave, one quick question on that followup. Then the CISO came in from Capital One and was off the record with this comment, was not really a sensitive comment, but I want to highlight and your both reaction to this. 
He says in terms of workforce and talent, mentality, 'cause the question came up about talent and whatnot, he sees a shift from better detection to better alerts, because of some of the demos, and implying, kind of connecting the dots, that the trend is to automate the threat detections the way you guys had demoed with Phantom, and then he was tying it back to, from a resource perspective, it frees his team up to do other things. This is a real trend. You agree with that statement? >> Absolutely. >> What's your thoughts? >> Honestly, we believe that we can be automating up to 90% of the level one analysts. There's a lot of routine rote work that's done today in the SOC, and it's unforgiving, nobody wants to be a Tier One analyst, they all want to get promoted or go somewhere else, because it's literally a rat race. >> It's boring and it's repetitive, you just automate it. >> Who wants to do that, so we can automate that, we can free up about 50% of the analysts' time to actually focus on proactive activities, things that actually matter, like hunting, research and other development, writing counter-measures, versus the continually keeping up and drinking from a fire hose. >> So I wonder if we could talk about how Splunk has evolved. You guys started before cloud, which came in 2006 and then really took off later, before the sort of big data craze, and you guys mopped up in big data. You never really use that term in your marketing, but you kind of became the big data leader de facto, you got an IPO with actually relatively, by today's comparisons, small raises, >> Compared to today, yeah, yeah (laughs). >> Incredibly successful story, very capital-efficient. But then the cloud comes in, you mopped up on prem, how would you describe how the cloud has changed your strategy, obviously you go out and acquire companies heavily focused on automation, but how would you describe your cloud strategy and how has that changed Splunk? >> That's a great question. 
I think the fact that you have so many people here, just tells you that the whole industry is going through this transformation. Not only the digital transformation, the cloud transformation. And I'm glad you mentioned our root, it's all about big data, and nowadays security, in many ways, is actually more about data than anything else. 'Cause the data represents your business, and you protect your data, how do you leverage the data, represents your security strategy. The evolution for us, when you zero that into cloud is, we have really been a very early adopter of cloud, we've been providing cloud services for our customers from the very beginning, at least six years ago when we introduced a product called Storm and we continued to evolve that as the technology evolved, we evolved that with customers. So nowadays you probably know cloud is one of our fastest-growing segments of our business. The technology team has been really innovating, really really fast. How do we take a technology that we built for on-prem, how do we rebuild it to be cloud-native, to be elastic, to be secure in the new way of DevOps. Those are some of the super exciting things we're doing as a company, and on the security side we're also, how do we help customers secure a hybrid world? 'Cause we truly believe the world going to stay hybrid for a long long time and we have companies like AWS really sort of pioneering and focusing and doing things great for the cloud, we still have a lot of customers who need companies and technologies and solutions like what Splunk bring in to bridge the world. >> I want to get you guys' thoughts on some comments we've had with some CISOs in the past, and I really can't say the names probably, but one of them, she was very adamant around integration. And now when you're dealing with an ecosystem, integration's been a big part of the conversation, and the quote was, on integration, "have APIs and don't have it suck." 
And we evaluate peoples' integration based upon the qualities of their APIs. Implying that APIs are an integration point. You guys have a lot of experience with APIs, your thoughts on this importance of integration and the roles that APIs play, because that's, again, feeds automation, again it's a key, central component of the conversations these days. Integration, your reaction to that. >> So, maybe I'll start. I'd say we would not have had the success of Phantom Cyber or the SOAR market, if not for having those APIs. 'Cause automation was not a new concept. It's been tried and probably not succeeded for many times, and the reason that we've been experiencing this great adoption and success with Phantom technology is because the availability of APIs. I think the other thing I would just add, I'm sure he has lot of experience in working that, Splunk was always positioned ourself as we want to be the neutral party, to bring everything together. And nowadays we're so glad we're doin' the integration, not only on the data side, which is still important. Bring the data, bring the dark data and shining a light on top of that, but also turning that into action through this type of API integration. >> So good investment, betting on integration years ago. >> Absolutely. >> Early on. >> We also change our culture. We previously say how many apps we have in our Splunk base. Now with Oliver being part of the team, Phantom being part of the portfolio, we say how many apps and how many APIs we had to integrate. That a change of metrics. >> All right, Oliver. It's up to you now. I'm sure you know I know where you stand on this, APIs being, a renaissance of APIs going to the next level, 'cause a lot of new things goin' on with Kubernetes and other things. You've got State now, you got Stateless, which is classic REST APIs, but now you got State data that's going to play a big role. 
Your thoughts on that, don't make the APIs suck, and we're going to evaluate vendors based upon how good their API is. >> Yeah, I think, look it's a buying decision today. It's a procurement decision whether or not you have open APIs. I think buyers are forcing us as an industry, as vendors, to have APIs that don't suck. We're highly motivated to have APIs that work well. >> That sounds like a t-shirt ready to come out (laughs) >> That's a great idea. >> The Cube API's coming, by the way. >> What does that mean, to have APIs that don't suck? >> So the, a great definition I heard recently was, the API that you use as a vendor to interface with your product should be the same API that customers can use to interface with your product. And if all of a sudden they're different, and you're offering a lesser API to customers, that's when they start sucking. As long as you're eating your own dog food, I think that's a good definition. >> So it's not neutered, it's as robust, and as granular. >> Exactly, exactly. And I think what, 20 years ago there were no APIs in security. To do what we do today, to automate all of this security response techniques that we do today, it wasn't even possible. We had to get to a certain level of API availability to even get to this stage. And today, again, unless, if you're a black box, people aren't going to buy your product anymore. >> Yeah, so, again, go the next level is visibility's another topic. So if you open the APIs up, the data's gettin' better, so therefore you can automate the level one alert, threat detections, move people up to better alerting, better creativity, then begs the question, at what point does the visibility increase? What has to happen in the industry to have that total shared environment around data sharing, because open APIs implies sharing of data. Where visibility could be benefited greatly . >> Yeah, I think visibility is really the key. 
You can't measure what you can't, you can't manage what you can't measure, and you can't, you have to see everything in your environment, your assets, users, devices, and all of your data. So visibility is essential. And it comes in a number of forms. One is getting access to your policy data, your configuration data, seeing how are my things configured? What assets do I have? Where are my S3 buckets? How many AMIs do I have? Who owns them? How many accounts do I have? I think that was one of the challenges before, probably the last three to four years, before that period, enterprises were setting up a lot of these shadow cloud environments, 'cause you could buy Amazon with your credit card, essentially. So that was one of the problems that we would see in the enterprise, when a developer would go and create their own Amazon environment. So getting visibility into that has really been a big advancement in the last few years. Finding those things. >> The birth of multi-cloud. Go ahead John. >> Doesn't make it easier. >> We were talking earlier in our intro Dave and I on the keynote analysis around you can configure it, you can secure it, and then we were riffing on the DevOps movement, which essentially decimated the configuration management landscape. Which was at that time a provisioning issue around developers. They'd have to essentially stand up and manage the network, and go and make sure the ports are all there, and they got load balancers are in place, and that was a developer's job. Infrastructure as code took that away. That was a major bottom, hierarchical needs, that was the lowest need. Now with security, if DevOps can take away the configuration management and infrastructure as code, it's time for security to take away a lot of the configuration or security provisioning, if you will. So the question is, what are some of those security provisioning, heavy liftings, tasks that are going to be taken away when developers don't have to worry about security? 
So as this continues with cloud native, it becomes security native. As a developer, and I don't want to get in and start configuring stuff. I want the security team to magically, security as code, as Dave said. Where are we on that? What's your guys' thoughts on getting to that point? Is it coming soon? Is it here now? What are some of those provisioning tasks that are going to be automated away? >> I think we made a lot of progress in that area already. The ability to simply configure your environment, that Amazon has continued to add layers of check boxes and compliance that allow you to configure the environment far more seamlessly than having to go down into the granular access control list and defining a granular access control policy on your network ports or AMIs, for example. So I think the simplification of that has improved pretty dramatically. And even some of the announcements today in terms of adding more capabilities to do that. Encryption by default. I don't have to go configure my encryption on my data at rest. It's there. And I don't even have to think about it. So if someone steals a physical hard drive, which is very difficult to begin with, out of an Amazon data center, my data's encrypted, and nobody can get access to that. I don't even have to worry about that. So that's one of the benefits that I think the cloud adds, is there's a lot of default security built in that ends up normalizing security and actually making the cloud far more secure than traditional corporate environments and data centers. >> Well I still think you have to opt in, though. Isn't that what I heard? >> Opt in, yes. I would just add to that, I think it's like a rising tides. So the cloud is making lot of the infrastructure side more secure, more native, and then that means we need to pay more attention to the upper level applications and APIs, and identities, and access controls. I think the security team continue to have lot of jobs. 
Even yesterday they said well, not only we need to do what we need to do to secure the AWS, we also now get involved in every decision, all the other compa-- you know, like functions are doing, taking new sort of SaaS services. So I guess message is the security professional continue to have jobs, and your job going to be more and more sophisticated, but more and more relevant to the business, so that I think is the change. >> So question. Oliver, you described what a good API experience is, from a customer perspective, Haiyan, you talked about hybrid. Can you compare the on prem experience with the cloud experience for your customers and how and they coming together? >> You want me to try that first? >> Sure. >> Okay. So, I think lot of the things that people have learned to protect or defend, or do detection response in the on prem world, is still very relevant in the cloud world. It's just the cloud world, I think it's just now really transforming to become more DevOps-centric. How you should design security from the get-go, versus in the on prem world was more okay, let's try to figure out how to monitor this thing, because we didn't really give lot of thoughts to security at the very beginning. So I think that is probably the biggest sort of mentality or paradigm shift, but on the other hand, people don't go and just flip into one side versus the other, and they still need to have a way of connecting what's happening in the current world, the current business, the one that's bring home the bacon, to the new world that's going to bring home the bacon in the future. So they're both really important for them. And I think having a technology as AWS and their whole ecosystem, that all embracing that hybrid world and ecosystem plate no one sort of single vendor going to do all of them, and pick the right solutions to do what you do. 
So in security, I think it's, you going to continue to evolve, to become more, when the security's built in, what is the rising tide that's going to dictate the rest of the security vendors do. You cannot just think as 10 years ago, five years ago, even two years ago. >> So that bolt-on mentality in the first decade of the millennium was a boon for Splunk. It was beautiful. 'Cause we got to figure out what happened, and you provided the data to show that. How does Splunk differentiate from all the guys that are saying "oh yeah, Splunk, they're on prem, we're the cloud guys." What's your story there? >> Our story is you can't really sort of secure something if you don't have experience yourself. Splunk cloud is probably one of the top, say 10 customers of AWS. We live in the cloud, we experience the cloud, we use the word drink, you know, like eat our own dog food, we like to say we drink our own champagne, if you will, so that's really driving lot of our technology development and understanding the market and really built that into our data platform, build that into our monitoring capabilities, and build that into the new technologies. How, you know, it's all about streaming, it's not about just somebody sending you information. It's about, in a hybrid world, how do you do it in a way that you, we have a term called the distributed data fabric search, because data is never going to be in one place, or even sort of in one cloud. How do we enable that access so you can get value? From a security perspective, how do we integrate with companies and solutions that's so native into the cloud, so you have the visibility not and the Bodong, but from the very beginning. >> So you're saying that cloud is not magic for a software company, it's commitment and it's a cultural mindset. >> Absolutely. >> Guys, thanks so much for comin' on, great to see you, we'll see you at .conf, the Cube will be there this year again, I think for the seventh straight year. 
Oliver, congratulations on your product success, and mention as part of the AWS security hub presentation. >> Thank you. >> Good stuff from Splunk. Splunk is inside the Cube, explaining, extracting the signal from the noise, from one of the market-leading companies in the data business, now cyber security, I'm with (mumbles), we'll be back with more Cube coverage after this short break. (techno music)

Published Date : Jun 25 2019


Haiyan Song, Splunk | Splunk .conf18


 

(upbeat music) >> Announcer: Live from Orlando Florida, it's theCUBE, covering .conf18. Brought to you by Splunk. >> Welcome back to .conf18 everybody. I'm Dave Vellante with Stu Miniman, and you're watching theCUBE, the leader in live tech coverage. We love to go out to the events, extract the signal from the noise. A lot of focus today, Stu, on security and Haiyan is here. Haiyan Song is the Senior Vice President and General Manager of Security at Splunk. Great to see you again. >> Thank you for having me. >> You're very welcome. Fifth time I think for you on theCUBE. So you're super alum. And really always appreciate your deep knowledge. As I said, today was security day. A lot of customers talking about security. It's obviously a stronghold of Splunk. But, give us the update. What's new this year with you? We talked a year ago in D.C. What's happening with you guys? >> Well this is the year that we really went out and shared our vision of what SOC looks like in 2020. And we call it the Vision of SOC 2020. And on a very high level, we envision that in a couple of years with the technology like analytics, and operations, automation, orchestration, we envision that 90% of the Tier 1 work that a SOC analyst would be doing will be automated. And with that automation we are envisioning that most of the time, more than 50% of the time, the SOC analyst can actually focus on detection logic and really responding to things, that requires the human skills and insights. And we're also envisioning that by that time, there will be a place, one place, where things for response gets orchestrated versus people have to go to twenty different places trying to figure out what's going on. So, that sort of, from a business perspective but to deliver that, there's really, sort of ten, we share the ten big we call it core capabilities, that capability road map to SOC 2020. 
And for us, we feel really fortunate that with the acquisition of Phantom, we are really able to bring that full stack together, to deliver that capability. So we have data platform. You heard all the exciting news on what we are doing, with data fabric search, stream processing, and amplifying the performance analytics. You heard all those things that we're putting into IT, and security, ES, UBA, and then last but not least is the ability to orchestrate, to automate, to collaborate. So I think we're really uniquely positioned, because we can bring all three together. That's the full stack to deliver on that vision. >> So let's talk a little bit more about that vision. So, I mean my rudimentary understanding is you really had a reactive mode in the past. It's kind of herding cats, trying to figure out, okay I'm going to to try to respond to an incident. Then you started to use data and analytics to try to prioritize, to focus on those things that aren't going to be a false positive or of high value. What you're putting forth is a vision where a lot of that heavy lifting goes away. Machine intelligence is either augmenting, or making decisions about which items to go after. Talk more about that world. What does it look like? What's the role of the security professional in that new world? >> Yeah, there's two parts we do in the Security Operations Center. Detecting things and responding things and taking care of sort of the incidents. So a lot of the things you really touched on is how we have applied machine learning and analytics and really leveraging the business context. The feature we talked about, the distribute, the data fabric search is a really powerful tool. Now we can reach out and get lot more information to help you make better decisions to reduce the reshow of noise to signal, or signal to noise, and whichever way you want to see it up and down. 
So, that world we expect more machine learning, more data modeling, more threat modelings so we can really sort of incorporate business, sort of context, so risks become a one key thing to help people prioritize. That's our product ES, and UBA, and you heard about the whole predictive capabilities in IT. I think all of those will be sort of that world. And the second part of what we do is if something does happen now we really got the signal. What do you do about it? We envision that world lot of initial men did prep work. Like, oh I want to find out if this ID belongs to which organization? Is this really a signature in the VirusTotal, sort of database and what happened, so that whole prep hopefully, will be done for you before you even get started into an incident. And furthermore, if we have responded to those type of incidents before, we actually would like to give you a recommendation, this is what happened before, this is what worked, and why don't you think about this playbook and automate this part? So, I think the world in 2020, is going to be a lot of augmentation. >> One of the things we've heard from a number of your customers, is security in DevOps and how they are using the DevOps mentality to make security more pervasive and integrated in everything they do. Could you explain how Splunk fits into that discussion? >> Yeah, so DevSecOps, I think that's, sort of, the term you might be alluding to and I think the cloud adoption, the acceleration, and the new IT is really, sort of, bringing that into focus for us. Splunk plays to that in several ways. We have a security business, we have an IT business, and you may have heard we just acquired another company called VictorOps after Phantom. So they're really helping the DevOps world and try to coordinate and enable collaboration. So we definitely expect that capability will show up in the security side to help the DevOps, DevSecOps' world and we are also, as a company, taking data security really seriously. 
So we are putting a lot of, you know, you saw the data stream processing and one of the capabilities to obfuscate credit card and for GDPR and a lot of other things, there's that mending. You got to give people the control of things so there is a lot of that. We're taking into consideration and putting that into the product and the other thing is, really, we ourselves operate probably one of the biggest, sort of, cloud capabilities on AWS and we have infused a lot of best practices around, how do you automate? How do you protect? How do you be compliant? And how do you ensure customer have control? And there's a lot of work we're doing there and practicing DevSecOps ourselves. >> Haiyan, in thinking about the Splunk portfolio and in the context of the vision that you guys laid out, how does Splunk's existing portfolio fit in to that vision and where are the gaps? What has to evolve, whether it's your capabilities, or the industry's MI, ML, or machine learning capabilities? Where are the gaps? >> So I think in many ways the ten core capabilities were laid out. I'm going to try to go through them in my head. So. >> Okay. >> Ingest. Detect. Predict. And then automate. Orchestrate. Recommend. Investigate. Case Management. Collaborate. And reporting. So those are the ten. When we were sharing with our audience, we actually look at our ES, UBA, and Phantom. We are able to give them all those capabilities to get started on their path for SOC 2020. But we also realize and recognize that all those capabilities, I'll give you an example, Case Management, now there is more and more requirements coming to the security side to say I want you to bring all the different things together, and I want you to take in the automated playbooks and how this plays into those, so there's always room for us to continue to enhance those capabilities. 
But, we also see the opportunity for us to bring all those things in a more seamless way into, sort of, one full stack, the full stack that gives you, you know, I don't know if you heard the term, powering the OODA Loop? Right, the observe, orient, decide, and act. And that was really, sort of, military strategy for the fighter pilots to say the whole premise is whoever can power that loop, and execute the fastest, wins. >> It's like readying fire but more data focused. >> More data focused, I like that. So for us, it's really how do we bring the portfolio together, so they can really power that loop in a very intuitive way. And in a very open way. I want to make sure that I iterate that reiterate our commitment to be open. There's data layer, there is analytics layer, there's operational layer. We want to be that company can bring the full stack make them work really well. But, in the meantime work well with other data, with other analytics, detection engines, and other ways to operate. So being open is very important. >> And you'll automate as many of those or all of those ten that you mentioned. Do you automate the run book? >> Automated run book is what Phantom is all about and the run book gets more and more sophisticated and I think we give people the ways to say if on day one, you don't want to automate everything, especially shutting down his email, then you have the choice. But, it's as you learn, as you become more confident, and you have that under your control. How much you want to automate, and hopefully, as more automated actions are taken, we get to analyze those and start making recommendations so you become more comfortable with that. >> So I understand New York Presbyterian was in your session. And, you were talking about going beyond security. I often like to say that security and privacy are two different sides of the same coin. But, when they talked about going, well share with us, what you learned from them. 
>> Yeah you have really the best phrase to say they are both sides and as a security professional in the digitized world I don't think you have a boundary to say my job starts with SOC and ends with SOC. It goes way beyond. It goes into data privacy. It goes into even fraud analytics, because a lot of things are happening online. It also goes into compliance. And, it's interesting that we thought years ago, compliance was driving investment. I think now with GDPR, with some of the data privacy challenges we've seen, that's impacting the masses, the criticalness of compliance is actually coming back. So the story that I was super impressed that our customer, New York Presbyterian shared with us is they had a challenge of really managing all this sort of patient records, and try to understand the staff's activities. Because, the auditors have a certain set of things. You know you shouldn't be snooping around the patient's record, if its your neighbor, or your buddy. So they used Splunk and they powered, sort of, us with a lot of the data from various applications. They have probably 20 data sources, that's very healthcare centric. We partnered up, we had our product expert, and fraud experts on that. And, we built a privacy platform, a early version of that, and they showed it to their privacy officers, and they basically said we've not seen anything like this to give us the flexibility and ease of use to be able to bring everything together. And, they did even more than that. If you have time I'll share with you on the opiate diversion capabilities they started building with. >> Dave: Oh, yeah talk about that, yeah please >> So we were thinking, we're just going to help them with compliance that makes their organization more compliant and better, but they didn't stop there. 
They said well, based on the power we're able to, really, leverage from the Splunk platform, we see the data we have for our pharmacies, there's a lot of prescription, sort of, information and with the world that's battling the opiate epidemic, we think we can actually analyze the data and give us early patterns and earnings, warnings of what might be happening. So, that's the next project we're partnering up. And for us we have technology, and customer have domain knowledge, have data. I think that's a great partnership. And they are willing, they are wanting us to go evangelize 'cause they want the whole industry to benefit, they want the nation to benefit. >> Well we saw this week on 60 Minutes, did you see that story? The one pharmaceutical company got in big trouble and a doctor went to jail. The pharmaceutical company was shipping 500 million Oxycontin pills into Florida. This is a state with a population of 20 million. Something was wrong. Obviously those were hitting the streets. And, this individual this doctor went to jail for life. So, data analysis could identify that. >> Data was there. I think it's the insight to look for the ways, to look for those things and having that insight drive decisions is really the partnership we have with our customers. >> We're seeing that, g'head Stu. >> Yeah I was just, you spoke on a panel of the Grace Hopper event. >> Haiyan: Last week. >> We've been hearing great messages of diversity at this show. You had the Carnival Cruise CEO up on stage giving some great discussion points yesterday. Maybe you could share a little bit of your experience at the show and the panel that you were on. >> The Grace Hopper is such an amazing event and we see so many college grads and people, sort of, starting their career and that is like the go to place. And I see all the big companies, big, or small actually, putting so much effort to try to really evangelize to that audience. 
'Cause California just passed, the Governor just signed into law, they require a woman on the board, as part of the requirements because diversity is being proven to bring better decision making into the board and I, myself, can tell you that my security leadership team over the years become more and more diverse. I don't think diversity is just gender diversity. I think diversity needs to go beyond gender. It's background where people who are from the private sector, from the government, where people from different Geo's of the world. That sort of richness of perspective always give us the best, sort of, angles to think about and validating, and debating on our, sort of, strategies. And going back to Grace Hopper, the panel that I was on was really sharing with the people who are there, what are some of the things that you should be prepared for if you want a cyber security career. And the part is not try to, oh here's a high bar. We really try to encourage everyone, whether you're technical, or you just having great analytical skills. I think one of my fellow panelists, she made a comment I thought was super funny. She was a CEO of a company and she said, sometimes women just have to have enough confidence and to go take the risk, grab the opportunity. She used the word, sometimes you have to fake it until you prove it and until you make it. And she's really just encouraging the attendees, just step up take the opportunity. I am in total agreement with that. >> Lean in baby. >> Lean in. That's another way to do it. >> Haiyan thanks so much for coming back in theCUBE. Really great to see you again. >> Thank you for having me. >> You're very welcome. All right, keep it right there everybody. Stu and I will be right back with our next guest. Right after this short break. We're live from Orlando, Splunk .conf18. You're watching theCUBE. (upbeat music)

Published Date : Oct 3 2018



Monzy Merza & Haiyan Song, Splunk | Splunk .conf 2017


 

>> Announcer: Live from Washington DC, it's theCUBE, covering .conf2017, brought to you by Splunk. >> Well good morning, welcome to day two, Splunk .conf2017 here in Washington DC, theCUBE very proud to be here again for the seventh time I believe this is. John Walls, Dave Vellante. Good morning, sir, how are you doing, David? >> I'm doing well thank you. >> Did you have a good night? >> Yeah, great night. >> DC, I know your son's here >> Walked round the district a little bit, yeah, it was good. >> It's good to have you here. >> At the party last night upstairs, (John laughs) talked to a few customers, trying to find out what they didn't like about Splunk, and it was not a lot of things. >> That would be a short conversation I think. We can do us, we got a couple of keynote rockstars with us this morning, Haiyan Song, who's the Senior Vice President of Security Markets at Splunk. Haiyan, good to see you again. >> Great to see you too. >> John: Thanks for coming back, Monzy Merza, who was the Head of Cybersecurity Research at Splunk. >> Thank you for having me. >> John: Monzy, commanding the stage with great acumen today, good job there. >> Monzy: Thank you. >> Yeah we'll get into that a little bit later. But first off, let's just kind of set the table here a little bit. I know this is a bit of transformational year for you in terms of security, in how you're building out your portfolio, and your services, and so kind of walk us through that. What are you doing, Haiyan, in terms of, I guess being available, right, for whomever, whenever, wherever they are in their security journey you might say. >> Journey is the keyword this year, and nerve center is another one that I highlighted at my super session yesterday. So when I reflect on, this is your seventh year, and when I reflect on the last three years, right, we came in and really talked about the enterprise security product on the first year. 
And second year we talked about, you know, how UBA adds to the capabilities for better detection and machine learning. We introduced different features. This year we didn't start the conversation on, "Here's a new feature". This year we started the conversation on you need to build a security nerve center. That's the new defense system. And there's a journey to get there, and our role is to enable you on that journey every step of the way. So it's portfolio message, and not only for the very advanced customers, who want machine learning, who want to customize the threat models. Also for people who just started, to say I have the data, and help me get more insight into this, or help me understand how leverage machine data across domains to really correlate and connect the dots, and do investigations. Or what are the important things to set up the basic operations. Very, very excited about the ability, transformational year, as you mentioned, that we can bring the full portfolio to our customer. >> So, Monzy, you've said in your keynote today, defenders can succeed. We talked off camera, you're an optimist. And all we need is this nerve center. So to date, has that nerve center been missing, has it been there and people haven't been able to take advantage of it, have the tools been too complicated? I wonder if you could unpack that a little bit? >> I think what's happened over the course of many years, as the security ecosystem matures and evolves, there are a lot of expert technologies in a variety of different areas, and it's a matter of bringing those expert technologies together, so that the operations teams can really take advantage of them. And you know, it's one thing to have a capability, but it's another to leverage that capability along with another capability and combine the forces together, and really that's the message, that's Haiyan's message, that's been there for the nerve center, that we can bring together. 
And so when I say the defender has an advantage, I mean that, because I feel that the operations teams, the IT teams, as well as the security teams, have laid out a path, and the attacker cannot escape that path. You have to walk down a certain path to get to something to achieve or to steal or to do whatever, or damage that you need to do. So when you have a nerve center, you can bring all the instrumentation that's been placed along those paths to make use of it. So the attacker has to work within that terrain. They cannot escape that terrain. And that's what I mean, is the nerve center allows for that to occur. >> Now you guys have talked for a long time about bringing analytics and security, those worlds together. We've always been a big obviously proponent of that, but spending's just starting to shift, right. They're still spending a lot of money on the perimeter. I guess you have to. We all see the numbers, security investments continue to increase. But where are we today with regard to analytics and being able to proactively both identify and remediate? >> So I just echo what you just said. I'm so pleased to see the industry started the shifts. I think being analytics-driven is really top of mind for people, and using machine learning automation to help really speed up the detection and even response are top of mind. We just did a CISO Customer Advisory Report on Monday, and we always ask when we start the meetings, "Tell us your top of mind challenges, tell us your top of, you know two investment, and what's the recommendation for Splunk?" And better, faster response, better faster detection and automation and analytics is top of mind for everybody. So for us, this year, extremely, extremely happy to talk about how we're completing that narrative for analytics-driven security. 
>> Well on that point, you talk about analytics stories, and filling gaps, putting an entire narrative together so that somebody could loosen up the nuts, and they can see exactly where intrusions occur, what steps could be taken, and so on and so forth. So, I mean, dig a little deeper on that for us, maybe Monzy, you can jump on that, about what this concept of analytics stories, and then how you're translating that into your workplace. >> We thought about this for quite some time in terms of drilling down and saying, as analysts and practitioners, what is it that we desire? The security research team at Splunk is composed of people who spend many, many years in the trenches. So what do we want, what did we always want, and what was hard? And instead of trying to approach it from the perspective of, you know, let's just connect the dots, really take an adversarial model approach to say, "What does an adversary actually do?" and then as a defender, what do I do when I see certain things happening? And I see things on the network, I see things on the end point, and that's good, and a lot of people talk about that. But what do I do next? As the analyst, where do I go, and what would be helpful to me? So we took this concept of saying, let's not call them anything else, we actually fought over this for quite some time. These are not use cases, because use case has a very different connotation. We wanted stories because an adversary starts somewhere, adversary takes some action. The defender may see some of that action, but then the defender carries on and does other things, so we really had this notion of a day in the life, and we wanted to capture that day in the life of the perspective of what's important to their business, and really encapsulate that as a narrative, so that when the analysts and security operations teams get their hands on this stuff, they're not bootstrapping their way through the process. 
They have a whole story that they can play through, and they can say, and if it doesn't make sense to them, that's okay, they can modify the story, and then have a complete narrative to understand the threat, and to understand their own actions. >> So we hear the stat a lot about how long it takes for organizations to identify an intrusion. It ranges I've been seeing, you know, service now flashing 191, I've seen it as high as 320. I'm not sure there's clear evidence that that number's compressing. I think it's early days there, but presumably analytics can help compress that number, but when I think about things like, you know, zero day signatures, and other very high tech factors that are decades old now. Can analytics help us solve those problems? Can the technology, which kind of got us into this mess, get us out of the mess? (Monzy and Haiyan laugh) >> That's such a great point. It is the technology that just made our lives so much easier, as you know, living, and then it complicate it so much for security people. I'll give you a definitive yes, right. Analytics are there to help detect early warning signs, and it will help us, may not be able to just change the stats right now for the whole industry, I'm sure it's changing stats for a lot of the customers, especially when it comes to remediation. The more readily available the data is for you when you are sort of facing an incident, the faster you can get to the root cause and start remediate. That we have seen many of our customers talk about how it was going from weeks to days, days to hours, and that includes not just technology, but also process, right? Process streamline and automating some of the things, and freeing up the people to do the things that they're great at, versus the mundane things, trying to collect the information. So I'm also a glass half full person, optimist, that's why we work together so well, that we really think being data driven, being analytics driven, is changing the game. 
>> What about the technology of the malware? I think it was at a .conf, I think it was 2013, one of your guest speakers gave us an inside look at Stuxnet. Of course by then it was seven, eight years old, right? But it was fascinating, and you know you read more about it, and you learn more about it, and it's insidious. Has the technology on the defender side, I guess was my real question, accelerated to keep up with that pace? Where are we at with the bad technology and the good technology? Are they at a balance now, an equilibrium? >> I think it's going to be a constant evolutionary process. It's like anything else, you know, whether you look at thieves or whether you look at people who are trying to create new innovative solutions for themselves. I think the key that, this is the reason why I said this morning, is that defenders can have, I think I said unfair advantage, not just an advantage. And the reason for that is, some of the things Haiyan talked about, with analytics, and with the availability of technology that can create a nerve center. It's not so much so that someone can detect a certain type of threat. It's that we know the low fidelity sort of perturbations that cause us to fire an alarm, but there's so many of those that we get desensitized. The thing that's missing is, how do I connect something that is very low threshold, to another thing that's very low threshold, and sequence those things together, and then say, you know, combined all of this is a bad thing. And one of my colleagues uses as example, you know, I go to the doctor and I say you know, "I've got this headache for a long time", and the doctor says, "Don't worry, you don't have a tumor." And it's like, "Okay, great, thank you very much," (Dave laughs) but I still have the headache >> Still have the headache. >> And so this is why even in the analytics stories we use, and even in UBA and in enterprise security, we don't use the concept of a false positive. 
We use the concept of confidence, and we want to raise confidence in a particular situation, which is why the analytics story concept makes sense, is because within that story, the confidence keeps raising as you go farther and farther down the chain. >> So it's a confidence, but also married, presumably through analytics, with a degree of risk, right? So I can understand whether that asset is a high value asset or John's football pool or something like that. >> John: Which is going very well right now by the way. (all laugh) Bring it on, very happy. >> Now you guys have come out with some solutions for ransomware. I tweeted out this morning that I was pleased at .conf that we're talking about analytics, analytic-driven solutions to ransomware, and not just the typical, when we go these conferences, the air gap yap. Somebody tweeted back to me, said, "Dave, until we see 100% certainty with analytics-driven solutions, we better still have air gaps." So I guess I wanted, if you guys could weigh in on what should people be thinking about in terms of ransomware, in terms of an end to end solution. Can you comment? >> I will add and... So for us, right, even to follow on the last question you had, the advancement in technology is not just algorithms, it's actually the awareness and the mindset to instrument your enterprise, and the biggest information gap in an incident response is, I don't have the data, I don't know what happened. So I think there's lot of advancement happened. We did a war game, you know, tabletop exercise, that was one of the biggest takeaways. Oh we better go back and instrument our enterprise, or agency, so when something does happen, we can trace back, right? So that's number one. So ransomware's the same thing. If you have instrumented your infrastructure, your applications stack, and your cloud visibility, you can actually detect some of the anomalies early. It's never going to solve 100%. So security is all about layered defense, right. 
Adapting and adding more layers, because nobody is really claiming I can be 100%, so you just want to put different layers and hoping that as they sift through, you catch them along the way. >> I think it's a question of ecosystem, and really goes back to this notion that different people have instrumented their environments in different ways, they deploy different technologies. How much value can they get out of them? I think that's one vector. The other vector is, what is your risk threshold? Somebody may have absolutely zero tolerance for air gaps. But I would, as a research person, I would like to challenge even that premise. I've been privileged to work in certain environments, and there are some people who have incredible resources, and so it's just a question of what is your adversary model that you're trying to protect yourself against, what is your business model for which you're willing to take over that risk? So I don't think there is a too high endpoint, there isn't a single solution for any of these number of things. It really just has to match with your business operation or business risk posture that you want to accommodate. >> You know what, you're almost touching on a point that I did want to hit you up on before you left, about choice, and you know, it's almost like personal, how much risk am I willing to take on? It's about customization, and providing people different tools. So how much leash do you give people? I mean do you worry that if we allow you to do too much tinkering you actually do more harm than good? But how do you factor all that in to the kind of services that you're offering? >> I think that ultimately it's up to the customer to decide what's valuable and what's critical for their business. If somebody wants a complete solution from Splunk, we're going to serve those customers. 
You heard a number of announcements this week from ES Content updates, to opening up the SDK, you know, with UBA, to the security essentials app releases, and all of those different kinds of capabilities. On the top end of it, we have the machine learning toolkit. If you have experts that want to tinker and learn something more, and want to exert their own intuition and energy on a compute problem, we want to provide those capabilities. So it's not about us, it's about the ability for our customers to exert what is important to them, and get a significant advantage in the marketplace for their business. >> I think it's important to point out too for our audience, it's not just a technology problem. The security regimes in organizations for years has fallen on IT and security practitioners, and we wrote a piece several years ago on Wikibon Research, that bad user behavior is going to trump good security every time. And so it's everybody's responsibility. I mean it sounds like a bromide, but it's so true, and it's really part of the complete solution. You know, I mean, I presume you agree. >> Totally. Going back to the CISO Advisory Board, one of the challenges they pointed out is user accountability. That's one of the CISO's biggest challenges. It's not just technology. It's how can they train the users and make them responsible and somehow hold them accountable. I thought that was a really very interesting insight we didn't talk about before. >> Yeah, you don't want to hear my bad, but unfortunately you do. Well, we were kind of kidding before we got started, we said, "We've got an hour to chat." It seems like it was just a matter of minutes and so thank you for taking time. We could talk an hour, I think. >> Monzy: Oh easy. >> Fascinating subject. And we thank you both for your time here today, and great show. >> [Haiyan And Monzy] Thank you for having us. >> Haiyan: It's always a pleasure to be here. >> You bet, all right, thank you Haiyan and Monzy. 
Back with more of theCUBE here covering .conf2017 live in Washington DC.

Published Date : Sep 27 2017

