Kent Farries & Ikenna Nwafor, TransAlta | Splunk .conf 2017

>> Narrator: Live from Washington D.C. It's The Cube covering .Conf 2017. Brought to you by Splunk.

>> Welcome back to Washington D.C., the Cube continues our coverage here of .Conf2017. It's the Splunk get together here in Washington D.C. We're at the Washington convention center where they have a record crowd, 7,000+, everyone having a splunking good time, you might say. Dave Alante, John Walls here, and we're joined by a couple of gentlemen who work with TransAlta. Kent Farries on the far left, who's a senior analyst working the security intelligence analytics as well at TransAlta. Kent, good morning to you, sir. I guess good afternoon, we've crossed that threshold, haven't we? And Ikenna Nwafor, who's a senior information security specialist at TransAlta as well. So good morning to you.

>> Thank you, good morning to you.

>> Kent, maybe you could just tee us up a little bit about TransAlta. Tell us a little bit about what core function, what you all are up to, and then how the two of you are helping that mission along its way.

>> Sure, TransAlta is a well-respected power generator and wholesale marketer of electricity. It's been in business for over 100 years. We're based out of Calgary, Canada, and we have operations in the United States as well as Australia. Myself and Ikenna are part of the security team based out of Calgary, and then we also have offshored or outsourced some of the security operations and our function.

>> Which I imagine is vast. Right, I mean you've got, you know, your primary mission obviously security, I would assume of the grid, distribution of power.

>> Kent: You are correct.

>> That's your number one focus. Right, so talk about the complexities of that in general for our audience who may not be familiar with your particular business, but you obviously can imagine the nuances and the sensitivities that you have to deal with.

>> Kent: So do you want to?

>> Ikenna, why don't you take that.

>> I think they found out that we are in the power generation business, makes us a critical infrastructure. And that means working and having ties to the grid makes it very critical that we protect our critical information systems from the threat landscape currently in security, so it's a vast responsibility for the team, and we have regulatory requirements we need to abide by, things around (inaudible) and compliance requirements, so that's really a very daunting task for us to mate with from a security standpoint.

>> Right, so it's critical infrastructure, that is distributed in its nature, so it's high value, you're a target. You got to wake up every day knowing that.

>> Yeah, sure.

>> Okay, so maybe take us through sort of your Splunk journey and what role it played, kind of the before and after, and how has it affected your business?

>> I'll take that. So in the mid-2000s, we did security and everything, but it wasn't really a key focus of senior management or anything, it wasn't a lot of real breaches, most of the stuff that was going on was a nuisance, right? Out of the marketplace.

>> Dave: Kind of hacktivists.

>> Yeah, and we dealt with it, a lot of it still wasn't really coming through the internet, it was still coming through other means. So it wasn't at the forefront, even though we tried in, say, 2006 to make sure that security was at the forefront, management wasn't quite ready at that time. Wasn't big breaches or anything. Around 2009 is our first introduction to what we call the SIEM, Security Information Event Management solution, basically log management. We implemented that in 2009, and then we had that running for about five years until about 2014, but we started to lose some confidence in that tool, it just didn't give us the information that we wanted or needed to properly detect, respond to today's threats. So we stumbled upon Splunk, it took a little while to actually buy it. One of the system engineers tried to sell it to us, we said nah, come back later. Nah, no, I don't even know what it is. And then finally I actually spun it up, a proof of concept, and I go, this thing's amazing. Everything I ever thought of doing, I can actually do with this tool. This is wow. So took the POC, sold it to management, come January 2015 we implemented it, we hired the company out of Ontario to help stand it up and bring all the data in. It was amazing and we had everything we ever wanted. It blew away our previous security information management system.

>> So the SIEM fell short, you said, because it didn't really give you the information you needed. Was it also a case of it was just too much information?

>> It was difficult to use, so we actually went on training when we implemented the original one in 2009. So two weeks of training, down in the U.S., come back, architect, still had a consultant help us stand it all up. But we couldn't build the use cases that we really needed. We were happy at the time just to get log data, but there's no data enrichment or good correlation capabilities, or it was super super difficult to implement. You couldn't search something like Splunk Answers, which you can today. I need to Google anything and the answer's out there around Splunk, which is just, the community's phenomenal.

>> So at the time you didn't know what you didn't know, and then once you saw Splunk, it sort of changed your vision of what was possible, but so you said it was amazing, but why is it amazing, what is it about Splunk that the SIEM tools don't do?

>> I think to Kent's point, part of the challenge we had with the previous SIEM tool was the fact that it required a whole lot of work to even get a single simple use case in place for our security. Whereas when we had Splunk in place, one is onboarding data logs from various sources was really really dead simple. The initial set up was within a day or half a day to basically replicate what we had from our previous SIEM, which was really fast. And then the other thing is Splunk provided a whole lot of flexibility where you really didn't need to go for some two weeks training to actually get going initially. And through the period we've had Splunk, we've seen that there's been a lot of things we've been able to achieve that we couldn't accomplish when we had our previous SIEM.

>> Like for example, I mean what's it letting you do now, day to day, that you couldn't do before?

>> So if you buy a SIEM, typically it's in a vertical. It's serving one purpose. When you implement that, it's usually the security team that gets to use it, and you got to bring in all this log data. Your other teams, say in operations or whatever, they want their log data too, but they're in a totally different system. With Splunk it's a platform for us. So we bring all the data in, it's consumed by the IT security, it's consumed by DevOps and operations. So the same amount of data that you bring in, say from an endpoint, we'll use it for detection, forensics type capabilities, but the desktop team can use it as well to see is there application problems, desktop problems. Do I have drivers or something on a desktop that needs to be updated. We can be more proactive and help out the user, so for us it's like a fabric. The foundation, so once we've got that laid, yep?

>> So all these use cases that you're laying out, previously you would have to essentially customize for each use case, is that right?

>> Previously we couldn't even do some of them, and then the other thing is we would most likely need to engage a third party contractor to assist us with that. Somebody who is a specialist in that field, whereas with Splunk some of the key things that helped us with Splunk is that maybe in the process of responding to a security event, we could think up ideas of we need this information, how do we get it? And on the fly we can easily build up a use case within minutes to get the information we need from Splunk, we don't need to consult anyone, we don't need to read up manuals, and for instances here we really need information to help us with building up the use cases, going to, like Kent mentioned earlier, going to Splunk Answers, you most likely get, so there's a broader community with Splunk that really helps with giving you the information you need to help you in your Splunk journey.

>> Okay, so it's more intuitive, I'm hearing, and it's got the data that you need.

>> Exactly.

>> And so, but even if you had an equivalent of Splunk Answers for your previous SIEM tool, you're saying you wouldn't have been able to, because it's not flexible enough to architect what you needed?

>> Ikenna: Exactly.

>> And I'd like to just put a comment in there. I've been in IT for a long time. And I've always wanted to, say, build my own database to bring stuff in and do different things, so I'm pretty good at scripting, but I don't want to be designing a full application or whatever. When I saw Splunk and how easy it was to onboard data, I go wow, this is amazing. So when I brought the consultant in and we stood up our original infrastructure, not only did we stand up ES within two weeks, Enterprise Security, we also onboarded all my custom stuff, like PowerShell scripts, everything else, so we brought in Active Directory data into Splunk and made it a PVR for us. So we go back in time and look at anyone, who their manager was and everything that's happened to that account at that exact time, and we can correlate that with IP information, everything else. As well we have all of our floors are mapped out. We know where you are in any given building or facility. So we were able to do that at a point in time, 'cause there's a PVR. We don't lose that information. And that's data enrichment, and we couldn't do that in the old system.

>> So you had a time machine for your machine data.

>> Kent: Yeah, it is, absolutely.

>> Okay, cool. Now back to your business a little bit, so there's a physical security aspect of what you guys have to worry about as well. And I'm wondering if you could talk about that and how, just the sort of attitude you touched on this before, Kent, but how the attitudes towards security have changed and evolved over the last decade. Obviously greater awareness. Has that trickled into the lines of business? Or is it still mostly an IT and a security pro problem?

>> I'll let Ikenna answer this.

>> So really, for us it's been a journey for the last little while around security. And a couple of things we've had over the past few years is spreading the awareness around security across the business, and that's really gained traction where it's no longer just the IT security folks talking to the business about what they need to do for security. But also the business getting back to IT security and trying ones they want to implement, setting up solutions, trying to figure out okay, what do we do for security? Can you help assist us with something around risk assessment, and really over time that has really helped spread that awareness, and also we do a whole lot of things around trying to build a security program through performance assessments, that would be useful to identify gaps. And being able to communicate with the stats to senior management, around getting the necessary buy-in to proceed with whatever initiatives we want to run along with from a security standpoint. You want to add to that?

>> I think that's good.

>> Yeah, I'm sensing that prior to Splunk it was an uphill battle to get management to invest. Because they probably said, alright, we're going to throw money at it, what's the result that we're going to get. As you can present metrics to management, it's easier to justify the investments because they're going to be able to see the outcomes, is that fair?

>> Yes, definitely. I think prior to Splunk really we had certain sets of metrics, but what Splunk has really helped us do is really consolidate all the log sources we have, get the right information and be able to actually provide a holistic view of our security program to senior management and show them across the different business units where we can get value for investment pointing to security.

>> And have you evaluated alternatives, I know those competitors, they've bumped up in the past couple of years, have you evaluated those? Or did you at the time?

>> Yeah, so in 2009, we looked at a few different vendors and we picked a market leader at the time. There's a couple that we liked more than the market leader, but they just didn't scale to our size. Back in those days certain vendors would call it events per second or whatever, we did some analysis and go, they just can't scale. That one back in 2009 is now a market leader. It's pretty good, it looks really interesting and everything, as well there's about two or three players out there that I think look great from a SIEM perspective, but if you think of us, where we are at, a SIEM is a component, but we actually have a platform. And management's bought into the platform, not only a SIEM, they didn't even know what a SIEM really was before, say, 2013. And now they just know that we can provide information when they ask for it. If we don't know, we can get the answer within minutes or maybe hours sometimes, depending on the complexity of the query, but we have all the information, we have all the PVR, time machine as you mentioned. It's all sitting there. We brought in most of our data, we got a couple little pieces we're still working on, there's different cloud information we're bringing in or other data enrichment. We can tell, for example, an ISP anywhere in the world. We can tell our user visited that ISP. Or that attacker came from that ISP. Let's lock that whole ISP out. We have a lot of interesting capabilities where we don't know if we can do that in those other tools.

>> So what's your headache of the future? It sounds like Splunk has done a lot to get you up to speed and get you to a very high comfort level now, looking down the road here, what's the next?

>> Quickly start, and then I think Ikenna wants to speak to this as well, one of the things that we need to do is we're getting better at detecting and responding. We've really focused a lot on prevention to make sure we can prevent what we can. But it's impossible to basically prevent everything, everybody knows that. You see it in the news. So we're trying to get better at detection and response. One of the shortcomings that we've noticed is that we can't always respond as humans fast enough. So we're trying to automate that, get richer information, which Splunk allows us to do, so we call them like high fidelity alerts or high confidence alerts. So if we see that, that should never happen in our environment, we'll shut that workstation down, disable that account, or cut off that subnet or something like that, so it will all be automated. And then us as a team will come back after the fact and look at it and go oh, yeah, that was good. Or oops, we made a mistake, sorry about that. And we'll bring the machine back online.

>> Yeah, apologize after.

>> After, because they move so quickly, or at least what we're seeing, adversaries move fast.

>> How about, you want to add to that?

>> I think the key, the way we look at our security program is just being on a journey, because the threat landscape changes like by minutes or days really. There's never a point where we'll say we are done. We are fully okay from a security standpoint, so we constantly look at where we need to evolve. A lot of our techs now are looking at cloud services, so we are trying to see how we can show cloud services that we use, pool their log information where we can. And I try to actually enhance what we are currently doing. There's really no silver bullet to solving the issue of security, so it's really constantly looking at where we can derive efficiencies to help our program.

>> I wanted to ask you about pricing. Are you a Splunk Cloud customer? You pay a subscription, you have a perpetual license?

>> We did the subscription to term. We're evaluating potentially moving to the cloud. It would be near the end of 2018. We're not sure how we're going to go, maybe we'll just put it in, say, one of the like AWS or Azure instead of maybe going to the cloud offered, because personally we like tweaking and doing a couple things under the hood, so there's a little more change control in cloud. At least at the moment, maybe that will change over time. But we like to be able to quickly onboard data, do all this as fast as we can when we need to.

>> And you priced, Splunk charged you by the amount of data?

>> You pay by the amount of data.

>> Okay, so my follow up is, as the amount of data exponentially, as that data curve, growth curve kind of grows, reshapes if you will, are you concerned about just the whole pricing model? Does it have to?

>> I'll take that one. So the interesting thing about Splunk, it's actually disruptive, or disruptor, or it can displace technologies within your environment. So we really try to consolidate things down and take out things that aren't needed. So in certain scenarios, we do a lot of vulnerability scanning and all that, we don't necessarily go buy the top top end product and spend a lot of money on that, we might buy something else or even use open source in the future, who knows. Get the information into Splunk and then use Splunk to do all the analysis. So we're paying like one or two percent of what a typical cost would be, and that license itself would pay for Splunk.

>> So you're getting asset leverage there.

>> Yeah.

>> It pays for the data growth.

>> As well, we're finding other benefits in the environment using predictive analysis, for example, we Splunked all of our storage, and I gave that to my boss and I go, here ya go, what do ya think? And you can predict it out a quarter, half a year or a year, and he was just ready to buy basically a million dollars of hardware and said geez, I don't need to do that. That's pretty cool.

>> So you're using Splunk as a capacity planning tool.

>> As well, yeah. We use it for many purposes.

>> Very interesting.

>> That sounds like a good year end bonus to me there, Kent. (laughter) Gentlemen, you both came down from Canada, is that right?

>> Yes, we did.

>> So my apologies for the unseasonably warm weather here, but we have the lights on, which is something you're very familiar with, right, at TransAlta. Thanks for the time, interesting conversation, glad you both could be here with us today.

>> Thanks for having us.

>> Alright, continuing more our coverage here on The Cube for .conf2017, we'll be live here in Washington D.C. Take a little break, back at 1:30 Eastern time, see you then.

Published Date : Sep 27 2017

