>> Announcer: Live from Washington DC, it's theCUBE. Covering .conf2017. Brought to you by Splunk. >> Welcome back here on theCUBE, we're in Washington DC at the Walter Washington Convention Center, day one of .conf2017, Splunk's big get together here with some 7,000 plus attendees, 65 countries, and traveled something like some 30 million miles to get here? Incredible turn out, it really is impressive, and a great day we're having here on theCUBE. Which of course is the flagship broadcast of SiliconANGLE TV. Joining me is Jeff Chancey, who is a managing director within Accenture Technology Ecosystem and Ventures. Jeff, good to see you here in Washington, welcome to town. >> Likewise, thank you very much. Excited to be here. >> Yeah, it's certainly been a great day, great first day, let's talk about your partnership, Accenture with Splunk, and what do you see the future for the partnership, how is it evolving? >> Well it's interesting you might ask that, it's probably the $64,000 question. The future of the partnership is indeed exciting. Let me kind of articulate what I mean by that. We Accenture, we're a large professional services firm, our competencies around Accenture Strategy, Accenture Consulting, Accenture Digital Technology Operations, and Accenture Security. What makes the partnership with Splunk so interesting and unique, and also very dynamic, is the fact that Splunk as a transformational data platform applies across the full spectrum of business that Accenture does. So if you can bring the power of an Accenture and our presence in the market, across all the different industry verticals, all the horizontals, and the power of a transformational data engine like Splunk together, you could say it should be a very exciting future indeed. Probably our biggest objective is to really help, in Accenture we call it rotating to the new. So rotating to new technology, and Splunk is definitely part of our agenda to rotate to the new. We are looking to help our clients become data and digital driven businesses, by leveraging the enormous volumes of data that keep exponentially getting generated every single day, through connected devices, applications, infrastructure, across the board, the Internet of Things, everything is now connected, and everything is spooling data. So, we know that our enterprise executive clients, they're all struggling with this challenge that says, "how do I not only, get value out of my data, how do I solve this challenge with the exponential generation of data, so that I don't just survive in the market, but I win?" This is really what we're after as a partnership is that step change transformational agenda, with our enterprise clients. >> So you have this budding partnership, you've talked about all these fantastic opportunities and great potentials and whatever, is it possible, can you focus on one thing that you're most excited about when it comes to the partnership? >> The one thing I would say we're most excited about right now is our security agenda. We all know where Splunk sits, in terms of the security market. Accenture Security, our very first joint market offering is the Cyberdefense Engine, formally known as, our Cyberdefense Platform. That joint market offering stands to be, really what credentializes the partnership between Accenture and Splunk in the market. Very exciting. Every customer needs to mitigate risk, they must protect their enterprises, they're breaches happening every single day, it's in the news, and Splunk is a powerful technology to help our clients protect their enterprises. So, what you want to do, with Accenture and Splunk is we want to help our clients take out cost, take out cost out of the back office, to drive up their profitability and drive down their cost to serve their customers, we want to help them protect their enterprise through security, and then we want to help them drive step change value for their customers and for them through Internet of Things, and business analytics, automating away the work, and driving that value in the market. >> You're talking about this vast array of services, that you could provide, we know about your relationship with Splunk, you've got hordes and hordes of machine data right, pouring in all the time, how are your clients putting all that together, how are -- maybe some of the innovative ways that they're pulling these various resources and sources together and putting them to use? >> What our clients and what we're observing with our clients, is, with their data, they're data tends to reside in multiple silos, within the enterprise. This is normal, this is natural. What we can help do with a powerful technology like Splunk, is aggregate that data across all the different silos and bring it together in a single view. That not only helps the operations staff, as we said before, protecting the enterprise through security, and driving that value through business analytics, real time digital marketing, using geolocation services, for example. One of our exciting offerings is in the retail industry vertical. We're leveraging the power of Splunk to understand through Point of Sale data what product is going out the door, in say, a store operations environment, and also what inventory is coming through the back door, and triangulating that with the real time rate at which product is leaving the shelves, being able to help those retail customers actually do real time order management and trigger those events in real time. because if you're a retail custoner, the last thing you want to do is have products not on the shelf that your customers want to buy, and in the case of a grocery store for example, you don't want to have, your fresh foods spoil before you have a chance to sell it. So if you can bring together the dynamics of what's going in and out of the store with customer loyalty programs and geolocations, you can actually real time target those customers when they're in the vicinity of your store, and say, "The broccoli, we're offering you a special. Come in right now -- >> (laughing) >> We'll give you 15% off of broccoli", because we know you're a customer that likes to buy a lot of broccoli. That's a really exciting -- >> Inventory's everything, right? Inventory control. In this case -- >> And really applying it to the entire supply chain, 'cause obviously, the inventory from the manufacturing side, the consumer goods and services side, has to be available, has to be in the warehouses and the distribution centers, so, optimizing that entire, call it material and product movement, from the raw material and the manufacturing all the way to the consumer. >> We've heard a line, I know you have, greater insight, greater value. How are you at Accenture and Splunk bringing that statement to life for me as your customer? >> Clearly, if we can bring the power of data transformation leveraging next generation technologies like Splunk, and I have to say, we as a partnership, we view Splunk as an emerging technology. Not emerging in the sense that it -- doesn't exist yet, I mean they've been around for over a decade now, but emerging onto the world stage to really help power the way businesses drive their business by leveraging all of that data. The secret sauce that Splunk has, is that ability to aggregate that data from multiple disparate sources, and to do that in real time. If we can drive greater insight into the customer's data, we can collectively drive greater value. Interestingly enough, the greater than sign, is a coincidence, it's part of both Splunk and Accenture's logos. >> Yeah right, you both have it working for you, don't you? You're known for vertical industry practices, is there one or a specific vertical that you can think of that maybe where you all have teamed up and that you're creating this interest or some kind of innovative solution that you're able to specifically develop and apply? >> I mentioned retail, and I mentioned security previously. An interesting area that we're getting into now, is in Health and Life Sciences, so healthcare. We want to be able to predict and prevent hospital Code Blue's before they happen. How much would you be able to do that? All of the devices, all the monitors that all the hospitals have, they're all from different manufacturers, they're all spooling data, and most of the hospital staff are using eyes on glass. To understand, we have a Code Blue, you've seen it in the movies, everybody's running to resuscitate and save the patient. What we want to be able to do leveraging Splunk is to apply machine learning and predictive analytics, to understand what the monitors tell us, that in 15 minutes this patient is likely to be a Code Blue, and how do we predict and prevent that from happening in the first place. I really can't think of anything better than figuring out how to leverage technology to save lives. >> Absolutely. Well, if I'm in need, I want you around, okay? (laughing) >> Okay, you got it. >> We got a deal. Jeff Chancey, from Accenture, thanks for being with us here on theCUBE, appreciate the time and wish you success down the road. >> Thank you very much, appreciate it. >> You bet. We'll continue here, from .conf2017, we are live, in our nation's capital, Washington DC.

>> Narrator: Live from Washington DC, it's The Cube. Covering .conf2017, brought to you by Splunk. >> And welcome back to .conf2017 here on The Cube. We continue our coverage from the Walter Washington Convention Center. Dave Vellante, John Walls, if you're wondering where we are, I mean physically, the White House is about a mile that way, and the U.S. Capitol is about a mile that way. So we're kind of sandwiched between where it's all happening, Dave. >> Yeah, I mean this exhibit hall is about a mile that way and a mile that way. (laughing) >> Yeah, if you're hungry, leave now for lunch. It's going to be a bit of a hike. We're going to talk about analytics, obviously, at this show, but with Cisco's Altaf Karim, Senior Manager of service line and product lead, so a practice lead. So Altaf, thank you for being with us here. >> You're very welcome. >> Thanks for the time. Let's talk about the Cisco network optimization service, and obviously how that comes into play with analytics, what that's all about. I know that's certainly near and dear to your mission. >> Sure. So as you mentioned, Cisco's network optimization service, it's a consulting-based service offer that we provide to hundreds of customers globally, where we're actually providing some experts in the field of Cisco products. These consultants know Cisco products in and out. Our span reaches globally in many different industries, and what we do is we really work with our customers first, our consultants work with our customers first to identify what sort of business outcomes that they're trying to achieve. These could be related to things like high availability, performance, and then really work from there to understand what types of things need to happen from an assessment standpoint, or architecture, or deployment standpoint, that they can optimize to make the most use of their network. Some of the key benefits of Cisco optimization service are increased productivity for our customers, better user experience, as well as customers who have made an investment in IT. Our consultants are able to work with them and devise a strategy on faster time to value of that investment. So those are some of the key tenets of-- >> Mr. Vellante: So this is a for-pay service, correct? >> Yes. >> Okay, and it starts presumably with an assessment, where you got to get the right people in the room, and maybe you have some automated tooling to help me do discovery, and things like that, and you're maybe looking at machine data and so forth. Take us through the life-cycle of an engagement. Where does it start? How do we engage? How does one engage with you? Where does it start and where does it go? >> Yeah, sure. So, it all starts with our consultants working with our customers first, as I said, to understand what types of business objectives are they trying to accomplish. We then essentially backtrack from there, and understand what things in the network can we control. For example, high availability, process of change management, improved performance on their network, and essentially devise KPIs and metrics that essentially back into the business outcome that they're trying to accomplish. And of course, we have a whole slew of capabilities around analytics, that our consultants bring to the table to essentially become proactive, and help the customer achieve those business outcomes. >> So it might be a customer comes to you and says hey, I'm having problems with my network. It's down too much, it's not performing the way I want. I think it's change management related, you know it probably is, but I don't know where to start. So you bring a tiger team in, and then what? You use all kinds of tooling and other expertise to surface the problem? >> Yeah, sure. So, your question actually delves into what types of KPI can our consultants provide to our customers, to show them how their network is doing, right? And so there's a couple of different ways to do this. One is, you can take a look at what data is available to you, and start to sift through that. And that can be a very cumbersome process that is lengthy. You're really looking for that needle in the haystack to try to figure out what types of insights you can find to make an impact to the business outcome. Another way to approach it is the way we do it from a process standpoint, is inwards from the customer's business outcome. What exactly are we trying to impact? Is it network performance? Is it high availability? And then, our consultants will actually come up with metrics and KPIs based on intellectual capital that our service offer has, and essentially create custom applications based on Splunk, to essentially provide those insights and views and visibility into the network, back to the customer. >> So is it fair to say that Splunk would be the primary ITOM tool, if I can use that term? Splunk doesn't really talk about ITOM, I guess, directly, but to me it's ITOM, IT operations management, but that is the primary platform that you guys would use and deploy? >> I would say that's one of the primary components. Splunk plays a very, very strategic role in how our consultants interact with our customers. So if you think about the premise behind and the value proposition behind network optimization service, is our leading-edge and world-class expertise in networking. And that's what we're known for. And so now when you think about analytics, especially proactive and predictive, you really need the right mixture in ingredients of things to come together, to provide meaningful analytics back to customers. And really, if you think about a trifecta of domain expertise, data science, as well as an understanding of potentially open-source technologies and platforms. But in this case, we're actually strategically using Splunk to play the piece of that last bit. And so what that means is we have consultants who are world-class, leading experts in networking, but we're also training them and asking them to walk a little bit in the shoes of data analysts. And, if you think about an audience or a constituent that is highly technical, quantitative-minded, Splunk is a pretty easy platform for them to learn and start to make an impact by creating custom applications, KPIs, and metrics, for their own customers, that they can use to be proactive and be preemptive, and provide those insights back to the customer. So that's the role that Splunk plays in our service. How much of your business is sort of Aspirin versus vitamin? In other words, how much is it, I got a pain point, I need a tactical solution to that pain point, versus you know what? I'm thinking about re-architecting my network, east west problem, right? Help me think that through, how I sort of transition from my legacy network to a more modernized network. How much is each of those? >> I would say they both play a pretty significant fare. Depending on where the customer is in the life cycle and what they're trying to accomplish, we certainly have a healthy dosage of customers who we work with transactionally, to architect new networks, to deploy new technology, to help them realize their IT spend in a quicker way. But then, a very significant part of our business also is, what do you do on the day two? You can build all this great stuff, right? But if you don't optimize it for peak performance, if you don't optimize it for high availability, or if it's not keeping up with your evolving needs and standards, then you might get in trouble. You're not using the most out of your network. So that's a healthy business as well. >> You mentioned KPIs. What are you tracking? And, what data matters? How do you determine what's relevant, what's not? You know, big problems, or big challenges at least. >> Yeah. That's a very important question, right? And to me, coming from a services background, it's very much rooted in knowing what your domain is about, because as I mentioned before, if you start with all the plethora of data that's available to you, and start to sift through it, you may or may not find something, right? But, our consultants work with the customer and identify what are specific things that we care to monitor, and what are specific KPI that we want to essentially do trending on, or to identify patterns around, so that we can accomplish some sort of business outcome. So for example, if you care about network performance, you're looking at metrics about capacity or bandwidth, or QOS. If you care about customer experience, you're probably, from a wifi standpoint, looking at signal strengths, looking at disassociations, how often and how quickly customers can connect to wifi networks. So really, it depends on what the customer is looking for. And our approach is that we have solid expertise in a number of networking disciplines ranging from routing, switching, wireless, data center, and others. So we have analytic service offers that go deep into each of those technology areas, and we can figure out what KPI to monitor to best achieve that business outcome, but then we also can bring all of that back together and provide that holistic network perspective, and one of the key things that we want to look at, to make sure network is operating optimally. >> Does your practice bleed into the security vector at all? Is that an adjacent area, or is that sort of a main area? >> Yeah. I would say security is paramount for our customers. For the network optimization service, it's actually an adjacent area, but it's definitely something that we work to include into all of our consultative guidance and recommendations to our customers. >> To whom do you sell, I mean, typically? When you initiate an engagement, is it a head of network? Is it a CIO level? And who do you get involved in the sort of initial meeting, and throughout the lifecycle of the project? >> Yeah. That's a really good question, and I would say that it varies depending on what types of analytics that they're also looking for. So let me give you a couple of different examples. So one example is the IT director or IT manager, who is really looking for a tool or analytics, visibility, insights, into how pieces of their network are performing so that they can achieve high availability, increase in network performance, or can better process their change management. So that's one type of buyer. But the other type of buyer is also at the CIO level, which is increasingly also more interested in using analytics to figure out where they are, and benchmark themselves against how others in their industry, or their peers, may be doing. So we've actually started to begun a lot of interesting conversations there, where some of the analytics that we can provide to our customers who opt in, is really rooted around benchmarking how they're doing in different areas such as performance, their software feature, their software or hardware or feature diversity compared to others in their own industry, and really can identify along with our consultative guidance which areas are really important for them to pay attention to, because they're doing something potentially different than everyone else in their industry. >> How about this challenge of IT networks, they're organic, they're constantly changing. So are you coming in, fixing a problem, and then I got to call you back? Or are you teaching me how to fish? >> I would say we're doing a little bit of both. So there's definitely reactive and remediation portions of our service offer. Unfortunately, that happens more than you would like, because you don't think about what to fix until something actually goes wrong. But, one of our flagship service offers, the network optimization services, is all about proactive and optimizing an existing network, so you make sure you're never getting to a place where you end up having to remediate something. And it's not just about remediation or fixing something that's broken, it's really about fine-tuning a well-oiled machine, to make sure that you're getting the most out of your IT investment. >> Yeah, but what kind of a, you talk about machine learning here, capabilities, what do you have in that vein? >> Yeah, so that's a really good question. When we start talking about proactive, and the predictive aspects of our consulting as well as our analytics, machine learning plays a pretty significant role, and I can only expect the contribution that will make to increase exponentially over time. A perfect example, one example of how we use machine learning is actually the machine learning tool kit inside of Splunk. So, if you think about our main premise behind network optimization, is to provide consulting, and provide recommendations on how to optimize the network. But when you think about what a network is, and it's a living and a breathing thing, each network is different, right? No network is the same. So, what machine learning, and especially the machine learning toolkit from Splunk, allows us to do is for a specific customer, it actually allows us to create a baseline of normalcy. What is normal for hundreds and thousands of KPIs and variables, for that specific customer? I think if we asked a human to do that, they'd probably still be going on-- (imitates gunshot) exactly, right? And so, that's an example of how we use machine learning toolkit from Splunk, and not only identifying what is normal for that customer, but then we can use supervised learning to start to identify anomalies and trends and patterns, and really begin to enable our consultants with the data and foresight around what types of things are happening on that network, so that they can in turn be proactive, and be predictive and preemptive in their exchanges with the customer. >> And these services are done on a T&M basis, or a fixed fee, or both? >> They're done both ways. We're pretty flexible, and there's a whole slew of offers outside of what I just talked about, that are available as well. >> What's typical of people? It just depends, right? >> I would say for pinpoint specific things that need to get done, they're more transactional in nature. And then when you're looking for entire lifecycle in a suite of services to help you optimize and be proactive and predictive and preemptive, that's where we have a subscription-based offer that is our optimization offer. >> Okay, and then you guys will actually, well you'll do this mostly remotely, I presume, but you go on site periodically to just impress the flesh and feel-out the culture? >> Absolutely. When we actually start an engagement with a customer, it's quite common for us to go on site, work to get to know the customer, the players, the network, understand what the business outcomes are, make sure that we're devising our deliverables in a way that actually impacts some sort of outcome, and they're not just rooted in some networking measures that don't necessarily make any impact there, right? So that's really important to us. So we definitely go on site. But of course, one of the value propositions of our offer is our intellectual capital. And when we talk about some of the analytics applications that engineers are building for a specific customer, now talk about that happening across hundreds of customers and engineers, devising new ways to create insights and visibilities in their own customer, and the sharing that happens between the engineers, so that they can bring those learning back to their own customer. >> Well, the door's open for business at Cisco, and Altaf Karim, we appreciate your time sharing with us why and how, and what you're doing, and wish you all the best of luck down the road too. Thanks for being with us here, first time on The Cube, right? >> First time on The Cube. >> Alright. >> Thank you for having me. >> You are now an alum. Welcome to the club. >> Great. >> Alright, Altaf Karim, joining us here on The Cube. We'll continue live from Washington D.C., right after this. (electronic theme music)

>> Announcer: Live from Washington, DC, it's the Cube, covering .conf2017, brought to you by Splunk. (busy electronic music) >> Welcome back here on the Cube, as we wrap up our coverage of Splunk's .conf2017, we're live in our nation's capital, Washington, DC, just kind of sandwiched between the US Capitol, which is right up there, and they have a little healthcare discussion going on, the White House about a mile and a half in the other direction, they're probably talking healthcare tonight, too, I would imagine, a little bit. We're talking Splunk. Dave Vellante, John Walls. Dave, a good couple, actually, a great couple of days here. Without getting into all the specifics, but just the range of guests that we have talking about the application of Splunk shows you about the breadth of this technology and how it's reaching to so many parts of the American enterprise today. >> Well, John, we've been talking about all week that this is our seventh Splunk .conf. The Cube started following this company pre-IPO, we've seen their rocket ship ascendancy. The kind of last several years, the stock has kind of gone sideways. The street hasn't been as sanguine as before. But it looks like new management, under the guidance of Doug Merritt, a new sales organization, has really started to put this company back on track, not that it was ever off the rails, but you can see a path to go, I mean, it's a $1.2 billion company with a $10 billion valuation, so that's nothing to sneeze at. You can see this company has the potential to really be one of the next big software players. You've seen a number of companies emerge. Salesforce was the cloud company, right? But you've seen a number of companies like Splunk emerge from sort of the mid 2000 time frame into a real powerhouse. I mean, getting to a billion dollar software company, that's a real milestone, not many make it. I'm impressed with that, they're growing at 30% plus per year. The things that we confirm this week that the traditional CIM, security, log file, digging through these log files, that's giving way and has given way to a better way, where you're reading machine data, you're able to search that and begin to automate and remediate in a proactive fashion. To a practitioner, when you talk to people around here, the Splunk way is the better way, no doubt. Now, what you've seen, and I tell you, early on in Splunk I heard from a lot of vendors, "We've got the Splunk killer." Well, Splunk seems alive and well. >> Right, it hasn't happened yet. >> Yeah, and it's because, in my opinion, they're this customer focused company that talks to customers, gets that feedback into their system, and as Doug Merritt would say, they're innovating faster than the competition. Now, there's some startups going after them, probably trying to attack their cloud model, their pricing model. But I feel like Splunk is in a really good position here. The other piece of this is the IT management component of it. You're starting to see a lot of companies really glom onto what they're doing, and what they call, I call it ITOM, they have an acronym they use, ITSI. Really bringing analytics to IT management, understanding what's going wrong, where it's going wrong, and how to remediate it. Those are really the two big use cases. The other concern that we heard from Wall Street was pricing. I don't hear that, certainly from the loyal customers. >> You've asked a lot of folks today, just what do you think, what do you like? The response has been, I'd say, fairly positive. >> Yeah, I've been pushing on the Cube, and also, at lunch, when you're not on camera, I've only really found one area of concern. Somebody in the government said, well, at the volume we're doing, it gets kind of expensive for us. But generally speaking, most users that we've talked to have said, I like that pay by the data drink model, and it's machine data, kind of log data, so it's not like massive amounts of data, although it's going to grow. One of these days it's going to be more metadata than there is data. >> John: Right. >> But I think in general, Splunk has a good handle on that, subscription models moving to a cloud model. But still, plenty of their base is perpetual model. Fundamentally, this company, I think has some significant upside. I think there's still some skeptics out there on the street, but the customer base is not skeptical, and ultimately, that, to me, is the end arbiter. If customers are happy, they're willing to spend, they see value, they're committed, the base is growing, we see 7,000 people here versus 4,000 last year, that's a 40% growth. When we first found this company, we said, this is going to be one of the next big things, along with some others, like ServiceNow, Pin Tableau early on, even though they've had some bumps in the road, guys like Nutanix, Red Hat. You talk to their customers, they're passionate, you definitely see that here. >> Let's talk about the customer focus a little bit, because that's the hallmark, right? It kind of reminds you of AWS a little bit, but, anyway, we're going to focus on the customer. We hear that from everybody who's sat down here and people we've talked to on the show floor, they have, it's a very direct relationship, it's a warm relationship. It's not customer, client, it's right here, they're sympatico. >> Yeah, I mean, I think there are different models. Andy Jassy talks about this, Doug Merritt talked about it. There's a lot of ways to skin the cat. You could be a customer focused, customer first company, where you make all your decisions based on what the customer is saying, and maybe that's an overstatement. But there's another model which is competitor focused. There's a competitor, I'm going to go kill them. There's some very successful examples of that. I mean, I would put EMC in that category, even though they're very customer focused, you cross them as a competitor, they're going to put you in their sites and shoot you. I think Microsoft has some sort of similar characteristics there, you saw Microsoft decimate its competitors in the past. I would say Oracle, in that sense. Not that these companies don't care about their customers, of course they do. But they're fanatical about the competition. >> John: The competition, right, right, right. >> I think companies like Splunk, I think they are concerned about the competition. They don't ignore it, same with AWS. But if you put the customer first, do right by the customer, good things happen, and it's a good philosophy. >> Right. Going forward now, I mean, Splunk is a company that's based on change, right, it's all about transformation, it's all about speed and providing these services. I mean, what do they have to do, in your mind, the next 12, 18 months to really separate themselves and take that quantum leap off the 1.2 where they are now, to get to that maybe $4 billion or $5 billion level? >> Number one is, don't screw it up. I mean, OK, that's obvious. >> Good rule. >> But I think the second thing is, the TAM expansion. One of, I think, Doug Merritt's big challenges is, how do they expand their TAM beyond those two core areas, security, obviously, huge area, and just sort of IT operations management, or again, what I call ITOM, they don't use that term. How do they grow beyond that? Where do they grow? I think there's a couple of ways to think about that. One is, I mean, Splunk is, it can be, it can start delivering apps that are very deep, that's what it's doing around security. You saw ransomware applications, for example, going depth. As a platform, Splunk has breadth. But they don't sell the platform per se. They really, what they do is they sell the solutions around that platform. The platform is there, though. To me, Splunk could become a big data development platform. What I want to see is I want to see this ecosystem grow dramatically. I think that's, for them to get to 5 billion, this ecosystem has to explode. I think they have to start becoming a developer outreach, developer friendly company, so that the ecosystem can innovate on behalf of that platform. They have a very powerful platform. It's like George and I were talking about this morning, it's Hadoop like in it's a big data pipeline, but it's integrated and it's a lot simpler. To us, Splunk can start expanding its TAM by building out applications with its ecosystem on top of that platform. I think that's an interesting challenge. We've tested that a little bit here. Splunk's shy about going there, they haven't gone there yet. I think they have to be careful, because you don't want to scare away the ecosystem either. I mean, remember Microsoft, their timing was good. >> You know what your sweet spot is, too. You can't leave your core. >> Yeah, you don't want to lose that. Like I said, they don't want to screw it up. >> You've got to take care of your core. >> Security's a big market, no question about it, as is the IT ops market as well. But there's a lot more runway. If they're going to get to be a $5 billion or a $10 billion company, it's unquestionable that they're going to bump into the other big platform players. >> Right, right. What's the horizon for something like that? I mean, it's not a 12 month play, right? I mean, you're talking about-- >> No, I think it's a five year vision. But it has to start to unravel over the next 12 to 18 months, in my view. A few things I would look for is, again, expansion of the ecosystem, ie, number of partners, the substance of those partnerships and then purposeful, deliberate developer outreach. I'd love to see these guys do a little dev con within .conf to see who shows up. Again, they don't play up their developer tools in a big way, they're not really, little hackathons going on here, there may be, but they're not front and center, no hackathon award winners that we're interviewing on the Cube. It'd be interesting to see what would happen if they released some low code SDKs. Have a little, I'd like to see them test the water there to see who comes out. I bet you they'd be oversold. >> John: Right. A lot of cool T-shirts, though. >> A lot of cool T-shirts. It's a fun company, too. >> It is, no, it is. >> That's the other thing. I mean, this is geek fest, right? There's a lot of great, fun, senses of humor, there are self deprecating, funny T-shirts. I think we're the only two guys that I've seen in here all week with ties on, as a matter of fact. >> Usually the only one. >> Well, just, I know I was being with you and I had to dress up for the occasion. Really enjoyed it. Great working with you. >> John, thank you, it's been a pleasure. >> Dave Vellante, here on the Cube. He gave you the playbook, Splunk, now just follow it and let's see where you are five years from now, right? He was there for you. We're done, .conf2017 wrapping up our live coverage here on the Cube. It's been great having you along for the ride, so, so long from our nation's capitol. (busy electronic music)

>> Announcer: Live, from Washington DC, it's theCube. Covering .conf2017 Brought to you by splunk. >> Welcome back inside the Walter Washington Convention Center. We're at .conf2017 in Washington DC, the nations capital, it is alive and well and thriving. A little warm out there, almost 90 degrees. But hot topic inside here, Dave. >> There's a lot of heat in this city. (laughter) >> A lot of hot air. >> Yeah, absolutely. >> We'll just leave it at that. Politics aside, of course. Joining us is Ben Miller, who is Director of High Thoughput Screening at Recursion Pharmaceuticals. Ben, thanks for being with us here on theCube. We appreciate the time. First off, I have many questions. First off let's talk about the company, what you do, and then what high throughput screening means, and how that operation comes into play when you have this great nexus of biology and engineering that you've brought together. >> Recursion Pharmaceuticals is treating drug discovery as a facial recognition problem. We're applying machine-learning concepts to biological images to help detect what types of drugs can rescue what types of diseases. We're one of the few companies that is both generating and analyzing our own data. As the director of the high throughput screening group, what I do is generate images for our data science teams to analyze, and that means growing human cells up in massive quantities, perturbing them with different types of disease reagents that cause their morphology to change, and then photographing them in the presence of compounds and in the absence of compounds. So we can see which compounds cause these disease states to revert more to a normal state for the cell. >> Okay, HTS then ... Walk us through that if you would. >> HTS is a general term that's used in the pharmaceutical industry to denote a assay that is executed in very large scale and in parallel. We tend to work on the order of multiples of 384 experiments per plate. We're looking at hundreds of thousands of images per plate, and we're looking at hundreds of plates per week. So when we say high throughput, we mean 6-10 terabytes of data per day. >> Just extraordinary amounts of data. And the mission, as we understand it, you're looking at very rare genetic diseases, your goal is to find cures for these over the next 15-20 years. Up to 100 of them, so that's why you're going through this multiple examinations of vast amounts of data. Human data. >> Yeah, there's been a trend in the pharmaceutical industry over the last years, where the number of dollars spent per drug developed is increasing. And it now takes over one billion dollars to bring a drug to market. And every year it costs more to bring a drug to market. We believe we can change that by operating at a massively parallel scale and also analyzing image data at a truly deep level. Looking at thousands of different features per image, instead of just a single feature in the image. >> That business is just like this vicious cycle going on, and you guys are trying to break it. >> Yes, exactly. >> So what's the state of facial recognition been? I've had mixed reviews about it. Because I rave about it, I go, "Oh my God, "Facebook tagged me again, it must be really good." And then other's have told me, "Well it's not really "as reliable as you might think." What is your experience been? >> The only experience I've had with facial recognition has been like yours, on Facebook and things like that. What we're doing is looking more at cellular recognition. Being able to see differences in these cellular morphologies. I think there are some unique challenges when you're looking at images of thousands of cells, versus images of a single person's face. >> Okay, so you've taken that concept down to the cell level and it's highly accurate, presumably. >> It's highly reproducible is what I would say, yeah. >> So it takes some work to be accurate, and once you get it there you can reproduce that, is that right? How does the sequence work? >> Yes, so there are two parts to the coin. One is how consistently we can produce these images and then how consistently those images represent the disease state. My focus is on making the images as consistent as they can be, while realizing that the disease states are all unique. So from our perspective, we're looking at thousands of different features in each image, and figuring out how consistent those features are from image to image. >> So paint a picture of your data stack, if you will. Infrastructure on up to the apps, and where splunk fits in. >> Sure. So I guess you could say that our data stack actually begins at hospitals around the world where human cells are collected from various medical waste samples. We culture those up, perturb them with different reagents, add different potential drugs back to them, and then photograph them. So at the beginning of our stack we've got biological agents that are mixed together and then photographs are generated. Those photographs are actually .tif files, and we have thousands and thousands of them. They're all uploaded in to Amazon Web Services, their S3 system. We spin up a near infinite number of virtual computers to process all of that image data within a couple of hours. And then produce a result. This drug makes this disease model look more like healthy and doesn't have other side effects. We're really reducing those thousands of dimensions in our image down to two. How much does it look like a healthy cell, and how much does it just look different then it should. >> And where does splunk fit into that stack? >> All of those instruments that are generating that data are equipped with splunk forwarders. So splunk is pulling all of our operational data from the laboratory together, and marrying it up with the image analysis that comes from our proprietary data analysis system. So by looking at the data that we're generating, how many cells we're counting, how bright the intensity of the image is, comparing that back to which dispenser we used, how long the plates sat at room temperature, et cetera. We can figure out how to optimize our production process so that we get reliable data. >> It's essentially storing machine data in the splunk data store. And then do you have an image database for ...? >> Yeah. And the image database is incredibly large. I wouldn't even guess at the current size. >> Dave: And what is it? Is it something on Amazon, an Amazon service? >> Yeah. So right now all of our image data is stored on AWS. >> This is one of those interviews Dave that the subject matter kind of trumps the technology because I want to know how it works. But you need the technology obviously to drive it. So I'm trying to figure out, "Alright, so you're taking "human cells and you're taking snapshots in time, "and then looking at how they react "to certain perturbed actions." But how does that picture of maybe one person's cell reacting to a reagent to another person's ... How does your data analysis provide you with some insight because Dave's DNA is different from my DNA, different from everybody in this building, so ultimately how are you combing through all of that data to make sense of it. >> That's true. Everybody has a unique genetic fingerprint, but everybody is susceptible to the same sets of major diseases. By looking at these images, and really that's the billion dollar question, is how representative are these individual cellular images, how representative are they of the general human population? And the effects that we see at a cellular level, will they translate in to human populations? We're very close to clinical trials on several compounds, but that's when we will really find out how much proof there is in this concept. >> Okay. You can't really predict ... Do you have a timeframe or is just sort of, "Keep going, keep getting funding until you reach the answer?" Is it like survive until you thrive? >> I personally don't maintain that kind of timeline. My role is within the laboratory producing the data as quickly as we can. We do have a goal of treating 100 different diseases in the next 10 years. And it's really early days, we're about 2 1/2 years in to that goal. It seems like we're on track, but there's still a lot of work to be done between now and then. >> So it's all cloud, right? And then splunk is throughout that stack, as we talked about. How do you envision, or do you envision, using it differently? Are you trying to get more out of the splunk platform? What do you want to see from splunk? >> That's a good question. I think right now we're using really the rudimentary basic features of splunk. Their database-connect app and their Machine Learning Toolkit are both pretty foundational to the work that we do. But right now a lot of our data models are one time use. We do a particular analysis to find the root cause of a particular problem, we learn that, and that's the last time we use that model. Continuous implementation of data models is something that is high on my list to do. As well as just ingesting more and more data. We're still fairly siloed. Our temperature and humidity data is separate from our machine data, and bringing that all into splunk is on the list. >> Why are your models disposable? It sounds like it's not done on purpose, it's more of some kind of infrastructure barrier? >> We're really at the cutting edge of technology right now, and we're learning a lot of things that people haven't learned, that in retrospect are obvious. To figure out the true cause of a particular situation, a data model or a machine-learning model is really valuable, but once you know that key salient fact, you don't need to keep track of it over time. You don't need to know that when your tire pressure is low your car gets less miles to the gallon. >> David: You have the answer. >> Right. But there are a lot of problems like that in our field that have not been discovered yet. >> I inferred from your answer you do see the potential to have some kind of ongoing model evolution. For new use cases? >> In the extreme situation we have a set of hundreds of operational parameters that are going into producing this image of cells. And then we have thousands of cellular features that are extracted from that image. There's a machine-learning problem there. What are the optimal parameters to extract the optimal information? And that whole process could be automated to the point where we're using machine-learning to optimize our assay. To me that's the future of what we want to do. >> Were you with Recursion when they brought in splunk? >> Yeah. >> You were. Did you look at alternatives? Did you look at maybe rolling your own with open source? Is that even feasible? Wonder if you could talk about that. >> I had already been introduced to splunk at my previous job, and at that previous company, before I heard of splunk, I was starting to roll my own. I was writing a ton of Perl scripts, and all of these regular expressions, and searching network drives to pull log files together. And I thought that maybe there would be a good business model behind that. >> You were building splunk. (laughter) >> And then I found splunk, and those guys were so far ahead of things I was trying to do on my own in a lab. So for me it was a no-brainer. But for our software engineering team, they are really dedicated to open source platforms whenever possible. They evaluated the ELK Stack. Some of us had used Sumo Logic and things like that. But for me, splunk had the right license model and I could get off the ground really really rapidly with it. >> What about the license model was attractive to you? >> Unlimited users, and only paying for the data that we ingest. The ability to democratize that data, so that everybody in the lab can go in and view it and I don't have to worry about how many accounts I'm creating. That was really powerful. >> Dave: So you like the pricing model. >> Yeah. >> Some users have chirped about the pricing, I saw some Wall Street concerns about the pricing. The guys that we've talked to on theCube today have said, "They like the pricing model, that there's value there." And you're sort of confirming that. >> Ben: Yeah. >> You're not concerned about the exponential growth of you data causing your license fees to go through the roof >> In the laboratory, the image data that we're generating is exponentially growing, but the operational parameter data is more linearly growing. >> Dave: So it's under control basically. >> Yeah, for our needs it is. >> Dave: You're not paying for the images, you're paying for the meta data around that. >> Yeah. >> Well it's a fascinating proposition, it really is. Very eager to keep up with this, keep track, and see the progress. Good luck with that. Look for having you back on theCube to monitor that progress, alright Ben? >> Great. Very good, thank you so much. Ben Miller joining us from Salt Lake City, good to have you here. Back with more on theCube in just a bit. You're watching our live coverage of .conf2017. (upbeat innovative music)

>> Narrator: Live, from Washington D.C., it's theCUBE. Covering .conf2017, brought to you by Splunk. >> Well, welcome back to .conf2017. Here we are at Splunk's annual get together, with Dave Vellante, I'm John Walls. We are live in the Walter Washington Convention Center, in beautiful Washington D.C. I say that, proud to be a native. Actually raised here, lived here, fly the flag here. >> Wow. >> This is my place, Dave. >> Listen, I love this city. >> I do too. >> I love coming down here. Lots to do, my son's down here, so. >> But if we weren't here, where should we be, maybe on the deck of a Carnival cruise line ship right now? >> That would be good. >> I would like that. >> I would love to have theCUBE on the deck of a Carnival >> Maybe, maybe Ruel Waite can swing that. What do you think? Ruel Waite joins us. He is the manager of delivery and support for Carnival. And you got room for two on the next ship out of Miami? >> Listen, man, for you guys anything. >> I love that. Alright, you're hired. >> I can make it happen. >> Outstanding. Alright Ruel, thanks for being here with us. >> No problem. >> On theCUBE, glad to have you, and here at the show as well. Alright, so let's talk about first off, Splunk. What are you doing? Let's back up, in terms of what you do. Your core responsibilities and then we'll get into Splunk story after that. >> Yeah, so I manage the support operation for our ecommerce platform, as well as for the guest facing ship board application. So the ecommerce platforms is where you go and purchase your cabin on the web. You would also be able to purchase your show excursions, your spa treatments, as well. Or we have an e-retail site where if you have a friend who's sailing you can buy a bottle of champagne and have it in their room for when they get there. So all those purchasing perks now that we support on the ecommerce platform. And then the guest facing application, Shipboard, we're talking 'about the mobile application where guests chat and interact with each other or plan their day. We're talking about the Pixels application where guests are purchase their photos that they take throughout their cruise. And their some facial recognition stuff there as well. And the iTV that's in your room. So we have a separate, many different sort of applications that fit under that portfolio. >> Let's talk about the data. >> Yes. >> A lot of data that you just created. >> Right? >> Yup. >> What's the data pipeline look like, where does Splunk fit? >> We Splunk as much as we can and we're continuing to build that as we go. Our application logs are Splunk, everything we produce from the application. Also our performance metrics from our servers and our data and our network, and all those systems, we Splunk that because that's critical for us to triage issues that occurring. Because our operation is about monitoring what's happening, it's about resolving issues as quickly as possible, and it's about communicating to our business. So those three things are data essential to all of that. So we need to get as much as we can and we need to be able to get insights into it. >> Can you talk about where you started, you had mentioned off camera about four years ago, and how you've been able to inject automation into your processes and just take us through your journey. >> Yeah, so we started a few years ago with Splunk, and it was primarily a triage tool for us. So an incident would occur, we'd try to get it, and look at some logs, figure out what's going on. And as we've evolved it's become more of a proactive alerting tool for us, it's become a communication tool, a collaborative tool, for us. You know, we leverage things like the ITSI, right. That allows us to understand the base line behavior of our system. Once we base line that then we can understand the spikes, we can understand when things are changing, and that allows us to react and quickly identify things, defects in our system, things that are occurring, and resolve them. So once we kind of got our legs around okay, we get how to use Splunk to find stuff, now let's figure out how to get Splunk to tell us stuff. >> Okay. >> Right? And now once Splunk is telling us stuff, let's figure out how we tell the business that stuff. So that's kind of how we the journey we've had with Splunk. >> And Splunk's in that thread the whole way? >> The whole way. >> So from, >> The whole. >> So, ultimately then, right now what are you putting into practice that you didn't have available >> Yeah, sure. >> two, three years ago? >> Yeah sure, so one of the challenges we had was, with a typical ecommerce site you have several layers of the application, right. You have your web server, you have caching infrastructure, you have a database server, yet we have a mainframe reservation system as well. So there are several things involved with supporting all those different platforms. Now when we have an incident, it's sometimes challenging to, you know you get somebody on the phone, you're like hey what are you seeing over there on the mainframe side? Well I see this error occurring. Oh and the database side they're telling you okay, we're seeing some sort of timeout here, but we're not sure if it's related to the same thing you're talking about. And we didn't have a way to tie it together. But by using Splunk Transactions what we decided to do was we decided to log the session ID, the web servers session ID across all our layers, right, and push that through, and that allows us to tie those transactions together across those layers. And now when we have an incident we're able to, when we're talking to the mainframe we're saying hey guy, hey go look at this. And he say here's what I'm seeing. >> You can isolate it? >> We can isolate it, we can pull it together, and it's really helpful. >> So will you get to the point, or you were trying to get to the point, where you can automate the remediation? Or is that something you don't want to do 'cause you want humans involved? >> You know, automation is good. And whatever we can automate we try to do that. At this point we're not automating the resolution through Splunk at this time, but what we are doing is we are providing the on call, or the engineer that are responding with as much information as we can in order to have them quickly flip that switch. So if we have an alert that we know, hey this issue requires a recycle of an application pool, or some kind of other action like that, we can put that in our Splunk alert. And we say hey we're seeing this issue occur. That email and that text message that goes out actually tells the engineer that these are the suggested actions that you can take in order to quickly resolve this issue. >> Ruel, what are you hearing from the business side? What are the business drivers and how is that effecting what you're doing in IT generally, and specifically with data and Splunk? >> Okay so from business side we're looking at most bookings is the one of the major metrics that we look at. And our guest experience. So and on the web that means the site needs to be available, it needs to perform, and it needs to work. So what we really are trying to do with Splunk is understand those issues that are impacting our guests on the booking side. What that means is we need to know how well we're converting. And if we're looking at homepage performance, and we can now tell hey if our homepage loads in five seconds verses three seconds, there are how many fewer people make it to our payment page, which is huge for us. So that's something that we really try to hone in on. And it really helps us to collaborate with the business and understand, really, what is the revenue impact of these IT metrics that we're spitting out. >> But there could be other factors involved in that too, >> Yes. >> other variables, right? >> There are. >> You can't just you know this is, but you have enough of a track record the are a couple reasons to say okay, five seconds means this, we get a 30% conversion rate. We get three seconds, man, we got 'em hello, and, now we have a 50%, whatever. >> Yeah, but that is where, what I'm excited about at the conference is the machine learning capabilities that we've been hearing about. 'Cause that will allow us to then model how those different factors that go into when someone goes from the homepage to payment, you're totally right. There's several things that go into that. And what we want to be able to model, hey, on a normal day here's our guest behavior, whether we have a sale, how do our guests behavior differently, or on a Monday night at eight PM what is the behavioral trend. So it's all important to us. And getting the data behind it and being able to model that is going to be really key for us. >> Connect the dots for me on >> Yes. >> how you use machine learning, and how will that affect the business? You'll make different offers at different times, or? >> So what I mean is if I understand how guests behave I will know if I'm having an issue on the site. If there's something happening that's impacting their ability to book. 'Cause sometimes you do a release, you do your quality control, and then you go home, everything looks good. And sometimes hours later, sometimes days later unfortunately, something pops up that you introduced during that release. And understanding what that baseline is, right. So what Splunk has allowed us to do is say okay, here's what normal behavior is. And we're trying to grow this more, but what we've been using ITSI to say here's what that behavior really is. Based on what we kind of know are the metrics around booking. Here's what that behavior is. And we do a release and we see a spike, a change, and now we're able to say wait a minute, we never saw this error before. This error never existed in our system at any point. That was definitely something that was introduced right here in this release, we need to go ahead and resolve this as well. And sometimes you get some false positives there, if your development team is doing change the way they log a little bit you might get a spike. But that's cool because you get to go in immediately and figure out what those changes are, and you get a comfort level that you kind of understand how your system works. >> Let me ask you another question. You got some experience with Splunk. >> Yes. >> Obviously, you were just working with them. What, in your mind, is on their to do list? What do you want to see out of them? Doug, if I'm Doug. Tell me, where should I go, what should I do. >> What do I want Splunk to do. >> Any gripes, give me the good, the bad, and the ugly. >> For me, it's performance, performance, performance. I want to see my queries run as quickly as possible. I want to see things fast. I want to hit the button and it happens right away. Now obviously that's not going to, that's not realistic. But I like what some of the things that Splunk are doing. You look at the new metrics index that they've been talking about the last two days. So they've now isolated your time serious data and they're able to optimize the searches on time serious data seperate from your application logs. So, you know, your CPUs, your memory consumption, that data is not the same as your logging an error, or logging that a booking was created, or something like that. Those are kind of two different things. So they have kind of decoupled that and they're saying anything that's time serious I'm going to put it over here. And I'm going to optimize that query, and then you can handle your other logs separately. But the additional benefit of that is then you can take your time serious and you can look at a CPU spike and then you can take your event data and overlay it on top. And then you can see, hey wait a minute, this event is what caused that spike. So that's where the cool is. >> I think they call that mstats. Is that right, mstats? >> Yes, it's mstats, yes. >> How 'about the stuff that you saw this week in the keynotes, particularly today was the product stuff. A lot of security obviously. Anything that you've seen here at the show that excites you, that you really said alright, I got to have that, I got to learn more? >> Yeah, so the ITSI event analytics really seems like something's going to be cool for us. As I've said before, we utilize ITSI internally. So we put together a glass table that's shows us here are all the different components and the hierarchy of things. And when this goes red it effects these other layers. And it's really cool. But what they've added in is the ability to click a button and drill in to those components and then you have a view of hey, here are the events associated with that. That's really cool because now you're triaging in one place, now you get to the problem really quick. And you can emote directly into your Splunk queries. It really allows what we're looking for is just to resolve issues as quickly as possible. >> And you're describing, if I understand this correctly, you can visualize the dependencies, and you can take remedial action or identify, inform the business what to expect. >> Exactly. >> Be much more proactive, that's what people are talking about. >> Yeah, yeah. And we found that one of the surprising things we found with Splunk is that our business are users of Splunk as well, right. So it's always an IT tool, it's something that only the geeks are going to look at. And then all of a sudden you present a dashboard to a business user and they go ah. That's pretty, right. And then all of a sudden they want it more than you do. So that's what makes it great right, 'cause you can present the data however you want and you can put it in a way that different audiences can consume. And so it becomes a platform that goes across the organization, which is really, really cool. >> John: But your bottom line's all speed right? >> Yes, yeah. >> Take care of my problems faster, get my customer faster, deliver faster, come on Splunk. >> Come on, let's go. >> We want to go. >> Brings the weekend faster. >> Right, right. >> Get more sleep, get more sleep. >> Ruel, thanks for being with us. >> Oh. >> We appreciate that. >> And, we'll talk about the cruise. Leonard Nelson, our producer over here already said book him for a massage, the presidential suite. He wants one night, and then the champagne buffet please. >> It's done. >> Fast internet, though. >> Yeah. >> Fast internet, yeah. It's done. >> Alright. We're simple people, we don't need all that, but we'll talk later. >> Alright man, appreciate it, thank you. >> Thank you for being with us. Ruel Waite joining us from Carnival. Back with more from Splunk, .conf2017. 2015, where did that come from? 2017, it's been a long day. (upbeat music)

>> Narrator: Live from Washington D.C., it's theCUBE. Covering .conf2017. Brought to you by Splunk. >> Well welcome back here on theCUBE. We continue our coverage of .conf2017, we're in Washington D.C. Along with Dave Vellante, I'm John Walls. And Dave, you know what time it is, by the way? Just about? >> I don't know, this is the penultimate interview. >> It's almost five o'clock. >> Okay. >> And that means it's almost happy hour time. So I was thinking where might we go tonight, so-- >> There's an app for that. >> There was, and so I looked. It turns out that the Penny Whiskey Cafe is just two tenths of a mile from here. And you know how I knew that? >> How's the ratings on that? >> We got four. >> Four and half with 52. >> 52 reviews? >> Yeah, I feel good about that. >> Yeah, that's pretty good. That's a substantive base. >> I feel very solid with that one. We'll make it 53 in about a half hour. Of course I found it on Yelp. We have a couple of gentlemen from Yelp with us tonight. I don't have to tell you what Yelp does, it does everything for everybody, right. Zach Musgrave, technical lead, and Chris Gordon, software engineer at Yelp. Gentlemen, thanks for being here. And U can join us, by the way, later on, at the Penny Whiskey if you'd like to. First off, what are you doing here, right, at Splunk? What's Yelp and Splunk, what's that intersection all about? Zach, if you would. >> Sure, well Yelp uses Splunk for all sorts of purposes. Operational, intelligence, business metrics, pretty much any sort of analytics from event driven data that you can really think of, Yelp has found a way, and our engineers have found a way to get that into Splunk and derive business value from it. So Chris and I are actually here, we just gave a breakout session at .conf, talking about how we find strong business value and how we quantify that value and mutate our Splunk cluster to really drive that. >> Okay. >> So, so how do you find value then, I mean, what was? >> It's hard. Chris was one of the people who really, really drove this for us. And when we looked at this, you know I once had an engineer who came up to our team, we maintain Splunk amongst other things, and the engineer said can I ingest 10 terabytes of data a day into Splunk and then keep it forever? And I said, um, please don't. And then we talked a bit more about what that engineer was actually trying to do and why they needed this massive amount of data, and we found a better way that was much more efficient. And then where we didn't need to keep all the data forever. So, by being able to have those conversations and to quantify with the data you're already ingesting into Splunk, being able to quanitfy that and actually show how many people were searching this, how's it being used, what's the depth of the search look like, how far back are they looking in time. You can really optimize your Splunk cluster to get a lot more business value than just naively setting it up and turning it on. >> So you weren't taking a brute force approach, you were smarter about that, but you weren't deduping, you were identifying the data that was not necessary to keep, did I get that right? >> Correct. Yeah, we essentially kind of identified what are highest cost per search logs, which we basically just totaled up how many times each log was searched, and then tried to quantify how much each logs was costing us. And then this ended up being a really good metric for figuring out what we'd want to remove or something that was a candidate for dislodging the data somehow. >> So, you guys gave a talk today. We were talking off camera about pricing, that's not something you guys get involved in, but I would categorize this as sort of how do you get the most out of that asset, called Splunk, right. Is that sort of the >> Exactly. >> theme of your talk, right? >> Yeah. We talk a lot about expected value amongst our team, and in the talk we just gave. And we don't ever think about this as, oh do this so that you can spend less money on Splunk or on your infrastructure that's backing Splunk. Think about is more as we have this right now and we can utilize it more effectively. We can get more value out of what we already have. >> Okay, so, I wonder if we could just talk a little bit about your environment. We know you run on AWS. How does that cloud fit in with Splunk, paint a picture for us, if you would. What does it all look like? >> Yeah, so we have two clusters actually. One is the high value, high quality of service cluster, it's the larger generic, we call it generic prod, and then we have another one, where we kind of have our more verbose, maybe slightly less valuable per log cluster. And this runs on a D2, which is just instant storage. And then the higher performance cluster runs all on a GP2. So it's basically just SSDs. And we also do, we also have four copies of each log and we have two searchable copies of each log, so it's pretty well replicated. >> Dave: Okay, so that's how you protect the data. >> Yeah. >> Is to make copies, in what, in different zones, or? >> Yeah, we have two copies of each log in each availability zone, and then one searchable copy of each log in each availability zone. >> And you guys are cloud natives, all cloud, just out of school and graduate school. So you talked about infrastructure as code. You don't do any of that on-prem stuff, you're not like installing gear. And so it's not part of your lexicon, right? >> No. >> Okay. So I want to do a little editorial thing. Kristen Nicole, our managing editor, sent the note around today saying 101s get the best traffic on the website. So I want to do a little DevOps 101, okay. Even though, it's second nature to you, and a lot of people in our audience know what it is. How do you describe DevOps? Give us the 101 on DevOps. >> Okay so, DevOps is a complicated thing, but and occasionally you see it as like a role on like a job board or something. And that always strikes me as odd, because it's not really a role. Like it's a philosophy moreso. The way that I always see it, is it used to be like pre DevOps, was the software developers make a thing, and then they throw it over the fence, and operations just picks it up. And they're like well what do we do with this, and deploy it, okay, good luck. And so with this result in a sort of an us against them mentality, where the developers aren't incentivized to really make it resilient, or really document it well, and operations and the sys admins are not incentivized to really be flexible and to be really hard charging and move quickly, because they're the ones who are going to be on call for whatever the developers made. DevOps is a we, instead of an us verses them. So for example, product teams have an on-call rotation. Operations and sys admins write code. There are still definitely specializations, but it all comes together in a much more holistic manner. >> Okay, and the ops guys will write code, as opposed to hacking code, messing up your code, throwing it back over the fence, and saying hey your code doesn't work. >> Exactly. >> And then you say well it worked when I gave it to you. And then like you said that sort of finger pointing. >> We are totally done with works on my machine, it's over. No more. >> Okay, and the benefits obviously are higher quality, faster time to market, less food fighting. >> Yup, exactly. In the old model you'd have a new deployment of like a website like maybe once a week or maybe even once a month. Yelp deploys multiple times everyday over and over again. And each one of those is going to include changes from a dozen different engineers. So we need to be agile in that manner, just like with our Splunk cluster. >> I mean you guys are relatively new, four years and two years, perspectively. But these days it's a long time. How would you describe your Splunk journey. Where did it start and where do you want to take it? >> I would say it started, you actually had Kris Wehner on here last year, and he talked a lot about it. He was the VP of engineering at SeatMe. And he kind of got Yelp onto the whole Splunk train. And at that point it was used mostly by SeatMe and everyone at Yelp was like oh this is fantastic, we want to use this. And we started basically migrating it to our VPC. And have generally, we're starting to now get everything going, get all the kinks worked out, and really now we're trying to see where we can provide the most value and make things as easy as possible for our developers to add logs and add searches and get what they need out of it. >> So what kind of use cases are you envisioning, and where are you getting value out of it? >> So we have our operations teams get a lot of value out of it when there's some outage happening. And it's really useful for them to be able to just look at the access logs and see what's going on. And Splunk makes that very easy. And we also get a lot of value out of Yelp's application logs. Splunk has been great for figuring out when something's not right. And allowing us to dig in further. >> So yeah, at the end of the day, as consumers, what does this mean to us, ultimately? Like our searches are faster, searches are more refined, searches are more accurate? What does it mean to me at the end of the day that you're enabling what activity through this technology. >> Dave: Yeah, it'll be more secure? >> Yeah, what does it mean? >> As an end user of Yelp? >> Yes. >> So, I'll give you one example that always sticks out in my mind. So I don't know if you all know this, but you can actually do things like order food via Yelp, you can make appointments via Yelp, even with like a dentist. You can beauty appointments, all sorts of personal services. >> Hair salon came up today actually, when I was looking for a bar. >> Absolutely. That's not supposed to happen. >> Dave: Well that was the Penny Whiskey Cafe. >> You never know, but what ever's next door I don't know. >> Can you get a haircut while you drink? >> Hair salons in the District are pretty impressive. >> I wasn't planning on it, no. But anyway, I'm sorry. >> Anyway, so we work with a lot of external partners to enable all these different integrations, right. So you press start order, and then eventually you see the menu, and then you add some stuff to your cart, and then you have to pay. And so if you haven't given us your credit card information yet, then you have to enter that, and that has to go to a payment processor, the order of course has to go out to the partner who's going to fulfill your order, and so on. So there's this pipeline of many different micro services plus the main Yelp application, plus this partner who's actually fulfilling your order, plus the payment processor, and so on, and so on. And it ends up with this really complicated state machine. So the way that actually works under the hood, to be very simplistic, is there's a unique order identifier that is assigned to you when you start the order. And then that passed through the whole process. So at every step in this process a bunch of events are emitted out of the various parts of the pipeline and into Splunk, where they're then matched to show that your order is progressing. And the order didn't get stuck. Because you know what's really sad is when you order food and it doesn't show up. So we really have to guard against that. >> Yeah, we hate that. >> Yeah, everybody does. So it's really important that we're able to unify this data, from all these different places, Splunk's really great for that, and to be able to then alert on that and page somebody and say hey, something's not quite right here, we have hungry folks. >> So while I have the smartest guys that we've interviewed all week here, you mentioned, >> Please. You mentioned, aw shucks, I know. You mentioned state machine. Are you playing around with functional programming, so called server lists, probably don't like that word either, but what are you doing there? Are you finding sort of new applications in use cases for so called server lists? >> I would say not so much. I don't know, is anyone at Yelp doing that? >> Yeah, there's some Lambda stuff going on. Like core back end is doing that work right now. A lot of our infrastructure is actually build up before the AWS Lambdas were a thing. So we found other ways to do that, and we have this really cool internal platform as a service, it's a docker, and some scheduling stuff on top of that. So a lot of things, like it's really easy to just launch a batch job in there. And it takes away some of the need for the true server lists. >> Well the reason I ask is because people are saying a lot of the state list IoT apps are going to use that sort of Lambda or homegrown stuff. And I'm not sure what the play is for Yelp in Internet of Things. I would imagine there's actually a play there for you guys though, and I'm curious as to the data angle, and maybe where Splunk might fit in. >> I'm certain that we're going to be using Splunk to read data from all of those different components as they're being launched. I know that there's been a couple early forays into the Lambda space that I've seen go by in code reviews and everything. But of course, with Splunk itself we can get data out of those. So as that happens, like we already have all our pipe lining set up. And it'll be pretty easy for them to analyze their self with Splunk. >> What gets you young folks excited these days? What keeps you enthralled and passionate? What do you look for? >> I don't know I think just in general anything that empowers you to get a lot done without having to fight it constantly. And general DevOps tools have been getting really good at that recently. And yeah, I would say anything that empowers you, gives you the feeling that you can do anything really. >> Yeah, all of the infrastructure is code stuff that's going on right now. So one of the pipelines that we use to get data out of Amazon S3, but it passes notifications through this S3 event notifications to Amazon SNS, to Amazon SQS, to our Splunk forwarders. And so that's a very complicated pipeline. And you have to set it all up, it works really well, but here's the cool part. That's all defined in code. And so this means that if you set up a new integration there's a code review. And we have some verification and validation that it's correct. And furthermore, if anything goes wrong with it, we can just hit a button and it recreates itself. That's what gets me happy. When tools get in my way that's not so good. >> Well and it just leaves more time for higher value activities and that's exciting. the transformation in infrastructure over the last five years has just been mind boggling. So, thanks you guys. >> It does. It does give me a lot of pleasure when something can go catastrophically wrong, and then just like, oh wait, it's self healing, all it can take is give three plays fine. And we're all dandy. >> Well to Dave's point, while I was off camera I did a search on the two smartest guys in the room. And it said one is six feet away the other one is seven feet away, so Yelp works, I mean it really does. But thanks for the time. It's been interesting. Next generation, right? So far over us. >> Yeah, I know. It's kind of depressing, but I love it. (laughing) >> Very good, thanks guys. >> Thank you so much. >> Back with more, here on theCUBE at .conf2017. We are live, Washington D.C. >> Dave: I've kind of had it with millennial. (upbeat music)

>> Announcer: Live from Washington, DC, it's the Cube, covering .conf2017, brought to you by Splunk. (busy electronic music) >> Welcome back to the Washington Convention Center, the Walter Washington Convention Center, in our nation's capital as our coverage continues here of .conf2017. We're here at Splunk along with Dave Vellante. I'm John Walls, and kind of coming down the home stretch, Dave. There's just something about the crowd's lingering still, the show for, still has that good vibe to it, late second day, hasn't let off yet. >> Oh, no, remember, the show goes on through tomorrow. There's some event tonight, I think. I don't know, the band's here. >> Yeah, but-- >> Be hanging out, partying tonight. >> But you can tell the Splunkers are alive and well. We have Terry Ramos with us, who's going to join us for the next 15 minutes or so, the VP of Business Development of Palo Alto Networks. Terry, good to see you, sir. >> Good, really appreciate you having me here. >> You bet, you bet, thanks for joining us. You've got a partnership now, you've synced up with Splunk. >> Terry: Yes. >> Tell us a little bit about that. Then we'll get into the customer value after that. But first off, what's the partnership all about? >> Sure. We've actually been partners for about five years, really helping us solve some customer needs. We've got about several thousand customers who are actually using both products together to solve the needs I'll talk about in a minute. The partnership is really key to us. We've invested a ton of time, money, effort into it, we have executive level sponsorship all the way down to sales. In the field, we have reps working together to really position the solution to customers, both us and Splunk and then how we tie together. We're the number one downloaded app for Splunk by far that's a third party, so they have a couple that are more downloaded than us, but for third party, we've done that. We develop it all in house ourselves. For customers out there who think the app's great, I'll talk about the new version coming, I'd love any feedback on what should we do next, what are the next things we should do in the app, because we're really developing this and making this investment for customers to get the value out of it. >> What about the business update for Palo Alto Networks? I mean, can you give us the sort of quick rundown on what's going on in your world? >> Sure. I think most people know Palo Alto Networks has done pretty well. We just finished our FY '17, finished with about 42,500 customers. Revenue was, I think, 1.8 billion, approximately. We're still a very high growth company, and been growing the product set pretty well, from products next-gen firewall, all the attached subscriptions. Then we've got things like the Endpoint Traps now that's really doing well in the market, where customers need help on preventing exploits on the endpoint. That's been a growing market for us. >> It's the hottest space in the data center right now, and everybody wants to partner with you guys. Obviously, Splunk, you go to all the big shows, and they're touting their partnerships with Palo Alto. What do you attribute that sort of success to? >> Customers, truly. I run the partnerships for the company. If we do not have a customer who will be invested in the integration and the partnership, we don't do it. The number one thing we ask when somebody says, I want to partner with you, is, who's the customer, what's the use case, and why, right. Then if we can get good answers to that, then we go down the path of a partnership. Even then, though, we're still pretty selective. We've got 150 partners today that are technology partnerships. But we've got a limited number, Splunk's a big one, that we really invest heavily in, far more than the others, far more than just an API integration, the stuff of getting out to customers in the field the development of apps and integration, those things. >> Talk about, we laugh about Barney deals sometimes, I love you, you love me, let's do a press release. What differentiates that sort of Splunk level of partnership? Is it engineering resources? Is it deeper go to market? Maybe talk about that a little. >> Yeah, I hate Barney partnerships completely. If I do those, fire me, truthfully. I think the value that we've done with Splunk that we've really drawn out is, we've built this app, right, so BD has a team of developers on our team that writes the app for Splunk. We have spent four years developing this app. We were the first company to do adaptive response before it was called adaptive response. You see something in Splunk, you can actually take action back to a firewall to actually block something, quarantine something, anything like that. The app today is really focused on our products, right, through Endpoint, WildFire, things like that, right, so it's very product focused. We're actually putting in a lot of time and effort into a brand new app that we're developing that we're showing off now that we'll ship in about a month a half that's really focused on adversaries and incidents. We have something called the adversary score card where it'll show you, this is what's actually happening on my network, how far is this threat penetrating my network and my endpoints, is it being stopped, when is it being stopped. Then we've got an incident flow, too, that shows that level down to Traps prevented this, and here's how it prevented it. Then if we go back to the adversary score card, it ties into what part of the kill chain did we actually stop it at. For a CISO, when you come in and you say, there's a new outbreak, there's a new worm, there's a new threat that's happening, how do I know that I'm protected? Well, Splunk gives you great access to that data. What we've done is an app on top of it that's a single click. A SOC guy can say, here's where we're at, here's where we've blocked it. >> I guess I've been talking to a lot of folks here the last two days, and we've got a vendor right over here, we're talking, they have a little scorecard up, and they tell you about how certain intrusions are detected at certain intervals, 190 days to 300 and some odd days. Then I hear talk about a scorecard that tells you, hey, you've got this risk threat, and this is what's happened. I mean, I guess I'm having a hard time squaring that all up with, it sounds like a real time examination. But it's really not, because we're talking about maybe half a year or longer, in some cases, before a threat is detected. >> Yeah, so as a company, we've really focused on prevention. Prevent as much as you can. We have a product called WildFire, where we have tens of thousands of customers who actually share data with us, files and other things, files, URLs, other things. What we do is we run those through sandboxing, dynamic analysis, static analysis, all sorts of stuff, to identify if it's malicious. If it's malicious, we don't just start blocking that file, we also send down to the firewall all the things that it does. Does it connect to another website to download a different payload, does it connect to a C&C site, command and control site? What's that malware actually doing? We send that down to the customer, but we also send it to all of our customers. It may hit a target, right, the zero day hit one customer, but then we start really, how do we prevent this along the way, both in the network and at the endpoint? Yeah, there are a lot of people that talk about breaches long term, all that, what we're trying to make sure is we're preventing as much as we can and letting the SOC guys really focus on the things that they need to. A simple piece of malware, they shouldn't be having to look at that. That should be automatically stopped, prevented. But that advanced attack, they need to focus on that and what are they doing about it. >> The payloads have really evolved in the last decade. You mentioned zero day. Think about them, we didn't even know what it was in the early 2000s. I wonder if you could talk about how your business has evolved as the sophistication of the attackers has evolved from hacktivist to organized crime to nation state. >> Yeah, yeah. It has evolved a lot, and when you think about the company, 42,500 customers says a lot. We've been able to grow that out. When you talk about a product, something like WildFire that does this payload analysis, when we launched the product it was free. You'd get an update about every 24 hours, right. We moved it down to, I think it was four hours, then it was an hour, 20 minutes, and now it's about five minutes. In about five minutes, we do all that analysis and how do we stop it. Back to the question is, when you're talking about guys that are just using malware and running it over and over, that's one thing. But when you're talking about sophisticated nation states, that's where you've got to get this, prevent it as quickly as you possibly can. >> If we're talking about customer value, you've kind of touched on it a little bit, but ultimately, you said you've got some to deal with Splunk, some to deal with you, some are now dealing with both. End of the day, what does that mean to me, that you're bringing this extra arsenal in? How am I going to leverage that in my operations? What can I do with it better, I guess, down the road? >> Yeah, I think it really comes down to that, how quickly can you react, how do you know what to react to. I mean, it's as simple as that, I know it sounds super simple, but it is that. If I'm a SOC guy sitting in a SOC, looking at the threats that are happening on my network, what's happening on my endpoints, and being able to say, this one actually got through the firewall. It was a total zero day, we had never seen it before. But it landed at the endpoint, and it tried to run and we prevented it there. Now you can go and take action down to that endpoint and say, let's get it off the endpoint, the firewall's going to be updated in a few minutes anyway. But let's go really focus on that. It's the focus of, what do you need to worry about. >> Dave: Do you know what a zero day is? >> You've kind of, yeah, I mean, it's the movie, right? >> He's going, no, no, there was a movie because of the concept-- >> Because of the idea. >> David's note, there's been zero days of protection. But you can explain it better than I can. >> Yeah, zero day means it's a brand new attack, never seen before, whether it be-- >> Unique characteristics and traits in a new way that infiltrate, and something that's totally off from left field. >> When you think about it, those are hard to create. They take a lot of time and effort to go find the bugs in programs, right. If it's something in a Microsoft or an Oracle, that's a lot of effort, right, to go find that new way to do a buffer overflow or a heap spray or whatever it is. That's a lot of work, that's a lot of money. One of the things we focused on is, if we can prevent it faster, that money, that investment those people are making is out the window. We really, again, are going to focus on the high end, high fidelity stuff. >> The documentary called "Zero Days," but there was, I don't know how many zero day viruses inside of Stuxnet, like, I don't know, four or five. You maybe used to see, the antivirus guys would tell you, we maybe see one or two a year, and there were four or five inside of this code. >> Loaded into one invasion, yeah, yeah, yeah. >> It's the threat from within. I mean, one of the threats, if I recall correctly, was actually, they had to go in and steal some chip at some Taiwanese semiconductor manufacturer, so they had to have a guy infiltrate, who knows, with a mop or something, stick a, had to break in, basically. These are, when you see a payload like that, you know it's a nation state, not just some hacktivist, right, or even organized crime doesn't necessarily have the resources for the most part, right? >> It's a big investment, it is. Zero days are a big investment, because you've got to figure it out, you may have to get hardware, you have to get the software. It's a lot of work to fund that. >> They're worth a lot of money on the black market. I mean, you can sell those things. >> That's why, if we make them unusable fairly quickly, it stops that investment. >> We were talking with Monte Mercer earlier, just talking about his comments this morning, keynotes about you could be successful defending, right. It's not all bets are off, we're hopeless here. But it still sounds as if, in your world, there are these inherent frustrations, because bad guys are really smart. All of a sudden, you've got a whole new way, a whole new world that you have to combat, just when you thought you had enough prophylactic activity going on in one place, boom, here you are now. Can you successfully defend? Do you feel like you have the tools to be that watch at the gate? >> I'd be a liar if I say you can prevent everything, right. It's just not possible. But what you've got to be able to prevent is everything that's known, and then take the unknown, make it known as quickly as possible, and start preventing that. That's the goal. If anybody out here is saying they prevent everything, it's just not true, it can't be true. But the faster you take that unknown and make it known and start preventing it, that's what you do. >> Well, and it's never just one thing in this world, right? Now there's much more emphasis being placed on response and predicting the probability of the severity and things of that nature. It really is an ecosystem, right. >> Terry: It is, that's what I do. >> Which is kind of back to what you do. How do you see this ecosystem evolving? What are your objectives? >> I think that from my standpoint, we'll continue to build out new partnerships for customers. We really focus on those ones that are important to customers. We recently did a lot with authentication partners, right, because that's another level of, if people are getting those credentials and using them then what are they doing with them, right? We did some new stuff in the product with a number of partners where we look at the credentials, and if they're leaving the network, going to an unknown site, that should never happen, right? Your corporate credentials should never go to some unknown site. That's a good example of how we build out new things for customers that weren't seen before with a partner. We don't do authentication, so we rely on partners to do that with us. As we continue to talk about partnership and BD, we're going to continue to focus on those things that really solve that need for our customer. >> Well, I don't know how you guys sleep at night, but I'm glad you do. >> Dave: No, we don't. What do you mean? I'm glad you don't. >> It's 24/7, that's for sure. >> Terry: Yes. >> Terry, thanks for being with us. >> Thank you very much. >> We appreciate the time, glad to have you on the Cube. The Cube will continue live from Washington, DC, we're at .conf2017. (busy electronic music)

>> Announcer: Live from Washington DC, it's theCUBE, covering .conf2017, brought to you by Splunk. >> Well good morning, welcome to day two, Splunk .conf2017 here in Washington DC, theCUBE very proud to be here again for the seventh time I believe this is. John Walls, Dave Vellante. Good morning, sir, how are you doing, David? >> I'm doing well thank you. >> Did you have a good night? >> Yeah, great night. >> DC, I know your son's here >> Walked round the district a little bit, yeah, it was good. >> It's good to have you here. >> At the party last night upstairs, (John laughs) talked to a few customers, trying to find out what they didn't like about Splunk, and it was not a lot of things. >> That would be a short conversation I think. We can do us, we got a couple of keynote rockstars with us this morning, Haiyan Song, who's the Senior Vice President of Security Markets at Splunk. Haiyan, good to see you again. >> Great to see you too. >> John: Thanks for coming back, Monzy Merza, who was the Head of Cybersecurity Research at Splunk. >> Thank you for having me. >> John: Monzy, commanding the stage with great acumen today, good job there. >> Monzy: Thank you. >> Yeah we'll get into that a little bit later. But first off, let's just kind of set the table here a little bit. I know this is a bit of transformational year for you in terms of security, in how you're building out your portfolio, and your services, and so kind of walk us through that. What are you doing, Haiyan, in terms of, I guess being available, right, for whomever, whenever, wherever they are in their security journey you might say. >> Journey is the keyword this year, and nerve center is another one that I highlighted at my super session yesterday. So when I reflect on, this is your seventh year, and when I reflect on the last three years, right, we came in and really talked about the enterprise security product on the first year. And second year we talked about, you know, how UBA adds to the capabilities for better detection and machine learning. We introduced different features. This year we didn't start the conversation on, "Here's a new feature". This year we started the conversation on you need to build a security nerve center. That's the new defense system. And there's a journey to get there, and our role is to enable you on that journey every step of the way. So it's portfolio message, and not only for the very advanced customers, who want machine learning, who want to customize the thread models. Also for people who just started, to say I have the data, and help me get more insight into this, or help me understand how leverage machine data across domains to really correlate and connect the dots, and do investigations. Or what are the important things to set up the basic operations. Very, very excited about the ability, transformational year, as you mentioned, that we can bring the full portfolio to our customer. >> So, Monzy, you've said in your keynote today, defenders can succeed. We talked off camera, you're an optimist. And all we need is this nerve center. So to date, has that nerve center been missing, has it been there and people haven't been able to take advantage of it, have the tools been too complicated? I wonder if you could unpack that a little bit? >> I think what's happened over the course of many years, as the security ecosystem matures and evolves, there are a lot of expert technologies in a variety of different areas, and it's a matter of bringing those expert technologies together, so that the operations teams can really take advantage of them. And you know, it's one thing to have a capability, but it's another to leverage that capability along with another capability and combine the forces together, and really that's the message, that's Haiyan's message, that's been there for the nerve center, that we can bring together. And so when I say the defender has an advantage, I mean that, because I feel that the operations teams, the IT teams, as well as the security teams, have laid out a path, and the attacker cannot escape that path. You have to walk down a certain path to get to something to achieve or to steal or to do whatever, or damage that you need to do. So when you have a nerve center, you can bring all the instrumentation that's been placed along those path to make use of it. So the attacker has to work within that terrain. They cannot escape that terrain. And that's what I mean, is the nerve center allows for that to occur. >> Now you guys have talked for a long time about bringing analytics and security, those worlds together. We've always been a big obviously proponent of that, but spending's just starting to shift, right. They're still spending a lot of money on the perimeter. I guess you have to. We all see the numbers, security investments continue to increase. But where are we today with regard to analytics and being able to proactively both identify and remediate? >> So I just echo what you just said. I'm so pleased to see the industry started the shifts. I think being analytics-driven is really top of mind for people, and using machine learning automation to help really speed up the detection and even response are top of mind. We just did a CISO Customer Advisory Report on Monday, and we always ask when we start the meetings, "Tell us your top of mind challenges, "tell us your top of, you know two investment, and what's the recommendation for Splunk?" And better, faster response, better faster detection and automation and analytics is top of mind for everybody. So for us, this year, extremely, extremely happy to talk about how we're completing that narrative for analytics-driven security. >> Well on that point, you talk about analytics stories, and filling gaps, putting an entire narrative together so that somebody could loosen up the nuts, and they can see exactly where intrusions occur, what steps could be taken, and so on and so forth. So, I mean, dig a little deeper on that for us, maybe Monzy, you can jump on that, about what this concept of analytics stories, and then how you're translating that into your workplace. >> We thought about this for quite some time in terms of drilling down and saying, as analysts and practitioners, what is it that we desire? The security research team at Splunk is composed of people who spend many, many years in the trenches. So what do we want, what did we always want, and what was hard? And instead of trying to approach it from the perspective of, you know, let's just connect the dots, really take an adversarial model approach to say, "What does an adversary actually do?" and then as a defender, what do I do when I see certain things happening? And I see things on the network, I see things on the end point, and that's good, and a lot of people talk about that. But what do I do next? As the analyst, where do I go, and what would be helpful to me? So we took this concept of saying, let's not call them anything else, we actually fought over this for quite some time. These are not use cases, because use case has a very different connotation. We wanted stories because an adversary starts somewhere, adversary takes some action. The defender may see some of that action, but then the defender carries on and does other things, so we really had this notion of a day in the life, and we wanted to capture that day in the life of the prospective of what's important to their business, and really encapsulate that as a narrative, so that when the analysts and security operations teams get their hands on this stuff, they're not bootstrapping their way through the process. They have a whole story that they can play through, and they can say, and if it doesn't make sense to them, that's okay, they can modify the story, and then have a complete narrative to understand the threat, and to understand their own actions. >> So we hear the stat a lot about how long it takes for organizations to identify an intrusion. It ranges I've been seeing, you know, service now flashing 191, I've seen it as high as 320. I'm not sure there's clear evidence that that number's compressing. I think it's early days there, but presumably analytics can help compress that number, but when I think about things like, you know, zero day signatures, and other very high tech factors that are decades old now. Can analytics help us solve those problems? Can the technology, which kind of got us into this mess, get us out of the mess? (Monzy and Haiyan laugh) >> That's such a great point. It is the technology that just made our lives so much easier, as you know, living, and then it complicate it so much for security people. I'll give you a definitive yes, right. Analytics are there to help detect early warning signs, and it will help us, may not be able to just change the stats right now for the whole industry, I'm sure it's changing stats for a lot of the customers, especially when it comes to remediation. The more readily available the data is for you when you are sort of facing an incident, the faster you can get to the root cause and start remediate. That we have seen many of our customers talk about how it was going from weeks to days, days to hours, and that includes not just technology, but also process, right? Process streamline and automating some of the things, and freeing up the people to do the things that they're great at, versus the mundane things, trying to collect the information. So I'm also a glass half full person, optimist, that's why we work together so well, that we really think being data driven, being analytics driven, is changing the game. >> What about the technology of the malware? I think it was at a .conf, I think it was 2013, one of your guest speakers gave us an inside look at Stuxnet. Of course by then it was seven, eight years old, right? But it was fascinating, and you know you read more about it, and you learn more about it, and it's insidious. Has the technology on the defender side, I guess was my real question, accelerated to keep up with that pace? Where are we at with the bad technology and the good technology? Are they at a balance now, an equilibrium? >> I think it's going to be a constant evolutionary process. It's like anything else, you know, whether you look at thieves or whether you look at people who are trying to create new innovative solutions for themselves. I think the key that, this is the reason why I said this morning, is that defenders can have, I think I said unfair advantage, not just an advantage. And the reason for that is, some of the things Haiyan talked about, with analytics, and with the availability of technology that can create a nerve center. It's not so much so that someone can detect a certain type of threat. It's that we know the low fidelity sort of perturbations that cause us to fire an alarm, but there's so many of those that we get desensitized. The thing that's missing is, how do I connect something that is very low threshold, to another thing that's very low threshold, and sequence those things together, and then say, you know, combined all of this is a bad thing. And one of my colleagues uses as example, you know, I go to the doctor and I say you know, "I've got this headache for a long time", and the doctor says, "Don't worry, you don't have a tumor." And it's like, "Okay, great, thank you very much," (Dave laughs) but I still have the headache >> Still have the headache. >> And so this is why even in the analytics stories we use, and even in UBA and in enterprise security, we don't use the concept of a false positive. We use the concept of confidence, and we want to raise confidence in a particular situation, which is why the analytics story concept makes sense, is because within that story, the confidence keeps raising as you go farther and farther down the chain. >> So it's a confidence, but also married, presumably through analytics, with a degree of risk, right? So I can understand whether that asset is a high value asset or John's football pool or something like that. >> John: Which is going very well right now by the way. (all laugh) Bring it on, very happy. >> Now you guys have come out with some solutions for ransomware. I tweeted out this morning that I was pleased at .conf that we're talking about analytics, analytic-driven solutions to ransomware, and not just the typical, when we go these conferences, the air gap yap. Somebody tweeted back to me, said, "Dave, until we see 100% certainty with analytics-driven solutions, we better still have air gaps." So I guess I wanted, if you guys could weigh in on what should people be thinking about in terms of ransomware, in terms of an end to end solution. Can you comment? >> I will add and... So for us, right, even to follow on the last question you had, the advancement in technology is not just algorithms, it's actually the awareness and the mindset to instrument your enterprise, and the biggest information gap in an incident response is, I don't have the data, I don't know what happened. So I think there's lot of advancement happened. We did a war game, you know, tabletop exercise, that was one of the biggest takeaways. Oh we better go back and instrument our enterprise, or agency, so when something does happen, we can trace back, right? So that's number one. So ransomware's the same thing. If you have instrumented your infrastructure, your applications stack, and your cloud visibility, you can actually detect some of the anomalies early. It's never going to solve 100%. So security is all about layered defense, right. Adapting and adding more layers, because nobody is really claiming I can be 100%, so you just want to put different layers and hoping that as they sift through, you catch them along the way. >> I think it's a question of ecosystem, and really goes back to this notion that different people have instrumented their environments in different ways, they deploy different technologies. How much value can they get out of them? I think that's one vector. The other vector is, what is your risk threshold? Somebody may have absolutely zero tolerance for air gaps. But I would, as a research person, I would like to challenge even that premise. I've been privileged to work in certain environments, and there are some people who have incredible resources, and so it's just a question of what is your adversary model that you're trying to protect yourself against, what is your business model for which you're willing to take over that risk? So I don't think there is a too high endpoint, there isn't a single solution for any of these number of things. It really just has to match with your business operation or business risk posture that you want to accommodate. >> You know what, you're almost touching on a point that I did want to hit you up on before you left, about choice, and you know, it's almost like personal, how much risk am I willing to take on? It's about customization, and providing people different tools. So how much leash do you give people? I mean do you worry that if we allow you to do too much tinkering you actually do more harm than good? But how do you factor all that in to the kind of services that you're offering? >> I think that ultimately it's up to the customer to decide what's valuable and what's critical for their business. If somebody wants a complete solution from Splunk, we're going to serve those customers. You heard a number of announcements this week from ES Content updates, to opening up the SDK, you know, with UBA, to the security essentials app releases, and all of those different kinds of capabilities. On the top end of it, we have the machine learning toolkit. If you have experts that want to tinker and learn something more, and want to exert their own intuition and energy on a compute problem, we want to provide those capabilities. So it's not about us, it's about the ability for our customers to exert what is important to them, and get a significant advantage in the marketplace for their business. >> I think it's important to point out too for our audience, it's not just a technology problem. The security regimes in organizations for years has fallen on IT and security practitioners, and we wrote a piece several years ago on Wikibon Research, that bad user behavior is going to trump good security every time. And so it's everybody's responsibility. I mean it sounds like a bromide, but it's so true, and it's really part of the complete solution. You know, I mean, I presume you agree. >> Totally. Going back to the CISO Advisory Board, one of the challenges they pointed out is user accountability. That's one of the CISO's biggest challenges. It's not just technology. It's how can they train the users and make them responsible and somehow hold them accountable. I thought that was a really very interesting insight we didn't talk about before. >> Yeah, you don't want to hear my bad, but unfortunately you do. Well, we were kind of kidding before we got started, we said, "We've got an hour to chat." It seems like it was just a matter of minutes and so thank you for taking time. We could talk an hour, I think. >> Monzy: Oh easy. >> Fascinating subject. And we thank you both for your time here today, and great show. >> [Haiyan And Monzy] Thank you for having us. >> Haiyan: It's always a pleasure to be here. >> You bet, all right, thank you Haiyan and Monzy. Back with more of theCUBE here covering .conf2017 live in Washington DC.

>> Announcer: Live from Washington D.C., it's the Cube. Covering .conf2017. Brought to you by Splunk. >> Welcome back, here on the Cube along with Dave Vellante, I am John Walls. We're live at .conf2017, as Splunk continues with day two of its get together here the nation's capital, Washington D.C. Home game for me, I love it. Dave's up the road in Boston, so, hey, you had to hit the road a little bit, but not as bad as it can be sometimes for you. >> No, I'll take D.C. over Vegas. Sorry, Vegas. >> Yeah, but you travel a lot, man, you do, you're on the road. Chris Kurtz travels a lot, too. He's come with us from Arizona State University, he's a systems architect out there. Chris, always good to see you, we had a chance to visit last year for the first time. >> Yep. >> A member of the Splunk trust. And a gentleman with quite a diverse background, I mean. You supported Mars missions. As far as the... >> The Spirit and Opportunity. >> Facilitated out in Phoenix. Working now, as you said, at Arizona State, but also the Trust. Let's talk about that a little bit, because there was some conversation yesterday from the keynote stage about expanding that group? >> Absolutely. >> Adding 14 new members. And for a lot of people at home, who might not be familiar with the Splunk trust, talk about the concept and how you put it into practice. >> Absolutely, so, the Splunk trust is the organization that Splunk set up as a community leader, as a community activist. Our, kind of, watch word is, is that, "We're not the smartest people in the room, "but we'll be the most helpful." and, so, our purpose is... >> John: I'm not sure about that first part, too, by the way. >> Thank you, very much. >> John: I think you're short-changing yourself. >> So, our organization preface is we act as members of the community to help direct community people who have issues and help them externally, but also, to help Splunk and what direction they should go. "Hey, we see this pain point from a lot of the customers, "this is something that maybe Splunk should concentrate on." We're often given access to betas or even earlier, or, you know, even potential products. It's, "How should we build this, is this something that "you would use? "Is this something that you would like?" Table data sets was a feature that I worked on for a year, that was released last year. You know, "Is this something that you would use, "is this something that you would want?" and, sometimes, you know, users fall through the cracks in the support system and they don't know how to get support help, or they don't know where to get directed, and we can volunteer and say, you know, "Show them where the Splunk answers group is very powerful." There's an app for that, we can show them Splunkbase and help them when those things fall through the cracks. So, we provide community enrichment and support, but we're not an official representative of Splunk, even though we're appointed by Splunk on a year-to-year basis. >> John: There aren't that many of ya, right? >> Well, there's a couple, 42 this time. And, you serve for a year and it can be renewed each year, you reapply. Or you can be volunteered, you know, somebody else can... >> Nominate you. >> Can nominate for us. And there's no guarantee. We, the members of the trust vote and then that goes to Splunk and Splunk makes the final decision. Some companies allow that, some don't, it depends. ASU is very generous and let's me participate and give them my time to the organization. >> And I said ASU, Arizona State University. >> That's what I was thinking. >> I never fully introduced that, I'm sorry. >> What do you have to do to qualify and what's the hurdle? >> So, be the most helpful person in the room, that's what you need to do to qualify. So you need to be a part... You can't work for Splunk, you have to be a partner or a customer, and you need to give to the community in some way. So, you need to give back to the community. You participate on Answers, which is the online, kind of, self-support forum. You need to speak in the community, maybe run a user group, a lot of us do run the user groups. I run the user group in Arizona. And, you need to be respected amongst the community and, people go, you know, "I want to go to them, "they'll help me or at least get me to the right person." >> Is it predominantly or exclusively technical practitioners, or not necessarily? >> This year, they divided us in to, kind of, organizational units, so there's architects, and practitioner, and developer. So, we're all technical, but, this year we're going to have the ability to focus a little more on a specific area. You know, "What do you do for a living, "what do you do with Splunk? "Do you architect with Splunk internally, "do you just provide Splunk practice? "Are you a Splunk developer that makes apps? "How do you use Splunk on a daily basis?" And, again, there are partners as well. So, Aplura and Defense Point, I think, are both tied with four members a piece. So that's one of those things that, you know, they're going out to individual customers and helping them everyday. >> So, it's really taking this notion of a customer advisory board to a whole another level. I mean, it's not a passive, you know, group of people that, maybe, meets once a year. >> Right. >> It's an ongoing, active, organic institution essentially. >> Absolutely, we have quarterly meetings online and at those meetings a different Splunk, sometimes executives, sometimes product managers or engineering managers, you know, come and speak to us. And it can be anything from, "Hey, we're developing this "internal product and are we interested, you know, "is that useful to you?" Or, "What enhancements do you feel the product need?" Or, you know, "This is a new feature we're working on "to look and feel." I was consulted about the conf logo. "Hey, Chris, you're an average customer, "which of these four logos do you think really, you know, "kind of helps set the mood?" And, you know, did they take my advice? Does it really matter, no, but they were willing to just... I'm not associated, I'm not in the bowels of the company. >> So this isn't your logo over here? >> That is actually the one that I chose. >> Oh, excellent, I would assume so, right. >> Who organizes the quarterly meetings? >> So, the quarterly meetings are organized by Splunk in the community. There's a community group that's underneath Brian Goldfarb, who's the Chief Marketing Officer. So, he organizes the quarterly meetings. He gets to herd all the cats, because we're all across the world. You know, you have to figure out a time zone, you have to figure out where, you have to figure out when. But, most of the time, there's some suggestions. "Hey, you know, the engineering manager "for section x would like to speak." But, sometimes it's like, "Yeah, we would like to talk "to the person in charge of Search Head Clustering," for example. "We see some pain points in the community," or something like that, so, it's wide-ranging. But, you know, we're not just a group to rubber stamp anything that Splunk does, but we're also not a group to just sit there and complain about things we don't like. It's really very much a give and take. Splunk is generous and open enough to give us that access, and we take that very seriously. To be able to help guide Splunk in making their product the best it can be. It's an amazing product, I'm an evangelist, have been since I started using it. But, also, to help the customers. If the customers are having a pain point, we're probably going to hear about that first. >> Dave: When did you start using? >> I've been using Splunk for about five years. And when I started using Splunk at ASU, it had been a 50GB license and they'd just bought another 100GB, and it needed re-working, it needed architecting. So, when I came in, our chief information security officer and our VP for operations are the ones who directed me. And I said, "What do you want to grow for?" And they said, "Architect it for a terabyte, "assume it's going to take us several years to get there." So, I rebuilt the current environment and we architected it for a terabyte and here we are, four-and-a-half, five years later, we're at a terabyte. And, we're still growing and we're looking at Cloud, you know, we're looking at other use-cases. I think the biggest ship for us is that, we talked about this briefly last year, is that I work for John Rome, who's the Deputy CIO for Arizona State, and he's in charge of business intelligence and analytics. So, it is an enterprise application for data at ASU. It is not part of the security office, it's not part of operations, it's not part of depth. Those are all customers. And, so, internally those are customers and I think that's an amazing opportunity to say that, "Those are customers of mine." So, I'm not beholden to, you know, building the system so it's only useful for security, or building it so it's only useful for operations. They're my customers, and we avoid any appearance of, "Oh, I don't want to put my data in a security product. "I don't want to put my data in an operations product." Nobody questions putting their data in the data warehouse, that's the appropriate place for the data to go. So, that's the beauty of the system that we've developed, is they're both customers of mine. >> All right, so let's talk about your work at Arizona State, little bit. I don't know the size now, I'm trying to think of it, a huge... >> Chris: We're the largest single university in the United States. >> Probably what, 60,000-70,000? >> Total enrollment 104-110,000. A lot of that's online, I think we have about 78,000 or more at the main campus. But, we're the single largest university in the U.S. There are groups like the University of California that's larger overall, but not single institution. >> So, you know... >> Massive. >> Big project, yeah. Where are you now, then? What have you been using Splunk for that maybe you weren't last year when you and I had a chance to visit? >> Yeah, so, we started using it as a security product. It was brought in to make security more agile in getting that information from the operations and the networking groups, firewalls was the first thing we were brought in for. Now, we're starting to look at other use-cases, we're starting to look at edge cases. "Are we using it for academic integrity?" So, the very beginning so that we're looking at, "If a student is taking a test, are they the person "taking the test?" We're looking at it to make sure the students' accounts are safe and not compromised. We're looking at rolling out multi-factor to the university and being able to protect that. And, we're taking a lot of those functions and pushing them down to our help desk, so the help desk has all of the tools they need to be able to support the student and take care of their issue on the first call. That's really important, we have an amazing help desk organization, amazing care organization. And that's the goal is, it doesn't matter how long the call takes, you do that on the first call. And Splunk is a key portion of that to be able to provide them with the right information. And they don't have to go and try to get somebody from network engineering just to solve the student problem, they can see what the problem is from the beginning. >> Academic integrity, explain that. >> Yeah, so, you know, I don't think that there's any student who doesn't want to do their own work and do the best possible thing they can. But, sometimes, students get in a position where they need some help and, maybe, that isn't always exactly what they should do. So, you need to make sure that the student is taking the test that they're signed up for, that they didn't have any assistance, especially in online classes. We need to keep our degree important and valid, and, obviously, none of our students want to, but occasionally you find somebody who hasn't done exactly what they're supposed to. And we need to be able to validate that. So, we need to be able to validate that someone did what they said they did or did the work that they said they did. It's just like, nobody wants to plagiarize, but, occasionally it does happen and we need to protect ourselves and protect the students. >> And you can do that with data? >> We can absolutely do. >> You can ensure that integrity, how? Explain that a little bit. >> A little bit, yeah. So, we look at where the student logs in from. If the login routinely from Tempe, Arizona and then, suddenly there's a login from someplace else. Oftentimes, that has nothing to do with academic integrity, that has to do with there is an account compromise. We need to protect the students' personal information, both HIPAA and FIRPA. We need to protect their privacy information, just generally available PII. So we look at when they logged in, where they logged in, how they logged in. Did the how-to factor worked? I think academic integrity is really a much smaller portion of that, I think the more thing is we need to protect those students. So, we look at how they logged in, when they logged in, what type of machine they logged in from. I mean, if you're using a Surface and you've been using a Surface to login for months and then, all of a sudden, you login from an iPhone, you might have gotten a new iPhone, but, you know, you might not have. So, we put all those pieces of information, all those launch together to build a case that, "Do we need to reset this user's password for safety?" >> But I think academic integrity's important from the brand as well, because the consumers of your students, the employers out there, they may be leery of online courses. So, to the extent that you can say, "Hey, we've got this covered, we actually can ensure "that academic integrity through data." That enhances the value of the degree and the ASU brand, right? >> Absolutely, we don't think that any student wants to do anything that they're not supposed to. It does happen, you know. >> But even if it's one, right, or even if it's the perception of the employer that it can happen? >> John: The possibility. >> Yeah, and I think that's a really good point, is that we need to protect that brand and we need to protect the students. I think protecting students is the number one thing, protecting employees is the number one thing. Everything else falls from that. >> Okay, what about other student behaviors? I mean, you're sort of trafficking around campus, maybe, food consumption, dorm living, I mean, all these kinds of things that with sensors or, what have you, you could extract reams of data? >> We're doing a lot of that. We're partnering with Amazon to look at the Amazon Echo and using them in dorms to provide them voice interface. "Echo, where is my next class?" Or, "What time does the Memorial Union open?" Or, "How late can I get a pizza," and that type of thing. We want to build an environment that's not only fun for the students, but very powerful, and uses the latest technology. >> Pricing, I want to talk pricing, all right? I dig for the one little wart in Splunk and it's hard to find. But, I've heard some chirping about pricing because pricing is a function of the volume of data. The data curve is growing, it's reshaping. What are your thoughts? What do you tell Splunk about pricing? >> So, a lot of people say, "Man, Splunk is expensive." And, I don't think Splunk is expensive. Once you've achieved a volume, it's got a good pricing structure. I think that anything that Splunk tries to do to change the pricing model is a bad direction. >> Dave: So you like it the way it is? >> I like it the way it is. I believe that we've made an investment in a perpetual-licensed product and I certainly don't think that what we're spending on it, for a maintenance year is a bad thing. And i think that we get a good value for the product. And we're going to continue to use it for years to come. >> I've always felt, like, "Your price is too high," has never been a deal-breaker for software companies. They've generally navigated through that criticism. And it's been, you know, ultimately an indicator of success more than anything else. But, your point is if the values there, you pay for it. Are you able to find ways to save money using Splunk that essentially pay for that premium? >> Absolutely, so one of the very first things we did with Splunk, is we looked at our employee direct deposit, we talked about this briefly last year. We looked at employee direct deposit and we were being targeted by a Malaysian hacking group who was using phishing emails to phish credentials from us. You know, you send an email that looks very much like a university login and says, "You need to login "and change your password or you're not going to be able "to work in an hour." A lot of employees, especially employees in areas that aren't high tech, you know, in the psychology department, they may fill-in that information and then the hackers login and change their direct deposit. And then the university ends up paying the employee again and eating those costs. Our original use-case was on-the-fly, we saved $30,000 in a single payroll run. Pretty easy to pay for Splunk when you do that. And so, that was our very original use-case. And that came from just looking at the data. "Is this useful, where are these people logging in from?" There's a change, you know, and I think that that's very important. The thing I love about Splunk is, because it's schema on demand, because there's no hard schema, and that it's use-case on demand. Is that, every single good use-case in the very beginning was standing around the water cooler, having a drink and saying, "I wonder if combine data set A, "we combine data set B, we come up with something that "nobody was asking about." And now when we something that we can help fix, we can help grow, we can make more efficient. To the question of how you deal with all that data is, you tune, you decide what data is important, you decide what data is unimportant, you clean up the logs that you don't care about. And we spent a year, we didn't buy Splunk for one year, we didn't buy a new license, or didn't buy an expansion license, because we took a year to compact and say, "Okay, all the data we're getting "from this firewall, is that all necessary, "is there anything redundant?" "Does it have redundant dates, does it have redundant "time stamps, et cetera." >> Right. >> And I pulled that information out and that just gave us a little bit of breathing room, and then we're going to turn around and take another chunk. >> Help. >> No schema on right sounds icky but it's profound. >> You mentioned the word, help, again, big word, key word. Chris Kurtz, one of the most helpful guys in the community of the Splunk. >> Thank you very much. >> Thanks for being with us, Chris Kurtz. Back with more, Dave and I are going to take a short break, about a half-hour, we'll continue our coverage here live at .conf2017. (upbeat music)

>> Announcer: Live from Washington, DC it's theCube covering .conf 2017 brought to you by Splunk. >> Welcome back here on theCube the flagship broadcast for Silicon Angle TV, glad to have you here at .conf 2017 along with Dave Vellante, John Walls. We are live in Washington, DC and balmy Washington, DC. It's like 88 here today, really hot. >> It's cooler here than it is in Boston, I here. >> Yeah, right, but we're not used to it this time of year. Brad Medairy now joins us he's an SVP at Booz Allen Hamilton and Brad, thank you for being with us. >> Dave: And another Redskins fan I heard. >> Another Redskins fan. >> It was a big night wasn't it? Sunday night, I mean we haven't had many of those in the last decade or so. >> Yeah, yeah, I became a Redskins fan in 1998 and unfortunately a little late after the three or four superbowls. >> John: That's a long dry spell, yeah. >> Are you guys Nats fans? >> Oh, huge Nats fan, I don't know, how about Brad, I don't want to speak for you. >> I've got a soft spot in my heart for the Nats, what's the story with that team? >> Well, it's just been post-season disappointment, but this year. >> This is the year. >> This is the year, although-- >> Hey, if the Redsox and the Cubs can do it. >> I hate to go down the path, but Geos worry me a little bit, but we can talk about it offline. >> Brad: Yeah, let's not talk about DC Sports. >> Three out of five outings now have not been very good, but anyway let's take care of what we can. Cyber, let's talk a little cyber here. I guess that's your expertise, so pretty calm, nothing going on these days, right? >> It's a boring field, you know? Boring field, yeah. >> A piece of cake. So you've got clients private sector, public sector, what's kind of the cross-pollination there? I mean, what are there mutual concerns, and what do you see from them in terms of common threats? >> Yeah, so at Booz Allen we support both federal and commercial clients, and we have a long history in cyber security kind of with deep roots in the defense and the intelligence community, and have been in the space for years. What's interesting is I kind of straddle both sides of the fence from a commercial and a federal perspective, and the commercial side, some of the major breaches really force a lot of these organizations to quickly get religion, and early on everything was very compliance driven and now it's much more proactive and the need to be much more both efficient and effective. The federal space is, I think in many cases, catching up, and so I've done a lot of work across .mil and there's been a lot of investment across .mil, and very secure, .gov, you know, is still probably a fast follower, and one of the things that we're doing is bringing a lot of commercial best practices into the government space and the government's quickly moving from a compliance-based approach to cyber security to much more proactive, proactive defense. >> Can you get, it's almost like a glacier sometimes, right, I mean there's a legacy mindset, in a way, that government does it's business, but I would assume that events over the past year or two have really prompted them along a little bit more. >> I mean there's definitely been some highly publicized events around breaches across .gov, and I think there's a lot of really progressive programs out there that are working to quickly you know, remediate a lot of these issues. One of the programs we're involved in is something called CDM that's run out of DHS, Continuous Diagnostic and Mitigation, and it's a program really designed to up-armor .gov, you know to increase situational awareness and provide much more proactive reporting so that you can get real-time information around events and postures of the network, so I think there's a lot of exciting activities and I think DHS and partnership with the federal agencies is really kind of spearheading that. >> So if we can just sort of lay out the situation in the commercial world and see how it compares to what's going on in gov. Product creep, right, there's dozens and dozens and dozens of products that have been installed, security teams are just sort of overwhelmed, overworked, response is too slow, I've seen data from, whatever, 190 days to 350 days, to identify an infiltration, nevermind remediate it, and so, it's a challenge, so what's happening in your world and how can you guys help? >> Yeah, you know it's funny, I love going out to the RSA conference and, you know, I watch a lot of folks in the space, walking around with a shopping cart and they meet all these great vendors and they have all these shiny pebbles and they walk away with the silver bullet, right, and so if they implement this tool or technology, they're done, right? And I think we all know, that's not the case, and so over the years I think that we've seen a lot of, a lot of organizations, both federal and commercial, try to solve a lot of the problems through, you know, new technology solutions, whether it's the next best intrusion detection, or if it's endpoint, you know, the rage now is EDR, MDR, and so, but the problem is at the end of the day, the adversaries live in the seams, and in the world that I grew up in focused a lot around counter-terrorism. We took a data-centric approach to finding advanced adversaries, and one of the reasons that the Booz Allen has strategically partnered with Splunk is we believe that, you know, in a data-centric approach to cyber, and Splunk as a platform allows us to quickly integrate data, independent of the tools because the other thing with these tool ecosystems is all these tools work really well within their own ecosystem, but as soon as you start to mix and match best of breed tools and capabilities, they tend to not play well together. And so we use Splunk as that integration hub to bring together the data that allows us to bring our advanced trade-craft and tech-craft around hunting, understanding of the adversaries to be able to fuse that data and do advanced detection and help our clients be a lot more proactive. >> So cyber foresight is the service that you lead with? >> Yeah, you know, one of the things, having a company that's been, Booz Allen I think now is 103 years old, with obvious deep roots in the federal government, and so we have a pedigree in defense and intelligence, and we have a lot of amazing analysts, a lot of amazing, what we call, tech-craft, and what we did was, this was many many years ago, and we're probably one of the best kept secrets in threat intelligence, but after maybe five or six years ago when you started to see a lot of the public breaches in the financial services industry, a lot of the financial service clients came to us and said, "Hey, Booz Allen, you guys understand the threat, you understand actors, you understand TTPs, help educate us around what these adversaries are doing. Why are they doing it, how are they doing it, and how can we get out in front of it?" So the question has always been, you know, how can we be more proactive? And so we started a capability that we, or we developed a capability called cyber foresight where we provided some of our human intelligence analysts and applied them to open-source data and we were providing threat intelligence as a service. And what's funny is today you see a lot of the cyber threat intelligence landscape is fairly crowded, when I talk to clients they affectionately refer to people that provide threat intelligence as beltway book reporters, which I love. (laughter) But for us, you know, we've lived in that space for so many years we have the analysts, the scale, the tradecraft, the tools, the technologies, and we feel that we're really well positioned to be able to provide clients with the insights. You know, early on when we were working heavily in the financial services sector, the biggest challenge a lot of our clients had in threat intelligence was, what do I do with it? Okay, so you're going to send me, what we call a Spot Report, and so hey we know this nation-state actor with this advanced set of TTPs is targeting my organization, so what, right? I'm the CISO, I'm the CIO, should I resign? Should I jump out the window? (laughter) What do I do? I know these guys are coming after me, how do I actually operationalize that? And so what we've spent a lot of time thinking about and investing in is how to operationalize threat intelligence, and when we started, you kind of think of it as a pitcher and a catcher, right? You know, so the threat intelligence provider throws those insights, but the receiver needs to be able to catch that information, be able to put it in context, process it, and then operationalize it, implement it within their enterprise to be able to stop those advanced threats. And so one of the reasons that we gravitated toward Splunk, Splunk is a platform, Splunk is becoming really, in our mind, one of the defacto repositories for IT and cyber data across our client space, so when you take that, all those insights that Splunk has around the cyber posture and the infrastructure of an enterprise, and you overlay the threat intelligence with that, it gives us the ability to be able to quickly operationalize that intelligence, and so what does that mean? So, you know, when a security operator is sitting at a console, they're drowning in data, and, you know, analysts, we've investigated tons of commercial breaches and in most cases what we see is the analyst, at some point, had a blinking red light on their screen that was an indicator of that particular breach. The problem is, how do you filter through the noise? That's a problem that this whole industry, it's a signal to noise ratio issue. >> So you guys bring humans to that equation, human intelligence meets analytics and machine intelligence, and your adversary has evolved, and I wonder if you can talk about that, it's gone from sort of hacktivists to organized crime and nation-states, so they've become much more sophisticated. How have the humans sort of evolved as well that your bridge to bear? >> Yeah, I mean certainly the bear to entry is lower, and so now we're seeing ransomware as a service, we're seeing attacks on industrial control systems, on IOT devices, you know, financial services now is extremely concerned about building control systems because if you can compromise and build a control system you can get into potentially laterally move into the enterprise network. And so our analysts now not only are traditional intelligence analysts that understand adversaries and TTPs, but they also need to be technologists, they need to have reverse engineering experience, they need to be malware analysts, they need to be able to look at attack factors in TTPs to be able to put all the stuff in context, and again it goes back to being able to operationalize this intelligence to get value out of it quickly. >> They need to have imaginations, right? I mean thinking like the bad guys, I guess. >> Yeah, I mean we spend a lot of time, we've started up a new capability called Dark Labs and it's our way to be able to unlock some of those folks that think like bad guys and be able to unleash them to look at the world through a different lens, and be able to help provide clients insights into attack factors, new TTPs, and it's fascinating to watch those teams work. >> How does social media come into play here? Or is that a problem at all, or is that a consideration for you at all? >> Well, you know, when we look at a lot of attacks, what's kind of interesting with the space now is you look at nation-state and nation-state activists and they have sophisticated TTPs. In general they don't have to use them. Nation-states haven't even pulled out their quote "good stuff" yet because right now, for the most part they go with low-hanging fruit, low-hanging fruit being-- >> Just pushing the door open, right? >> Yeah, I mean, why try to crash through the wall when you can just, you know, the door's not locked? And so, you know, when you talk about things like social media whether it's phishing, whether it's malware injected in images, or on Facebook, or Twitter, you know, the majority of tacts are either driven through people, or driven through just unpatched systems. And so, you know, it's kind of cliche, but it really starts with policies, training of the people in your organization, but then also putting some more proactive monitoring in place to be able to kind of start to detect some of those more advanced signatures for some of the stuff that's happening in social media. >> It's like having the best security system in the world, but you left your front door unlocked. >> That's right, that's right. >> So I wonder if, Brad, I don't know how much you can say, but I wonder if you could comment just generally, like you said, we haven't seen their best pitch yet, we had Robert Gates on, and when I was interviewing him he said, "You know, we have great offensive posture and security, but we have to be super careful how we use it because when it comes to critical infrastructure we have the most to lose." And when you think about the sort of aftermath of Stuxnet, when basically the Iranians said hey we can do this too, what's the general sort of philosophy inside the beltway around offense versus defense? >> You know, I think from, that's a great question. From an offensive cyber perspective I think where the industry is going is how do you take offensive tradecraft and apply it to defensive? And so by that I mean, think about we take folks that have experience thinking like a bad guy, but unleash them in a security operation center to do things like advanced hunting, and so what they'll do is take large sets of data and start doing hypothesis driven analytics where they'll be able to kind of think like a bad guy and then they'll have developers or techies next to them building different types of analytics to try to take their mind and put it into an analytic that you can run over a set of data to see, hey, is there an actor on your network performing like that? And so I think we see in the space now a lot of focus around hunting and red teaming, and I think that's kind of the industry's way of trying to take some of that offensive mentality, but then apply it on the defensive side. >> Dave: It just acts like kind of Navy Seal operations in security. >> Right, right, yeah. I mean the challenge is there's a finite set of people in the world that really, truly have that level of tradecraft so the question is, how do you actually deliver that at any level of scale that can make a difference across this broader industry. >> So it's the quantity of those skill sets, and they always say that the amazing thing, again I come back to Stuxnet, was that the code was perfect. >> Brad: Yeah. >> The antivirus guy said, "We've never seen anything like that where the code is just perfect." And you're saying it's just a quantity of skills that enables that, that's how you know it's nation-state, obviously, something like that. >> Yeah, I mean the level of expertise, the skill set, the time it take to be able to mature that tradecraft is many many years, and so I think that when we can crack the bubble of how we can take that expertise, deliver it in a defensive way to provide unique insights that, and do that at scale because just taking one of those folks into an organization doesn't help the whole, right? How can you actually kind of operationalize that to be able to deliver that treadecraft through things like analytics as a service, through manage, detection, and response, at scale so that one person can influence many many organizations at one time. >> And, just before we go, so cyber foresight is available today, it's something you're going to market with. >> Yeah, we just partnered with Splunk, it's available as a part of Splunk ES, it's an add-on, and it provides our analysts the ability to provide insights and be able to operationalize that within Splunk, we're super excited about it and it's been a great partnership with Splunk and their ES team. >> Dave: So you guys are going to market together on this one. >> We are partnered, we're going to market together, and delivering the best of our tradecraft and our intelligence analysts with their platform and product. >> Dave: Alright, good luck with it. >> Hey, thank you, thank you very much, guys. >> Good pair, that's for sure, yeah. Thank you, Brad, for being with us here, and Monday night, let's see how it goes, right? >> Yeah, I'm optimistic. >> Very good, alright. Coach Brad Medairy joining us with his rundown on what's happening at Booz Allen. Back with more here on theCube, you're watching live .conf 2017.

>> Man: Live from Washington DC it's the Cube. Covering .conf2017, brought to you by splunk. >> Welcome back to Washington DC, Nations capital. Here for dotconf2017 as the Cube continues our coverage. The flagship broadcast of silicon idol tv. Along with Dave Alonte, I am John Walls. Glad to have you with us after we've had a little lunch break. Feeling good? >> Feel great, good conversation with customers, dug into the pricing model, got some good information. >> What did you learn at lunch? >> Well talk about it at the end of the day. >> Alright, good, look forward to it. Let's talk healthcare right now. Derek Merck is with us right now. He is the director of computer vision and imaging analytics at the Rhode Island Hospital. Which is the teaching hospital for Brown University. Derek thanks for joining us here on the Cube. Good to see ya. >> Absolutely, very excited to be here. >> So, well and as are we to have you. Director of computer vision and image analytics, so let's talk about that. What falls under your portfolio, and tell us where does Splunk come into that picture? >> It's been an interesting journey, Rhode Island hospital is a huge clinical service. Takes really good care of the people of Rhode Island. I'm in diagnostic imaging, so I work with all the CT scans, the MR's, radiography, ultrasonography, and what I try to do is automate the data that is coming off all of these machines as much as possible. So, you know typically the patient will come in, they'll get imaged for some reason, the physician will take a look at that image and make a diagnosis, and then that image goes into an archive. It may be used again later if the patient comes back but other than that it is not really used at all. With these sort of emergence of computer vision access to training images, sets of data, has become really critical. Diagnostic imaging has become really interested in taking better account of what imaging they have so that they can try to answer questions like what's alike about these images. What is different about these images, and automate diagnosis. What's similar about all the images of patients who have cancer, versus patients who don't have cancer. Which is basically what a radiologist job is, is to go and look at this patients image and figure out does this patient have cancer or not. SO that is the way you would teach a computer how to do it in an automated fashion. SO I spent a lot of time trying to figure out how do you keep, how do you take, keep better track of what is available and be able to ask these sort of population based questions about what we have in our portfolio of data, our data portfolio. I spent a lot of time writing systems by hand in python, or other kinds of scripting tools. I spent a lot of time trying to interface with the hospital informatics systems, the electronic medical record. The electronic medical record again really meant for taking care of patients it is not meant for population analytics. We ended up basically building our own health care analytic system just to keep track of what we had. What were the doctors saying about different cases. Show me all the cases where the doctors think that some particular thing happened. And be able to ask these questions in real time, generate huge data sets, anonymize them, run them through computer vision algorithms, train classifiers. Diagnostic imaging is really excited about this kind of technology. There has been a lot of interesting side projects as well. One of the most, one of the things that administration is the most interested is because of these kinds of systems we are keeping a lot better track of radiation exposure, per image, so the CT scanners will tell you how much radiation was used for an individual study. But again our analytic systems historically you have no way of saying what's the average? What's high, what's low? Its months of latency, six months of latency between when you run a scan and when American College of Radiology comes back and says some of your scans were a little high in radiation exposure. Whereas now because we keep track of all this data we have this real time dashboards and that is the kind of thing we use Splunk for. WE keep track of all the data we are collecting and then we create these dashboards and give them to people who haven't had access to this kind of analytics before. For looking at utilization, optimizing work flow, things like that. >> I am just kind of curious when you mention like x-rays and maybe Dave you know more about this than I do. But it seems like it is kind of a standard practice you have a certain amount of exposure for a certain amount of test, and that data I don't know how but it sounds like it is more critical to have that kind of data than someone a layman might think. I was curious of the analytics of that. What are you using to determine there in terms of that exposure? >> There's always a trade off with radiation based imaging. There is a lot of non radiation based imaging. Like you may have heard of magnetic resonance imaging, or MR. Those are thought to be perfectly safe. You can get MR's all day long. If fact they do give MR's to people all day long for research purposes sometimes. >> You climb in the tube, I don't want to climb in the tube. >> You get a little claustrophobic >> They are expensive >> That is the thing, we don't have very many of them. They are very slow but they're safe. Ultrasounds very safe, we give ultrasounds to pregnant women all the time very safe, but they don't give you very quality images back. They give you a very small field of view and things are wiggling around. A CT scan is super fast and it gives a physician all the information they need in a snap shot. CT scanners are so fast now they can freeze your beating heart. They can make a revolution around your body of thickness so they can capture your heart while it is in motion. You know like with anything if you have a camera and you take a picture of someone running across the screen you don't see the person you just see this sort of blur, right? Now with modern fast aperture cameras you can take a picture of nutrinos and things that are impossibly fast. I don't know that that's actually true. You might wand to edit that out. (laughing) >> But conceptually >> A CT scan is the same sort of thing. Your heart is beat all the time, your lungs are moving all the time. Your bowls are moving all the time. Your blood is coursing through your veins all the time. It is so fast it can freeze it and give you this volumetric data back. They use that for all kinds of different things. They're not able to do with other kinds of imaging modalities The downside is that they're potentially somewhat dangerous, right? People have known since the 1890's when x-rays were first discovered by Wilhome Rankin that if you put somebody under an x-ray beam for too long, your hair will fall out, you'll get skin burns, all kinds of things that these early pioneers of x-ray did to themselves without realizing it. Documenting all of these problems that can happen, and a CT can uses ionizing radiation if you get too many CT scans you'll get skin reactions, or other kinds of things. It is really important to keep track of the risk to benefit ratio there. People give you a CT scan if you fall down and you hurt your head. They give you a CT scan cause they're worried that you are going to die if you don't get the CT scan. Along with that is this idea of how do you track how many CT scans an individual patient gets in a year. Right now the hospital has a hard time keeping track if somebody comes into the emergency room of automatically identifying oh this patients already had six CT's should we put them in line for a MR instead of another CT. Again these are the kinds of things that we are able to get at through using, through better management of our data and organization of our data. >> You mentioned that you're doing more of this real time analysis, Splunk is obviously a tool that helps do that. Other tooling, are you using cloud based tools? >> We have to be really careful about cloud based stuff. There is this protected health information that everyone's really concerned about. Working with data at the hospital is really walking a fine line you need to be very conscious of security. There really reluctant to let non anonymized data out to cloud sources for storage. There are some ways of getting around that, but basically we run all of our servers in house. There's a couple of big data centers down in the basement of the hospital. Mostly they have clinical duties but we have a number of research servers that are installed down there as well. They're managed by the same IT staff in this sort of hardened architecture. I actually can't do any work from home which is an unusual kind of experience, I am used to being able to log in remotely. >> Oh darn (laughing) >> Or you spend too much time on the job. >> Some times you'd like to >> I'm ambivalent about it, there's goods and bads about it. >> So how do you deal with that streaming infrastructure and real time analysis. Do you guys sort of build your own? Any kind of resource tools, or >> I use a lot of open source tools. Traditionally the hospital wants to pay for everything. They feel like if they pay for things then it comes with uptime guarantees. When I build my systems though, because I'm working on shoestring budgets, And because I believe in open source. I use open source where ever I can. I wanted to mention we're actually for a lot of the work that we do supported through Splunk for good. So I don't pay for a full Splunk license, Cory Marshal who runs Splunk for good, has sort of recognized the value of some of the stuff that we're doing with dealing with non traditional data. It's not the sort of standard things that the other people who are working in the healthcare space with splunk are working with. We are working with imaging data. We are working with patient bedside telemetry data, you know the EKG signals and the heart rate signals. And aggregating all this stuff in to one place to make more sensible alerts and alarms. Oh this patient set off an alarm three times in the last hour I should send a page to the nurse who is taking care of this person. It's different that the kind of business optimism that I think a lot of people in the healthcare space are using splunk for. >> SO you have your core mission around diagnostic imaging. As we sort of touched on you have all these other peripheral factors in your industry. The affordable care act, obviously there's HIPPA, there's EMR, there's meaningful use. How much does that affect your mission? Does it get in the way? Is it something you have to be cognizant of like constantly, obviously HIPPA. Other factors? >> I try to just be cognoscente, I try not to let anything get in my way. Almost all of these things that you talk about they're really meant to protect the patient. I make sure that everything that I do is working with data is that we are anonymizing things, were using data securely, and we are trying to help the patients. I think I just have this moral check in my head of what is what I am doing right now good for my department, good for my institution, good for my patient. Then because I am aware of all these other rules they are very complicated and hard to navigate. At the end of the day I can say I understood that rule, I followed that rule, and what I did was the appropriate thing to do. >> It's like house rules. >> Yeah >> Okay, talk a little bit more about splunk, how are you using it, what it does for your mission, for your operation. >> What I came to the conference this year to talk about is this dose management system that we built that I think is really important. We've had vendors coming in and telling us that medicare isn't going to pay hospitals, or is going to reduce reimbursement to hospitals who can't prove that they're using ionizing radiation imaging appropriately. So what does that mean? No body quite knows exactly what that means. How do I tell whether my hospital is adhering to these rules that are ill defined and these vendors are coming in and they're trying to sell us solutions that are like a hundred thousand dollar a year licenses. Administration is taking this seriously, they're trying to figure out which of these vendors are we going to give money to. In the mean time a bunch of the CT technology staff and I basically put together a system that answers all these questions for them using Splunk. We use splunk to collect meta information about how all the scanners system wide are being use. We have 12 CT scanners, they shoot 90,000 different studies every year. Each one of those studies may be hundreds or even thousands of slices of data in these volumetric data sets. It's a huge amount of data to keep track of. Your not using Splunk to keep track of the imaging per se. Your using splunk to keep track of what imaging you collected. So it is a small fraction, it is just the metadata about each one of the studies. That metadata comes with a bunch of interesting information about what the radiation exposure for each one of those studies was. Splunk has these wonderfully adaptable easy to use tools. That once we covert our strange dicom, device independent communications in medicine data, we flatten it, normalize it, turn it into generic data, it is Json, it's dictionary files. Then splunk has these great tools that can be applied instead of to business analytics and optimization to image analytics and optimization. We build our dashboards on top of splunk to show per institution what was the average dose? Per protocol, per body type, you can track which technologist have the lower doses and higher doses. We found all kinds of interesting things. My favorite story the chief technologist was just telling me. I was putting together my slides for this presentation that I did here about this. I said we need an example of a does outlier. Some time when we had a higher than expected radiation event. We never have dangerously high radiation events. >> Good caveat, thank you. >> All the machines care about is whether you're harming some one and we never harm anyone. The machines don't track, this one is a little higher than you would expect it so that you can say why is that, what happened there? But now we do using our splunk dashboards. So I asked him can you get me an example for my slide deck. He literally just looked over to the monitor that he had open and he says oh right here. Here is a patient who had a 69. These numbers are irrelevant, they're supposed to be 50. He knows what the numbers are supposed to be, to me numbers are just numbers. This patient had a 69 and he picks up the phone, this was 5 minutes ago, he calls down to the control room. He says I'm not blaming anyone but why did Mrs So and So have a little bit higher radiation dose? 69 is not dangerous by the way, alarms don't go off until like 75 or 80 or something like that. So he just called and he asked what was going on with this patient. She had a dislocated arm. Okay I understand. This was a head scan, I was like Scott what does a dislocated arm have to do with a head scan? He said well she went through the CT bore with her arm up over her head which is not the way but it was the only way she would tolerate. So the CT thought she was this big and it had to raise the amount of radiation that it was putting into her to go through a larger object. So he documented that, he put it down, and again we used splunk for ticketing for outlier identification. So he put this one into the outlier identification database that we have, he picked other for the reason because we don't have a drop down menu with dislocated arm. Marked it as closed and it is justified, so when the JCO Joint commission on hospital accreditation comes trough and they say well what do you do to manage your higher than expected radiation exposures? We can both say well we never have unsafe radiation exposures it is all documented right here. When it is higher than usual this is the way we document it, and here are examples of ten or twenty of these odd instances where something happened. Either it was completely justified like this lady where the machines were used appropriately, that was appropriate. Or very occasionally we'll find something strange like an improper head holder was being used at one site for a while. It was resulting in these head CT's should usually be around 45 or 50 and instead they were 55 or 60. They went and they took the metal head holder and replaced it with a carbon fiber head holder that they should have been using and then all of a sudden our doses came down, and we documented it. >> It was a dislocated arm, let's leave it at that alright and we are happy with that. Derek thanks for being with us >> Oh absolutely >> Appreciate the time here on the cube and glad to have you here. Continued good luck with your work at Rhode Island. >> Thank you very much, you guys have a good day. >> Very good thank you. Derek Merck joining us here on the cube. We'll continue live from Washington DC right after this. (upbeat music)

>> Narrator: Live from Washington D.C. It's The Cube covering .Conf 2017. Brought to you by Splunk. >> Welcome back to Washington D.C., the Cube continue our coverage here of .Conf2017. It's the Splunk get together here in Washington D.C. We're at the Washington convention center where they have a record crowd, 7,000+ everyone having a splunking good time you might say. Dave Alante, John Walls here and we're joined by a couple of gentlemen who work with TransAlta. Kent Farries on the far left, who's a senior analyist working the security intelligence analytics as well at TransAlta Kent good morning to you sir. I guess good afternoon, we've crossed that threshold haven't we? And Ikenna Nwafor who's a senior information security specialist at TransAlta as well. So good morning to you. >> Thank you good morning to you. >> Kent maybe you could just tee us up a little bit about TransAlta. Tell us a little bit about what core function, what you all are up to and then how the two of you are helping that mission along it's way. >> Sure, TransAlta is a well-respected power generator and wholesale marketer of electricity. It's been in business for over 100 years. We're based out of Calgary, Canada and we have operations in the United States as well as Australia. Myself and Ikenna are part of the security team based out of Calgary and then we also have off shored or outsourced some of the security operations and our function. >> Which I imagine is vast. Right, I mean you've got you know, you're primary mission obviously security, I would assume of the grid, distribution of power. >> Kent: You are correct. >> That's your number one focus. Right, so talk about the complexities of that in general for our audience who may not be familiar with your particular business but you obviously can imagine the nuances and the sensitivities that you have to deal with. >> Kent: So do you want to? >> Ikenna why don't you take that. >> I think they found out that we are in the prior generation business, makes us a critical infrastructure. And that means working and having ties to the grid makes it very critical that we protect our critical information systems from the threat landscape currently in security so it's a vast responsibility for the team, and we have regulatory requirements we need to abide by, things around (inaudible) and compliance requirements so that's really a very daunting task for us to mate with from a security standpoint. >> Right so it's critical infrastructure, that is distributed in it's nature, so it's high value, you're a target. You got to wake up every day knowing that. >> Yeah sure. >> Okay, so maybe take us through sort of your Splunk journey and what role it played kind of the before and after and how has it affected your business? >> I'll take that. So in the mid-2000s, we did security and everything but it wasn't really a key focus of senior manaagement or anything, it wasn't a lot of real breeches, most of the stuff that was going on was a nuisance, right? Out of the marketplace. >> Dave: Kind of hacktivists. >> Yeah, and we dealt with it, a lot of it still wasn't really coming through the internet, it was still coming through other means. So it wasn't at the forefront, even though we tried in say 2006 to make sure that security was at the forefront management wasn't quite ready at that time. Wasn't big breaches or anything. Around 2009 is our first introduction to what we call the SIEM, Security Information Event Management Solution, basically log management. We implemented that in 2009, and then we had that running for about five years until about 2014, but we started to lose some confidence in that tool, it just didn't give us the information that we wanted or needed to properly detect, respond to today's threats. So we stumbled upon Splunk, it took a little while to actually buy it. One of the system engineers tried to sell it to us we said nah, come back later. Nah, no, I don't even know what it is. And then finally I actually spun it up a proof of concept and I go this thing's amazing. Everything I ever thought of doing, I can actually do with this tool. This is wow. So took the POC, sold it to management, come January 2015 we implemented it, we hired the company out of Ontario to help stand it up, and bring all the data in. It was amazing and we had everything we ever wanted. It blew away our previous security information management system. >> So the SIEM fell short, you said because it didn't really give you the information you needed. Was it also a case of it was just too much information? >> It was difficult to use, so we actually went on training when we implemented the original one in 2009. So two weeks of training, down in the U.S., come back, architect still had a consultant help us stand it all up. But we couldn't build the use cases that we really needed. We were happy at the time, just to get log data, but there's no data enrichment or good correlation capabilities or it was super super difficult to implement. You couldn't search something like Splunk Answers, which you can today. I need to Google anything and the answer's out there around Splunk which is just the community's phenomenal. >> So at the time you didn't know what you didn't know and then once you saw Splunk, it sort of changed your vision of what was possible but so you said it was amazing but why is it amazing, what is it about Splunk that the SIEM tools don't do? >> I think to Kent's point, part of the challenge we had with the previous SIEM tool was the fact that it required a whole lot of work to even get a single simple use case in place for our security. Where as when we had Splunk in place, one is onboarding data logs from various sources was really really dead simple. The initial set up was within a day or half a day to basically replicate what we had from our previous SIEM, which was really fast. And then the other thing is Splunk provided a whole lot of flexibility where you really didn't need to go for some two weeks training to actually get going initially. And through the period we've had Splunk, we've seen that there's been a lot of things we've been able to achieve that we couldn't accomplish when we had our previous SIEM. >> Like for example, I mean what's it letting you do now that day to day that you couldn't do before? >> So if you buy a SIEM, typically it's in a vertical. It's serving one purpose. When you implement that it's usually the security team that gets to use it, and you got to bring in all this log data. Your other teams, say in operations or whatever, they want their log data too but they're in a totally different system, with Splunk it's a platform for us. So we bring all the data in, it's consumed by the IT security, it's consumed by dev ops and operations. So the same amount of data that you bring in say from an endpoint, we'll use it for detection forensics type capabilities, but the desktop team can use it as well to see is there application problems, desktop problems. Do I have drivers or something on a desktop that needs to be updated. We can be more proactive and help out the user so for us it's like a fabric. The foundation so once we've got that laid, yep? >> So all these use cases that you're laying out, previously you would have to essentially customize for each use case, is that right? >> Previously we couldn't even do some of them and then the other thing is we would most likely need to engage a third party contractor to assist us with that. Somebody who is a specialist in that field, whereas with Splunk some of the key things that helped us with Splunk is that maybe in the process of responding to a security event. We could think up ideas of we need this information, how do we get it? And on the fly we can easily build up a use case within minutes to get the information we need from Splunk we don't need to consult anyone, we don't need to read up manuals and for instances here we really need information to help us with building up the use cases going to like Kent mentioned earlier, going to Splunk Answers, you most likely get, so there's a broader community with Splunk that really helps with giving you the information you need to help you in your Splunk journey. >> Okay, so it's more intuitive I'm hearing and it's got the data that you need. >> Exactly. >> And so but even if you had an equivalent of Splunk Answers for your previous SIEM tool, you're saying you wouldn't have been able to because it's not flexible enough to architect what you needed? >> Ikenna: Exactly. >> And I'd like to just put a comment in there. I've been in IT for a long time. And I've always wanted to say, build my own database to bring stuff in and do different things, so I'm pretty good at scripting, but I don't want to be designing a full application or whatever. When I saw Splunk and how easy it was to onboard data, I go wow, this is amazing. So when I brought the consultant in and we stood up our original infrastructure, not only did we stand up ES within two weeks, enterprise security, we also onboarded all my custom stuff, like PowerShell scripts, everything else so we brought in acting directory data into Splunk and made it a PVR for us. So we go back in time and look at any one who their manager was and everything that's happened to that account at that exact time and we can correlate that with IP information everything else. As well we have all of our floors are mapped out. We know where you are in any given building or facility. So we were able to do that at a point in time, 'cause there's a PVR. We don't lose that information. And that's data enrichment, and we couldn't do that in the old system. >> So you had a time machine for your machine data. >> Kent: Yeah, it is, absolutely. >> Okay, cool. Now back to your business a little bit, so there's a physical security aspect of what you guys have to worry about as well. And I'm wondering if you could talk about that and how just the sort of attitude you touched on this before, Kent but how the attitudes towards security have changed and evolved over the last decade. Obviously greater awareness. Has that trickled into the lines of business? Or is it still mostly an IT and a security pro problem? >> I'll let Ikenna answer this. >> So really, for us it's been a journey for the last little while around security. And a couple of things we've had over the past few years is spreading the awareness around security across the business and that's really gained traction where it's no longer just the IT security folks talking to the business about what they need to do for security. But also the business getting back to IT security and trying ones they want to implement, setting up solutions trying to figure out okay, what do we do for security? Can you help assist us with something around risk assessment and really over time that has really helped spread that awareness and also we do a whole lot of things around trying to build a security program through performance assesments, that would be useful to identify gaps. And being able to communicate with the stats to senior management, around getting the necessary buy-in to proceed with whatever initiatives we want to run along with from a security standpoint. You want to add to that? >> I think that's good. >> Yeah, I'm sensing that prior to Splunk it was an uphill battle to get management to invest. Because they probably said, alright we're going to throw money at it, what's the result that we're going to get. As you can present metrics to management, it's easier to justify the investments because they're going to be able to see the outcomes, is that fair? >> Yes, definitely. I think prior to Splunk really we had certain sets of metrics but what Splunk has really helped us do is really consolidate all the log sources we have, get the right information and be able to actually provide a holistic view of our security program to senior management and show them across the different business units where we can get value for investment pointing to security. >> And have you evaluated alternatives, I know those competitors, they've bumped up in the past couple of years, have you evaluated those? Or did you at the time? >> Yeah so in 2009, we looked at a few different vendors and we picked a market leader at the time. There's a couple that we liked more than the market leader but they just didn't scale to our size. Back in those days certain vendors would call it events per second or whatever, we did some analysis and go, they just can't scale. That one back in 2009 is now a market leader. It's pretty good, it looks really interesting and everything as well there's about two or three players out there that I think look great from a SIEM perspective, but if you think of us, where we are at a SIEM is a component, but we actually have a platform. And management's bought into the platform, not only a SIEM, they didn't even know what a SIEM really was, before say 2013. And now they just know that we can provide information when they ask for it. If we don't know, we can get the answer within minutes or maybe hours sometimes depending on the complexity of the query, but we have all the information, we have all the PVR, time machine as you mentioned. It's all sitting there. We brought in most of our data, we got a couple little pieces we're still working on, there's different cloud information we're bringing in or other data enrichment. We can tell for example, an ISP anywhere in the world. We can tell our user visited that ISP. Or that attacker came from that ISP. Let's lock that whole ISP out. We have a lot of interesting capabilities where we don't know if we can do that in those other tools. >> So what's your headache of the future? It sounds like Splunk has done a lot to get you up to speed and get you to a very high comfort level now, looking down the road here, what's the next? >> Quickly start and then I think Ikenna wants to speak to this as well, one of the things that we need to do is we're getting better at detecting and responding. We've really focused a lot on prevention to make sure we can prevent what we can. But it's impossible to basically prevent everything, everybody knows that. You see it in the news. So we're trying to get better at detection and response. One of the shortcomings that we've noticed is that we can't always respond as humans fast enough. So we're trying to automate that, get richer information which Splunk allows us to do, so we call them like high fidelity alerts or high confidence alerts. So if we see that, that should never happen in our environment we'll shut that workstation down, disable that account, or cut off that subnet or something like that so it will all be automated. And then us as a team, will come back after the fact and look at it and go oh, yeah that was good. Or oops we made a mistake, sorry about that. And we'll bring the machine back online. >> Yeah, apologize after. >> After, because they move so quickly, or at least what we're seeing, adversaries move fast. >> How about, you want to add to that? >> I think they key, the way we look at our security program is just being on a journey, because the threat landscape changes like by minutes or days really. There's never a point where we'll say we are done. We are fully okay from a security standpoint, so we constantly look at where we need to evolve. A lot of our techs now are looking at cloud services so we are trying to see how we can show cloud services that we use, pool their log information where we can. And I try to actually enhance what we are currently doing. There's really no silver bullet to solving the issue of security so it's really constantly looking at where we can derive efficiencies to help our program. >> I wanted to ask you about pricing. Are you a Splunk cloud customer? You pay a subscription, you have a perpetual license? >> We did the subscription to term. We're evaluating potentially moving to the cloud. It would be near the end of 2018. We're not sure how we're going to go, maybe we'll just put it in say one of the like AWS or Azure instead of maybe going to the cloud offered because personally we like tweaking and doing a couple things under the hood, so there's a little more change control in cloud. At least at the moment, maybe that will change over time. But we like to be able to quickly onboard data, do all this as fast as we can when we need to. >> And you priced, Splunk charged you by the amount of data? >> You pay by the amount of data. >> Okay, so my follow up is, as the amount of data exponentially, as that data curve growth curve kind of grows, reshapes if you will, are you concerned about just the whole pricing model? Does it have to? >> I'll take that one. So the interesting thing about Splunk it's actually disruptive or disruptor or, it can displace technologies within your environment. So we really try to consolidate things down and take out things that aren't needed. So in certain scenarios, we do a lot of vulnerability scanning and all that, we don't necessarily go buy the top top end product and spend a lot of money on that, we might buy something else or even use open source in the future, who knows. Get the information into Splunk and then use Splunk to do all the analysis. So we're paying like one or two percent of what a typical cost would be and that license itself would pay for Splunk. >> So you're getting asset leverage there. >> Yeah. >> It pays for the data growth. >> As well, we're finding other benefits in the environment using predictive analysis for example, we Splunked all of our storage, and I gave that to my boss and I go here ya go, what do ya think? And you can predict it out a quarter, half a year or a year and he was just ready to buy basically a million dollars of hardware and said geez, I don't need to do that. That's pretty cool. >> So you're using Splunk as a capacity planning tool. >> As well, yeah. We use it for many purposes. >> Very interesting. >> That sounds like a good year end bonus to me there, Kent. (laughter) Gentlemen you both came down from Canada, is that right? >> Yes, we did. >> So my apologies for the unseasonably warm weather here, but we have the lights on which is something you're very familiar with, right at TransAlta. Thanks for the time, interesting conversation glad you both could be here with us today. >> Thanks for having us. >> Alright continuing more our coverage here on The Cube for .conf2017, we'll be live here in Washington D.C. Take a little break, back at 1:30 Eastern time, see you then.

>> Announcer: Live from Washington D. C., it's the CUBE. Covering .conf2017. Brought to you by Splunk. (electronic music) >> Welcome back to the nation's capitol everybody. This is the CUBE, the leader in live tech coverage. And we're here at day two covering Splunk's .conf user conference #splunkconf17, and my name is Dave Vellante, I'm here with with co-host, George Gilbert. As I say, this is day two. We just came off the keynotes. I'm over product orientation today. George, what I'd like to do is summarize the day and the quarter that we've had so far, and then bring you into the conversation and get your opinion on what you heard. You were at the analyst event yesterday. I've been sitting in keynotes. We've been interviewing folks all day long. So let me start, Splunk is all about machine data. They ingest machine data, they analyze machine data for a number of purposes. The two primary use cases that we've heard this week are really IT, what I would call operations management. Understanding the behavior of your systems. What's potentially going wrong, what needs to be remediated. to avoid an outage or remediate an outage. And of course the second major use case that we've heard here is security. Some of the Wall Street guys, I've read some of the work this morning. Particularly Barclays came out with a research note. They had concerns about that, and I really don't know what the concerns are. We're going to talk about it. I presume it's that they're looking for a TAM expansion strategy to support a ten billion dollar valuation, and potentially a much higher valuation. It's worth noting the conference this year is 7,000 attendees, up from 5,000 last year. That's a 40% increase, growing at, or above actually, the pace of revenue growth at Splunk. Pricing remains a concern for some of the users that I've talked to. And I want to talk to you about that. And then of course, there's a lot of product updates that I want to get into. Splunk Enterprise 7.0 which is really Splunk's core analytics platform ITSI which is what I would, their 3.0, which I would call their ITOM platform. UBA which is user behavior analytics 4.0. Updates to Splunk Cloud, which is a service for machine data in the cloud. We've heard about machine learning across the portfolio, really to address alert fatigue. And a new metrics engine called Mstats. And of course we heard today, enterprise content security updates and many several security-oriented solutions throughout the week on fraud detection, ransomware, they've got a deal with Booz Allen Hamilton on Cyber4Sight which is security as a service that involves human intelligence. And a lot of ecosystem partnerships. AWS, DellEMC was on yesterday, Atlassian, Gigamon, et cetera, growing out the ecosystem. That's a quick rundown, George. I want to start with the pricing. I was talking to some users last night before the party. You know, "What do you like about Splunk? "What don't you like about Splunk? "Are you a customer?" I talked to one prospective customer said, "Wow, I've been trying to do "this stuff on my own for years. "I can't wait to get my hands on this." Existing customers, though, only one complaint that I heard was your price is to high, essentially is what they were telling Splunk. Now my feeling on that, and Raymo from Barclays mentioned that in his research note this morning. Raymo Lencho, top securities analyst following software industry. And my feeling George is that historically, "Your price is too high," has never been a headwind for software companies. You look at Oracle, you look at ServiceNow, sometimes customers complain about pricing too high. Splunk, and those companies tend to do very well. What's your take on pricing as a headwind or tailwind indicator? >> Well the way, you always set up these questions in a way that makes answering them easy. Because it's a tailwind in the sense that the deal sizes feed an enterprise sales force. And you need an enterprise sales force ultimately to be pervasive in an organization. 'Cause you can't just throw up like an Amazon-style console and say, "Pick your poison and put it all together." There has to be an advisory, consultative approach to working with a customer to tell them how best to fit their portfolio. >> Right. >> And their architecture. So yes, the price helps you feed that what some people in the last era of enterprise software used to call the most expensive migratory workforce in the world., which is the sales, enterprise sales organization. >> Sure, right. >> But what's happened in the different, in the change from the last major enterprise applications, ERPCRM, and what we're getting into now, is that then the data was all generated and captured by humans. It was keyboard entry. And so there was no, the volumes of data just weren't that great. It was human, essentially business transactions. Now we're capturing data streaming off everything. And you could say Splunk was sort of like the first one out of the gate doing that. And so if you take the new types of data, customer interactions, there are about ten to a hundred customer interactions for every business transaction. Then the information coming out of the IT applications and infrastructure. It's about ten to a hundred times what the customer interactions were. >> Yeah. >> So you can't price the, Your pricing model, if it stays the same will choke you. >> So you're talking about multiple orders of magnitude >> Yes. >> Of more data. >> Yeah. >> And if you're pricing by the terabyte, >> Right. >> Then that's going to cross your customers. >> Right. But here's what I would argue though George. I mean, and you mentioned AWS. AWS is another one where complaints of high pricing. But if, to me, if the company is adding value, the clients will pay for it. And when you get to the point where it becomes a potential headwind, the company, Oracle is a classic at this, will always adjust its pricing to accommodate both its needs as a public organization and a company that has to make money and fund R & D, and the customers needs, and find that balance where the competition can't get in. And so it seems to me, and we heard this from Doug Merritt yesterday, that his challenge is staying ahead of the game. Staying, moving faster than the cloud guys. >> Yeah. >> In what they do well. And to the extent that they do that, I feel like their customers will reward them with their loyalty. And so I feel as though they can adjust their pricing mechanisms. Yeah, everybody's worried about 606, and of course the conversions to subscriptions. I feel as though a high growth, and adjustments to your pricing strategy, I think can address that. What do you think about that? >> It's... It sounds like one of those sayings where, the friends say, "Well it works in practice, "but does it work in theory?" >> No, no. But it has worked in practice in the industry hasn't it? So what's different now? >> Okay. So take Oracle, at list price for Oracle 12C, flagship database. The price per processor core, with all the features thrown in, is something like three hundred thousand, three hundred fifty thousand per core. So you take an average Intel high end server chip, that might have 24 cores, and then you have two sockets, so essentially one node server is 48 times 350. And then of course, Oracle will say, "But for a large customer, we'll knock 90% off that," or something like that. >> Yeah, well exactly. >> Which is exactly what the Splunk guys told me yesterday. But it's-- >> But that's what I'm saying. They'll do what they have to do to maintain the footprint in the customer, do right by the customer, and keep the competition out. >> But if it's multiple orders of magnitude different. If you take the open source guys where essentially the software's free and you're just paying for maintenance. >> (laughs) Yeah and humans. >> Yeah, yeah. >> Okay, that's the other advantage of Splunk, as you pointed out yesterday, they've got a much more integrated set of offerings and services that dramatically lower. I mean, we all know the biggest cost of IT is people. It's not the hardware and software but, all right, I don't want to rat hole on pricing, but that was a good discussion. What did you learn yesterday? You've sat through the analyst meeting. Give us the rundown on George Gilbert's analysis of .conf generally and Splunk as a company specifically. >> Okay, so for me it was a bit of an eye opener because I got to understand sort of, I've always had this feeling about where Splunk fits relative to the open source big data ecosystem. But now I got a sense for what their ambitions are, and what their tactical plan is. I've said for awhile, Splunk's the anti-Hadoop. You know, Hadoop is multiple, sort of dozens of animals with three zookeepers. And I mean literally. >> Yeah. >> And the upside of that is, those individual projects are advancing with a pace of innovation that's just unheard of. The problem is the customer bears the burden of putting it all together. Splunk takes a very different approach which is, they aspire apparently to be just like Hadoop in terms of platform for modern operational analytic applications, but they start much narrower. And it gets to what Ramie's point was in that Wall Street review, where if you take at face value what they're saying, or you've listened just to the keynote, it's like, "Geez, they're in this IT operations ghetto, "in security and that's a La Brea tar pit, "and how are they ever going to climb out of that, "to something really broad?" But what they're doing is, they're not claiming loudly that they're trying to topple the giants and take on the world. They're trying to grow in their corner where they have a defensible moat. And basically the-- >> Let me interrupt you. >> Yeah. >> But to get to five billion >> Yeah. >> Or beyond, they have to have an aggressive TAM expansion strategy, kind of beyond ITOM and security, don't they? >> Right. And so that's where they start generalizing their platform. The data store they had on the platform, the original one, is kind of like a data lake in the sense that it really was sort of the same searchable type index that you would put under a sort of a primitive search engine. They added a new data store this time that handles numbers really well and really fast. That's to support the metrics so they can have richer analytics on the dashboard. Then they'll have other data stores that they add over time. And for each one, you're able to now build with their integrated tool set, more and more advanced apps. >> So you can't use a general purpose data store. You've got to use the Splunk within data. It's kind of like Work Day. >> Yeah, well except that they're adding more over time, and then they're putting their development tools over these to shield them. Now how seamlessly they can shield them remains to be seen. >> Well, but so this is where it gets interesting. >> Yeah. >> Splunk as a platform, as an application development platform on which you can build big data apps, >> Yeah. >> It's certainly, conceptually, you can see how you could use Splunk to do that right? >> And so their approaches out of the box will help you with enterprise security, user, they call it user behavior analytics, because it's a term another research firm put on it, but it's really any abnormal behavior of an entity on the network. So they can go in and not sell this fuzzy concept of a big data platform. They said, they go in and sell, to security operations center, "We make your life much, much easier. "And we make your organization safer." And they call these curated experiences. And the reason this is important is, when Hadoop sells, typically they go in, and they say, "Well, we have this data lake. "which is so much cheaper and a better way "to collect all your data than a data warehouse." These guys go in and then they'll add what more and more of these curated experiences, which is what everyone else would call applications. And then the research Wikibon's done, depth first, or rather breadth first versus depth first. Breadth first gives you the end to end visibility across on prem, across multiple clouds, down to the edge. But then, when they put security apps on it, when they put dev ops or, some future big data analytics apps as their machine learning gets richer and richer, then all of a sudden, they're not selling the platform, because that's a much more time-intensive sale, and lots more of objectives, I'm sorry, objections. >> It's not only the solutions, those depth solutions. >> Yes, and then all of a sudden, the customer wakes up and he's got a dozen of these things, and all of a sudden this is a platform. >> Well, ServiceNow is similar in that it's a platform. And when Fred Luddy first came out with it, it's like, "Here." And everybody said, "Well, what do I do with it?" So he went back and wrote a IT service management app. And they said, "Oh okay, we get it." Splunk in a similar way has these depth apps, and as you say, they're not selling the platform, because they say, "Hey, you want to buy a platform?" people don't want to buy a platform, they want to buy a solution. >> Right. >> Having said that, that platform is intrinsic to their solutions when they deliver it. It's there for them to leverage. So the question is, do they have an application developer kit strategy, if you will. >> Yeah. >> Whether it's low code or even high code. >> Yeah. >> Where, and where they're cultivating a developer community. Is there anything like that going on here at .conf? >> Yeah, they're not making a big deal about the development tools, 'cause that makes it sound more like a platform. >> (laughs) But they could! >> But they could. And the tools, you know, so that you can build a user interface, you can build dashboards, you can build machine learning models. The reason those tools are simpler and more accessible to developers, is because they were designed to fit the pieces underneath, the foundation. Whereas if you look at some of the open source big data ecosystem, they've got these notebooks and other tools where you address one back end this way, another back end that way. It's sort of, you know, you can see how Frankenstein was stitched together, you know? >> Yeah so, I mean to your point, we saw fraud detection, we saw ransomware, we see this partnership with Booz Allen Hamilton on Cyber4Sight. We heard today about project Waytono, which is unified monitoring and troubleshooting. And so they have very specific solutions that they're delivering, that presumably many of them are for pay. And so, and bringing ML across the platform, which now open up a whole ton of opportunities. So the question is, are these incremental, defend the base and then grow the core solutions, or are they radical innovations in your view? >> I think they're trying to stay away from the notion of radical innovation, 'cause then that will create more pushback from organizations. So they started out with a google-search-like product for log analytics. And you can see that as their aspirations grow for a broader set of applications, they add in a richer foundation. There's more machine learning algorithms now. They added that new data store. And when we talked about this with the CEO, Doug Merritt yesterday at the analyst day, he's like, "Yes, you look out three to five years, "and the platform gets more and more broad. "and at some point customers wake up "and they realize they have a new strategic platform." >> Yeah, and platforms do beat products, and even though it's hard sell, if you have a platform like Splunk does, you're in a much better strategic position. All right, we got to wrap. George thanks for joining me for the intro. I know you're headed to New York City for Big Data NYC down there, which is the other coverage that we have this week. So thank you again for coming on. >> Okay. >> All right, keep it right there. We'll be back with our next guest, we're live. This is the CUBE from Splunk .conf2017 in the nation's capitol, be right back. (electronic music)

>> Narrator: Live from Washington D.C. it's The Cube, covering .comf 2017. Brought to you by Splunk. >> Welcome back to the district everybody. We are here at .comf 2017. This is The Cube, the leader in live tech coverage. I'm Dave Vellante with my co-host George Gilbert. Doug Merritt here, the CEO of Splunk. Doug, thanks for stopping by The Cube. >> Thanks for having me here Dave. >> You're welcome! Good job this morning. You are a positive guy, great energy. You got the fun T-shirt, I like big data and I cannot lie. The T-shirts I love, so great. You guys are a fun company. So congratulations. >> Doug: Well thank you. >> How's it feel? >> It feels great. You're surrounded by 7,000 fans that are getting value out of the products that you distribute to them and the energy is just off the charts as you said. It's truly an honor to be able to be surrounded by people that care about your company as much as these people do. >> Well one of the badges of honor that Splunk has at your shows is spontaneous laughter and spontaneous applause. You get a lot of that. And that underscores the nature of your customer base and the passion that they have for you guys so that's a pretty good feeling. >> From the very beginning, from the first code that Erik Swan and Rob Dos pushed out, the whole focus has been on making sure that you please the user. The attendance that they created to drive Splunk still stand today and I think a lot of that spontaneous laughter and applause goes back to if you really pay attention to your customer and you really focus all your energy on making sure they're successful, then life gets a lot easier. >> Well it's interesting to watch the ascendancy of Splunk and when you know, go back to 2010, 2011, everybody was talking about big data, it was the next big thing, Splunk never really hopped on that meme from a narrative standpoint. But now you kind of are big data. You kind of need big data platforms to analyze all this data. Talk about that shift. >> I still don't think that we are the lead flag waver on big data. And I think so much of that goes back to our belief on how do you serve customers? Customers have problems and you've got to create a solution to solve that problem for them. Increasingly in these days, those problems can be solved in a much more effective way with big data. But big data is the after effect. It's not the lead of the story, it's the substantiation of the story. So what I think Splunk has done uniquely well is, whether it's our origins in IT operations and systems administration or our foray into security operations centers and analytics and security analyst support. As we started with what is the problem that we're trying to solve. And then because we're so good at dealing with big data, obviously we're going to take a unstructured data, big data approach to that problem. >> So about two years in, you were telling us off camera about the story of Splunk has a tendency to be a little ADD. You came in, helped a little prioritization exercise, but what have you learned in two years. >> Ah, infinite. You have to have an hour for that. I think part of the ADD is because the platform is so powerful, it can solve almost any problem. And what we need to do to help our customers is listen to them and figure out what are the repeat problems so that we can actually scale and bring it to lots of different people. And that's been part of that focus problem or focus opportunity we have, is if you can solve just about anything, how do you help your customers understand what they should do first, second and third. I think that's part of the dilemma we see in the big data space, is people started with I want to just amass all the data. And I think that was a leftover to where big data, George and I were talking about this, where those big data platforms started from. If I'm Yahoo, if I'm Google, if I'm LinkedIn, if I'm Facebook, the guys that originated MapReduce and the whole Hadoop ecosystem, my job is data. Literally, that's all I have, that's all I monetize and drive. So I both have the motivation and the technical engineering knowhow to just put every bit of data I possibly can somewhere for later retrieval. But even those organizations have a hard time really optimizing that data. So if the average or ar-din-e-ah start in a different spot. It's not just put everything somewhere that I can later retrieve it, it's what problem are you trying to solve, what data do I need to solve that problem and then how do I use it, how do I bring it into something and then visualize it so that I get immediate payback and return and that's, I think you guys talked to Mike Odi-son on the show, he was in my keynote, that's a lot of the magic he brought to Get-lick and to Dubai Upworks is, let's just start with can we get people through security in five minutes or less? What data do we need? And then you can move on to the next problem and the next problem. But I think it's a more practical and more effective way of looking at big data is through a customer solution lens. >> Dave: Yeah great story Dubai Upwork. Go ahead George. >> When you look at the customer adjacencies, are you looking at what is the most relevant next batch of data relative to what I've accumulated for the first problem? Or is it an analytic solution that addresses a similar end customer, similar department? How do you find those adjacencies and attack them? >> So the good news and the beauty of Splunk is it's not difficult to get data into the platform. When you do the surveys on data scientists and I think Richard talked about this in his keynote, they all unanimously come back and say, "We spend 60 to 80% "of our time just trying to wrangle data." Well that's not super hard for them. How do you get data in quickly? So we've always been effective at getting massive amounts of data because of the way that we architect the system in. The challenge for us is how do you marry domain expertise and the different algorithms, queries or usage the data so you get that specific solution to a problem? So we've built up a whole practice of looking at the data sources that are in. What do we know from our customer base that says here are the top end use cases that have been able to take advantage of those data sources for these outcomes. And that's how we try to work with customers to say, "Alright you've already brought server logs, "firewall logs and API streams from these four "A to B odd services into Splunk. "I've already got this benefit. "What are the next two things you can do "with that data to get additional benefit?" >> So in a sense, you've got a template for mapping out a customer journey that says, "Here are the next steps." It's like a field guide to move them along in maturity. >> Dave: And you can codify that? >> That's been the hard part is both creating the open source contribution framework, for lack of a better word, what are all these different uses? But the final mile or final inch that most of these customers are trying to drive to is different for every single customer. And that's again, part of what the challenge is with AINML and what we were highlighting on stage this morning. There's two different dimensions, three different dimensions you're dealing with simultaneously. One is what data sets are you bringing together? And as you add different data it radically changes the outcome. What algorithms are you driving? And as you tweak an al-go, even on the same data, it radically changes the outcome. And then what functional lens are you putting in place? And so if you want to solve baggage handling at the airport like one of Michael Epperson's guys, you need some rich aviation and logistics experience to actually understand that to mean how do you bring that to main set together with the actual data that the algorithms and the data sets you get that rapid piece. And so creating enough of those so they're easily digestible and easily actionable by our customers, that is the horizon that we're trying to pierce through. >> And that leads to an ecosystem question, does it not? >> Doug: It does. >> Is that the answer or part of the answer for that mile or last inch that micro vertical. >> That's a huge chunk of the answer. Because you just go back to I need that domain expertise. And pharmaceutical drug exploration expertise is different than general healthcare medical expertise. If you're not able to bring that practical experience with the ability to easily wrangle data and some data scientists that can write these really interesting and effective ML routines, then it's difficult to get that value. >> So I know you'll jump in here in a second, so what are you guys doing explicitly on that front? Where does that fall in the priority list? Is it percolating? >> So many points made Splunk unique from the very beginning. A whole host of things. But one is we made it accessible for an average person to get data in, to store data and to extract value. A lot of the technologies that are out there, you can cobble together and eventually get to Splunk but it's really long, painful and difficult. If you take that same orientation around this now over-hyped MLAI world, it's the same thing, how do you raise the bar so that an average person on an average day with domain expertise and some understanding of data can find ways to get value back out. So I think there's certainly a technology problem because you've got to be able to do it at scale, at speed with integrity. But I think it's almost as much or maybe more of a user interface, an approachability problem 'cause there's just not enough data scientists and data experts that are also computer science experts to go around and solve this problem for the world. >> So it sounds like there's two approaches. There's the customer specific last mile and then what you were talking about earlier, sort of in the keynote and the (mumbles) breakout, which is try and find the horizontal use cases that you can bake into what Richard called curated experiences, which is really ML models that need minimal, light touch from the customer. >> Doug: Yes. >> So help us understand how those can build out with the customer last mile and then the customer wakes up with a platform. >> We have over 1,500 solutions as part of Splunk base which really are those mini curated experiences. From my Palo Alto environment, a combination of Palo Alto, us and third parties created Palo Alto Solution that is able to read data in from the different Palo Alto technologies and provide Dash, Borge, Alert, Remediations how to really assist the Palo Alto team doing their job more effectively. So there's over 1,500 of those in Splunk base. What Rick and the IT operations and App Dev arena and high end security arena are responsible for is how do we continue to gen up the ecosystem so we get more and more of those experiences? How can we extend from Palo Alto firewalls to overall network and perimeter visibility? Which is a combination now of breeding in Palo Alto firewall logs plus the other firewall technologies they likely have, plus network data, plus endpoint data so we can get visibility. And that almost always is a hyper heterogeneous environment, especially when you start to drive the applications (mumbles), maybe some in GCP, maybe some in Azure. They all have different formats. They've got different virtualization technologies that represent all those different on prime renditions. So I think that the world continues to get more complex. And the more that we can help the community, corral the community into here are buying centers and here are pinpoints, use the technology to finish and deliver that curated experience, the easier it is and the better it is for our customers. >> Doug I know you're super busy and you got to go, so last question. We've seen Splunk go from startup, pre IPO, successful IPO, couple bumps along the way. Now you guys are over a billion dollars. I feel like there's much more to come. The ecosystem is growing, the adoption is really, really solid. The richness of the platform continues to grow. Where do you see it going from here? >> I really do believe in my heart, my deepest heart, that this is the next five, ten, 20 billion dollar organization out there. And it's less the money than the representation of what that means. Reaching millions to tens of millions to hundreds of millions of people with these curated experiences, with these solutions within sights across hundreds of thousands to potentially millions of different entities out there, organizations, whether it's non-profit, governmental, commercial. We are, Mark Endreessen is famous for saying, "The world is becoming a software world." I agree. I take it one step further. I think the world is becoming a data driven and a data inside world. Software is key to that but you implement software so you can get insights and be intelligent and sense and respond and continue to iterate and grow. And I believe that Splunk is the best position company and technology on the planet right now to lean in and make this practical and approachable for the millions of end users and the hundreds of thousands of organizations that need that capability. >> So much more to talk about with Doug Merritt. Thanks so much for coming brother. >> Thank you. >> Really a pleasure having you. >> Thank you George. >> Alright keep it right there everybody, we'll be back with our next guest. This is #splunkconf17, check that out. Check out #cubegems. This is The Cube. We're live, right back from the D.C. Bye bye. (electronic pulse music)

(upbeat electronic music) >> Narrator: Live from Washington, D.C., it's theCUBE. Covering .conf2017. Brought to you by Splunk. >> Welcome back to the nation's capital, everybody. This is theCUBE, the leader in live tech coverage, and we're here at .conf2017. Splunk's customer event. This is the seventh year that we're covering .conf with theCUBE here in the nation's capital, in the district. I'm Dave Vellante with George Gilbert. For the wrap of day one, we'll be here for two days. George, good day overall. At Splunk, the Splunk ecosystem continues to grow. Splunk evolves as a company. We're talking about a company. We didn't really have time this morning to run this down, but it's about a 1.2 billion dollar company, growing at about 30% a year. It's got a 10 billion dollar market cap, thanks in some part to the Symantec CEO, who'd found that, hey, Splunk might be a good acquisition target. And the stock shot up there for a little bit. Fifteen thousand customers. They've got a billion dollars in cash. Zero debt. So, nice balance sheet. Good growth. Small, but meaningful positive free-cash flow. So, from a financial perspective, this Splunk's looking pretty good right now. New CEO. They had some bumps in the road in the past. Some kind of, you know, guidance issues. But all seems to be pretty good right now. From your financial analyst, put your financial analyst hat on for a second. How's the company look to you? >> I actually think the numbers look better than the, sort of, high level optics, because it's mostly subscription revenue. And, so, you're rather than get, say, one hundred dollars up front from a perpetual license, they're getting, say, 20 to 25 dollars over a period of, you know, x-many years. So that actually depresses your operating margins. >> Dave: Sure >> And so their revenue impact, and their profitability, is better than it looks. >> Dave: Am I mistaken, I thought the vast majority of their revenue was still perpetual license, right? >> George: I think they've been converting to where you pay on the throughput. How much data you ingest per day. And I think that that's, you don't pay for it all up front. >> So they're migrating to a rateable model. >> George: Yeah. >> Which is, often times, crushes companies, but they seem to be managing through that. So, anyway, that's one thing that I wanted to talk about a little bit. Some of the themes that you and I talked about this morning. There were six that you and I kind of laid out. The expansion of the total available market. Really, from a monitoring, log data, into more of an application platform. Part of that is the shift from sim, from a security standpoint, into more analytic oriented >> George: Yeah. >> activities. >> The second one was the whole cloud and hybrid cloud play. Another theme we looked at was admin and dev complexity, and Splunk's recipe for simplifying that. Machine learning. Where does that fit in? Obviously, with some of their ITOM stuff they're trying to be more proactive and anticipatory. Breadth or depth. Meaning, do they go deep within sort of an application silo. Or use case. Or do they sort of more broadly based platform. And then, the last one, number six, is sort of IoT at edge processing. George, that's not something that we were able to spend much time on this morning, or any time. So, I'd like to start there. Everyone talks about IoT. We all know that, at least in concept, all this data is going to be generated. A lot of it is stateless. We talked about that on the wikibon research meeting a couple weeks ago. With serverless. Question. Where does Splunk fit in IoT. If the strategy is to, sort of, send it all back to the cloud, is that a viable approach? And is that their strategy? >> It's not their strategy, it's what their architecture allows today. But they know that doesn't work because in a world of sort of, industrial assets, and, sort of, consumer devices, you're producing so many more devices per year and so many more data elements per device, per time period, that the amount of data is exploding, exponentially. You cannot, for latency and bandwidth reasons, send that all to the cloud, to get an answer and then send it back. So, part of what's happening, and part of what Splunk is building, is the ability to capture that data. Perform low latency analytics, drive an answer to a local device, and then, what they do is, what other IoT platforms do, send up the interesting data. The stuff that doesn't fit. The stuff that you want to make sense out of, where you have to rethink your model. Your predictive model. And then that sort of research and refinement happens in the cloud. And when you think you have a good new model, you push it back out to the edge. This is, again, all theoretical. They haven't talked about it yet other than directionally. But, it's worth saying, as our distinguished CTO reminds us, that something David Floyer, 95% perhaps of the data and analytics, will happen, really the data processing will happen at the edge. More interesting, though, is the division of labor up in the cloud. It's not just retraining a model but we'll have very rich simulations. So, rather than just saying, training a self driving car to, you know, in the snow, to avoid sunlight that obscures it's view of the hazards in the road, you actually might have a simulation where you go through a whole bunch of different essentially, edge conditions >> Dave: Mmm-hmm. >> So the models get very, very rich. And then, those get pushed down to the edge for local processing. >> David: End-end learning is iterative >> George: Yes, yes. >> And that continues >> George: Yes. >> And, OK, so that's cool. That sort of leads to the discussion of cloud and hybrid cloud. We heard even from AWS that much of the processing and analysis can occur on-prem and their model. It's not something that just has to get done in the AWS cloud. Interesting to hear AWS acknowledge that. Whereas, five, six years ago, their dogma was everything goes into the cloud. So they're learning and evolving along with their partners. But what about Splunk's cloud play. Years ago, they announced, you know, cloud offering. We talked earlier much more of their revenue coming from routable models. I think 50% of their new business is cloud only. >> Mmm-hmm. >> Which makes sense. A lot of data analysis is going on in the cloud. What's your sense of their cloud strategy? Is it working? Are you sanguine toward their approach? >> So, we've had, since the dawn of the Pleistocene era in computing we've had multiple platforms. And there has always been a desire to have a common development and runtime environment across different platforms. So that developers are not locked in, or so that they can have a common platform for building apps across platforms >> David: Mmm-hmm. >> And for running them. The same, so like that you had, part of Cisco's success and Oracle's success was that you had the same admin experience no matter what you were running on. >> Dave: So, Linux, obviously. >> Yes >> Dave: Addressed what UNIX never could. >> Yes, yes >> Was the promise of UNIX. Obviously some of Microsoft's ascendancy was given that, you know, binary compatibility with Windows. >> George: Yes. >> OK, so, will we achieve that with cloud. It looks like we're further away from that than ever. >> George: There's choices here. Where, with Splunk, they will have this self contained environment that can run on many platforms. They're run on-prem. They'll have some subset that runs on the edge. They'll have something that runs compatably on Azure and Amazon and Google. But, once they're on the cloud they're these really powerful centrifugal forces that are pulling apart the compatibility of that singular platform. Because you'll have very specialized services. For instance, if you're doing IoT with Amazon, you have the kinesis firehose service, that's pumping data into Splunk or into S3 where other services might be operating on it. Whereas, with Azure you might have different edge services pumping data into could be Splunk, could be Splunk plus other services. For instance, Splunk doesn't have really strong scale-out SQL database. Where you might want to do some advanced analytics as part of your predictions. >> Dave: OK, so I could leverage DynamoDB as an example, or something like that. >> Yes. Yeah. >> Dave: OK. >> Or Redshift on Amazon. Or snowflake as cross platform. That sort of thing. >> Dave: OK, good. Are you here? You're here tomorrow? Yes? >> Yeah. >> At least in the morning? >> Yeah >> OK, homework assignment tonight. Were you participating in the analyst event today? >> Yeah >> OK, so you've got some other inside >> Yeah >> So bring all the NDA stuff. Tonight, like I say, homework assignment, try to distill that down. Would love to have you back if you have the time at the open tomorrow. >> If I have the time. Dave, I flew across the country to sit next to you. >> That's awesome. >> Ha ha ha. >> Great. Alright. Good. So boil it down for us. Tomorrow, why don't you come on and take us through what you learned yesterday Maybe some of the product announcements. And give us your the George Gilbert, kind of, wikibon view of the future for Splunk and this industry, OK? >> OK >> Alright, great. Thank you George for helping me wrap. That is a wrap of day one today. This is theCUBE. We're live all day tomorrow. Watch the replays at siliconangle.tv. Check out siliconangle.com for all the news. Check out wikibon.com for all the research. And go to Twitter. The hashtag of this event is #splunkconf17 and also checkout hashtag #cubegems and you'll see the snippits of today's show. This is theCUBE. The leader in live tech coverage. We're out day one. From the District. See you tomorrow. (upbeat electronic music)