Garth Fort, Splunk | Splunk .conf21
(upbeat music) >> Hello everyone, welcome back to theCUBE's coverage of splunk.com 2021 virtual. We're here live in the Splunk studios. We're all here gettin all the action, all the stories. Garth Fort, senior vice president, Chief Product Officer at Splunk is here with me. CUBE alumni. Great to see you. Last time I saw you, we were at AWS now here at Splunk. Congratulations on the new role. >> Thank you. Great to see you again. >> Great keynote and great team. Congratulations. >> Thank you. Thank you. It's a lot of fun. >> So let's get into the keynote a little bit on the product. You're the Chief Product Officer. We interviewed Shawn Bice, who's also working with you as well. He's your boss. Talk about the, the next level, cause you're seeing some new enhancements. Let's get to the news first. Talk about the new enhancements. >> Yeah, this was actually a really fun keynote for me. So I think there was a lot of great stuff that came out of the rest of it. But I had the honor to actually showcase a lot of the product innovation, you know, since we did .conf last year, we've actually closed four different acquisitions. We shipped 43 major releases and we've done hundreds of small enhancements, like we're shipping code in the cloud every six weeks and we're shipping new versions twice a year for our Splunk Enterprise customers. And so this was kind of like if you've seen that movie Sophie's Choice, you know, where you have to pick one of your children, like this was a really hard, hard thing to pick. Cause we only had about 25 minutes, but we did like four demos that I think landed really well. The first was what we call ingest actions and you know, there's customers that are using, they start small with gigabytes and they go to terabytes and up to petabytes of data per day. And so they wanted tools that allow them to kind of modify filter and then route data to different sort of parts of their infrastructure. So that was the first demo. 
We did another demo on our, our visual playbook editor for SOAR, which has improved quite a bit. You know, a lot of the analysts that are in the, in the, in the SOC trying to figure out how to automate responses and reduce sort of time to resolution, like they're not Python experts. And so having a visual playbook editor that lets them drag and drop and sort of with a few simple gestures create complex playbooks was pretty cool. We showed some new capabilities in our APM tool. Last year, we announced we acquired a company called Plumbr, which has expertise in basically like code level analysis and, and we're calling it "Always On" profiling. So we, we did that demo and gosh, we did one more, four, but four total demos. I think, you know, people were really happy to see, you know, the thing that we really tried to do was ground all of our sort of like tech talk and stuff that was like real and today, like this is not some futuristic vision. I mean, Shawn did lay out some, some great visions, visionary kind of pillars. But, what we showed in the keynote was I it's all shipping code. >> I mean, there's plenty of head room in this market when it comes to data as value and data in motion, all these things. But we were talking before you came on camera earlier in the morning about actually how good Splunk product and broad and deep the product portfolio as well. >> Garth: Yeah. >> I mean, it's, I mean, it's not a utility and a tooling, it's a platform with tools and utilities. >> Garth: Yeah >> It's a fully blown out platform. >> Yeah. Yeah. It is a platform and, and, you know, it's, it's one that's quite interesting. I've had the pleasure to meet a couple of big customers and it's kind of amazing, like what they do with Splunk. 
Like I was meeting with a large telco on the east coast and you know, they actually, for their set top boxes, they actually have to figure out in real time, which ads to display and the only tool they could find to process 15 million events in real time, to decide what ad to display, was Splunk. So that was, that was like really cool to hear. Like we never set out to be like an ad tech kind of platform and yet we're the only tool that operates at that level of scale and that kind of data. >> You know, it's funny, Doug Merritt mentioned this in my interview with him earlier today about, you know, and he wasn't shy about it, which was great. He was like, we're an enabling platform. We don't have to be experts in all these vertical industries >> Garth: Yep >> because AI takes care of that. That's where the machine learning >> Garth: Yeah >> and the applications get built. So others are trying to build fully vertically integrated stacks into these verticals when in reality they don't have to, if they don't want it. >> Yeah, and Splunk's kind of, it's quite interesting when you look across our top 100 customers, you know, Doug talks about like the, you know, 92 of the fortune 100 are kind of using Splunk today, but the diversity across industries and, you know, we have government agencies, we have, you know, you name the retail or the vertical, you know, we've got really big customers, they're using Splunk. And the other thing that I kind of, I was excited about, we announced the last demo I forgot was TruSTAR integration with Enterprise Security. That's pretty cool. We're calling that Splunk Threat Intelligence. And so That was really fun and we only acquired, we closed the acquisition to TruSTAR in May, but the good news is they've been a partner with us like for 18 months before we actually bought em. And so they'd already done a lot of the work to integrate. 
And so they had a running start in that regard, But other, one other one that was kind of a, it was a small thing. I didn't get to demo it, but we talked about the, the content pack for application performance monitoring. And so, you know, in some ways we compete in the APM level, but in many ways there's a ton of great APM vendors out there that customers are using. But what they wanted us to do was like, hey, if I'm using APM for that one app, I still want to get data out of that and into Splunk because Splunk ends up being like the core repository for observability, security, IT ops, Dev Sec Ops, et cetera. It's kind of like where the truth, the operational truth of how your systems works, lives in Splunk. >> It's so funny. The Splunk business model has actually been replicated. They call it data lake, whatever you want to call it. People are bringing up all these different metaphors. But at the end of the day, if you guys can create a value proposition where you can have data just be, you know, stored and dumped and dumped into whatever they call it stored in a way >> Garth: We call it ingest >> Ingested, ingested. >> Garth: Not dumped. >> Data dump. >> Garth: It's ingested. >> Well, I mean, well you given me a plan, but you don't have to do a lot of work to store just, okay, we can only get to it later, >> Garth: Yep. >> But let the machines take over >> Garth: Yep. >> With the machine learning. I totally get that. Now, as a pro, as a product leader, I have to ask you your, your mindset around optimization. What do you optimize for? Because a lot of times these use cases are emerging. They just pop out of nowhere. It's a net new use case that you want to operationalize. So balancing the headroom >> Yep. >> Or not to foreclose those new opportunities for customers. How are customers deciding what's important to them? How do you, because you're trying to read the tea leaves for the future >> Garth: A little bit, yeah. 
>> and then go, okay, what do our customers need, but you don't want to foreclose anything. How do you think about product strategy around that? >> There's a ton of opportunity to interact with customers. We have this thing called the Customer Advisory Board. We run, I think, four of them and we run a monthly. And so we got an opportunity to kind of get that anecdotal data and the direct contact. We also have a portal called ideas.splunk.com where customers can come tell us what they want us to build next. And we look at that every month, you know, and there's no way that we could ever build everything that they're asking us to, but we look at that monthly and we use it in sort of our sprint planning to decide where we're going to prioritize engineering resources. And it's just, it's kind of like customers say the darndest things, right? Sometimes they ask us for stuff and we never imagined building it in a million years, >> John: Yeah. >> Like that use case around ads on the set top box, but it's, it's kind of a fun place to be like, we, we just, before this event, we kind of laid out internally what, you know, Shawn and I kind of put together this doc, actually Shawn wrote the bulk of it, but it was about sort of what do we think? Where, where can we take Splunk to the next three to five years? And we talked about these, we referred to them as waves of innovation. Cause you know, like when you think about waves, there's multiple waves that are heading towards the beach >> John: Yeah. >> in parallel, right? It's not like a series of phases that are going to be serialized. It's about making a set of investments. that'll kind of land over time. And, and the first wave is really about, you know, what I would say is sort of, you know, really delivering on the promise of Splunk and some of that's around integration, single sign-on things about like making all of the Splunk Splunk products work together more easily. 
We've talked a lot in the Q and a about like edge and hybrid. And that's really where our customers are. If you watch the Koby Avital's sort of customer keynote, you know, Walmart by necessity, given their geographic breadth and the customers they serve has to have their own infrastructure. They use Google, they use Azure and they have this abstraction layer that Koby's team has built on top. And they use Splunk to manage kind of, operate basically all of their infrastructure across those three clouds. So that's the hybrid edge scenario. We were thinking a lot about, you mentioned data lakes. You know, if you go back to 2002, when Splunk was founded, you know, the thing we were trying to do is help people make sense of log files. But now if you talk to customers that are moving to cloud, everybody's building a data lake and there's like billions of objects flowing into millions of these S3 buckets all over the place. And we're kind of trying to think about, hey, is there an opportunity for us to point our indexing and analytics capability against structured and unstructured data and those data lakes. So that that'll be something we're going to >> Yeah. >> at least start prototyping pretty soon. And then lastly, machine learning, you know, I'd say, you know, to use a baseball metaphor, like in terms of like how we apply machine learning, we're like in the bottom of the second inning, >> Yeah. >> you know, we've been doing it for a number of years, but there's so much more. >> There's so, I mean, machine learning is only as good as the data you put into the machine learning. >> Exactly, exactly. >> And so if you have, if you have gap in the data, the machine learning is going to have gaps in it. >> Yeah. And we have, we announced a feature today called auto detect. 
And I won't go into the gory details, but effectively what it does is it runs a real-time analytics job over whatever metrics you want to look at and you can do what I would consider more statistics versus machine learning. You can say, hey, if in a 10 minute period, like, you know, we see more errors than we see on average over the last week, throw an alert so I can go investigate and take a look. Imagine if you didn't have to figure out what the right thresholds were, if we could just watch those metrics for you and automatically understand the seasonality, the timing, is it a weekly thing? Is it a monthly thing? And then like tell you like use machine learning to do the anomaly detection, but do it in a way that's more intelligent than just the static threshold. >> Yeah. >> And so I think you'll see things like auto detect, which we announced this week will evolve to take advantage of machine learning kind of under the covers, if you will. >> Yeah. It was interesting with cloud scale and the data velocity, automations become super important. >> Oh yeah. >> You don't have a lot of new disciplines emerge, like explainable AI is hot right now. So you got, the puck is coming. You can see where the puck is going. >> Yeah >> And that is automation at the app edge or the application layer where the data has got to be free-flowing or addressable. >> Garth: Yeah. >> This is something that is being talked about. And we talked about data divide with, with Chris earlier about the policy side of things. And now data is part of everything. It's part of the apps. >> Garth: Yeah. >> It's not just stored stuff. So it's always in flight. It should be addressable. This is what people want. What do you think about all of that? >> No, I think it's great. I actually just can I, I'll quote from Steve Schmidt in, in sort of the keynote, he said, look like security at the end of the day is a human problem, but it kind of manifests itself through data. 
And so being able to understand what's happening in the data will tell you, like, is there a bad actor, like wreaking havoc inside of my systems? And like, you can use that, the data trail if you will, of the bad actor to chase them down and sort of isolate em. >> The digital footprints, if you will, looking at a trail. >> Yeah. >> All right, what's the coolest thing that you like right now, when you look at the treasure trove of, of a value, as you look at it, and this is a range of value, Splunk, Splunk has had customers come in with, with the early product, but they keep the customers and they always do new things and they operationalize it >> Garth: Yep. >> and another new thing comes, they operationalize it. What's the next new thing that's coming, that's the next big thing. >> Dude that is like asking me which one of my daughters do I love the most, like that is so unfair. (laughing) I'm not going to answer that one. Next question please. >> Okay. All right. Okay. What's your goals for the next year or two? >> Yeah, so I just kind of finished roughly my first 100 days and it's been great to, you know, I had a whole plan, 30, 60, 90, and I had a bunch of stuff I wanted to do. Like I'm really hoping, sort of, we get past this current kind of COVID scare and we get to back to normal. Cause I'm really looking forward to getting back on the road and sort of meeting with customers, you know, you can meet over Zoom and that's great, but what I've learned over time, you know, I used to go, I'd fly to Wichita, Kansas and actually go sit down with the operators like at their desk and watch how they use my tools. And that actually teaches you. Like you, you come up with things when you see, you know, your product in the hands of your customer, that you don't get from like a CAB meeting or from a Zoom call, you know? >> John: Yeah, yeah. 
>> And so being able to visit customers where they live, where they work and kind of like understand what we can do to make their lives better. Like that's going to, I'm actually really excited to gettin back to travel. >> If you could give advice to CTO, CISO, or CIO or a practitioner out there who are, who is who's sitting at their virtual desk or their physical desk thinking, okay, the pandemic, we're coming through the pandemic. I want to come out with a growth strategy, with a plan that's going to be expansive, not restrictive. The pandemic has shown what's what works, what doesn't work. >> Garth: Sure. >> So it's going to be some projects that might not get renewed, but there's doubling down on, certainly with cloud scale. What would advice would you give that person when they start thinking about, okay, I got to get my architecture right. >> Yeah. >> I got to get my playbooks in place. I got to get my people aligned. >> Yeah >> What's what do you see as a best practice for kind of the mindset to actual implementation of data, managing the data? >> Yeah, and again, I'm, I'm, this is not an original Garth thought. It actually came from one of our customers. You know, the, I think we all, like you think back to March and April of 2020 as this thing was really getting real. Everybody moved as fast as they could to either scale up or scale down operations. If you were in travel and hospitality, you know, that was, you know, you had to figure how to scale down quickly and like what you could shut down safely. If you were like in the food delivery business, you had to figure out how you could scale up, like Chipotle hit two, what is it? $2 billion run rate on delivery last year. And so people scrambled as fast as they could to sort of adapt to this new world. And I think we're all coming to the realization that as we sort of exit and get back to some sense of new normal, there's a lot of what we're doing today that's going to persist. 
Like, I think we're going to have like flexible rules. I don't think everybody's going to want to come back into the office. And so I think, I think the thing to do is you think about returning to whatever this new normal looks like is like, what did we learn that was good. And like the pandemic had a silver lining for folks in many ways. And it sucked for a lot. I'm not saying it was a good thing, but you know, there were things that we did to adapt that I think actually made like the workplace, like stronger and better. And, and sort of. >> It showed that data's important, internet is important. Didn't break, the internet didn't break. >> Garth: Correct. >> Zoom was amazing. And the teleconferencing with other tools. >> But that's kind of, just to sort of like, what did you learn over the last 18 months that you're going to take for it into the next 18 years? You know what I mean? Cause there was a lot of good and I think people were creative and they figured out like how to adapt super quickly and take the best of the pandemic and turn it into like a better place to work. >> Hybrid, hybrid events, hybrid workforce, hybrid workflows. What's what's your vision on Splunk as a tier one enterprise? Because a lot of the news that I'm seeing that's, that's the tell sign to me in terms of this next growth wave is big SI deals, Accenture and others are yours working with and you still got the other Partnerverse going. You have the ecosystems emerging. >> Garth: Yep. >> That's a good, that means your product's enabling people to make money. >> Garth: Yeah. Yeah, yeah, yeah. >> And that's a good thing. 
>> Yeah, BlueVoyant was a great example in the keynote yesterday and they, you know, they've really, they've kind of figured out how, you know, most of their customers, they serve customers in heavily regulated industries kind of, and you know, those customers actually want their data in a Splunk tenant that they own and control and they want to have that secure boundary around that. But BlueVoyant's figured out how they can come in and say, hey, I'm going to take care of the heavy lifting of the day-to-day operations, the monitoring of that environment with the security. So, so BlueVoyant has done a great job sort of pivoting and figuring out how they can add value to customers and do, you know, because they they're managing not just one Splunk instance, but they're managing 100s of Splunk cloud instances. And so they've got best practices and automation that they can play across their entire client base. And I think you're going to see a lot more of that. And, and Teresa's just, Teresa is just, she loves Partners, absolutely loves Partners. And that was just obvious. You could, you could hear it in her voice. You could see it in her body language, you know, when she talked about Partnerverse. So I think you'll see us start to really get a lot more serious. Cause as big as Splunk is like our pro serve and support teams are not going to scale for the next 10,000, 100,000 Splunk customers. And we really need to like really think about how we use Partners. >> There's a real growth wave. And I, and I love the multiples wave in parallel because I think that's what everyone's consensus on. So I have to ask you as a final question, what's your takeaway? Obviously, there's been a virtual studio here where all the Splunk executives and, and, and customers and partners are here. TheCUBE's here doing all the presentations, live by the way. It was awesome. What would you say the takeaway is for this .conf, for the people watching and consuming all the content online? 
A lot of asynchronous consumption would be happening. >> Sure. >> What's your takeaway from this year's Splunk .conf? >> You know, I, it's hard cause you know, you get so close to it and we've rehearsed this thing so many times, you know, the feedback that I got and if you look at Twitter and you look at my Slack and everything else, like this felt like a conf that was like kind of like a really genuine, almost like a Splunk two dot O. But it's sort of true to the roots of what Splunk was true to the product reality. I mean, you know, I was really careful with my team and to avoid any whiff of vaporware, like what were, what we wanted to show was like, look, this is Splunk, we're acquiring companies, you know, 43 major releases, you know, 100s of small ones. Like we're continuing to innovate on your behalf as fast as we can. And hopefully this is the last virtual conf. But even when we go back, like there was so much good about the way we did this this week, that, you know, when we, when we broke yesterday on the keynote and we were sitting around with the crew and it kind of looking at that stage and everything, we were like, wow, there is a lot of this that we want to bring to an in-person event as well. Cause so for those that want to travel and come sit in the room with us, we're super excited to do that as soon as we can. But, but then, you know, there may be 25, 50, 100,000 that don't want to travel, but can access us via this virtual event. >> It's like a time. It's a moment in time that becomes a timeless moment. That could be, >> Wow, did you make that up right now? >> that could be an NFT. >> Yeah >> We can make a global cryptocurrency. Garth, great to see you. Of course I made it up right then. So, great to see you. >> Air bump, air bump? Okay, good. >> Okay. Garth Fort, senior vice president, Chief Product Officer. In theCUBE here, we're live on site at Splunk Studio for the .conf virtual event. I'm John Furrier. Thanks for watching. >> All right. 
Thank you guys. (upbeat music)
Wendi Whitmore, IBM | IBM Think 2020
>> Narrator: From theCUBE Studios in Palo Alto and Boston, it's theCUBE, covering IBM Think, brought to you by IBM. >> Hi everybody. Welcome back to theCUBE's continuous coverage of IBM Think 2020, the digital version of IBM Think. Wendi Whitmore is here. She's the vice president of IBM X-Force Threat Intelligence. Wendi, thanks for coming on. >> Thanks for having me. I'm excited to be here. >> Yeah, you're welcome. With a name like X-Force. That is a killer name. Tell us about X-Force. How are you protecting us? >> Yeah, we get a lot of interesting questions. So, my team is responsible for a pretty wide range of things. They range from incident response. So, when you think of data breaches, typically organizations will call an outside firm, and they'll jump on a plane and respond to threats on-site. Obviously right now, we're jumping on a bit fewer planes, but we still are helping our customers investigate data breaches, and we are on-site when needed. We also have a team of threat intelligence analysts and researchers, who are experts in a wide range of fields from geopolitical issues to cyber-related issues to industry specific. And then we've also got a team that does data breach simulations in a very immersive environment. We've got facilities at Cambridge Massachusetts, as well as within Europe, and now of course, we're bringing all those virtual as well. So, really anything that helps our clients respond more effectively to a data breach is something that we do. >> So, X-Force is traveling right now on empty planes, I presume. >> We are as needed. So, many clients have certainly shifted to where their whole environments are off-site and working remote as well, but we still have clients who are asking us to work on-site, and in those cases we have added a new protective gear to our go-backs, which are usually equipped with hard drives and disc imaging software and passports, and now we have some additional equipment to bring as well. 
>> And that breach simulation that you talked about. So that's what, like a penetration test, or in similar type of activities? >> Yeah, great question. No, it's actually an immersive environment where we go in, and actually simulate an entire breach for our clients. So, everything from the initial attack, how they would do the data analytics, to things like, how do they respond to the press, and inquiries from the press about the breach, how do they do media training, how they work with their legal counsel. So, it's really a comprehensive immersive environment that simulates kind of the heart pounding that occurs when you actually respond to a data breach. >> Oh, that's awesome, so that mean best practices in communications as well and the PR. I mean, that is obviously, maybe something that's often overlooked, but something that you guys are applying best practice to. >> Wendi: It's such a huge piece of it now, right? Our organizations are not always graded just on the breach itself, but more so on how they respond and how they communicate. The good news is, in that scenario that you can communicate effectively about a breach, and you can have something pretty negative that happens to your organization, but if you respond well, and you communicate really effectively to your clients and to the public, we've seen time and again that those brands actually have no reputational damage, and if anything, their clients trust them even more moving forward. >> We were early on when recording the, just trying to measure the budget impact of COVID-19, but we were early in recording the work from home shift. About 20% of the CIO organizations that we surveyed, actually spending more, or planning to spend more, but many weren't prepared for this work from home. They had to really beef up, and not just adding licenses of video collaboration software, but security for sure, a VPN infrastructure, et cetera. 
So, can you talk a little bit about how clients have responded, how you've helped them respond to that shift? How has the threat matrix changed? >> Well, so in terms of the attack surface, you mentioned there's a lot more people working from home, right? So, what we've got is over 220 million people in the United States, over one billion people in India alone, that are now working from home. So as you can imagine, that attack surface has really increased from an attacker perspective, right? And coupled with that, is that since March 1st, we've already seen a 6000% increase in coronavirus related spam. So, you've now got this larger attack surface that organizations need to protect against, and you've got an increase in threats and threat activity that is attacking them. So, from that perspective, pretty difficult for CIOs who are used to defending an environment that may be more on-site, and now have this really wide range of attack surface certainly more difficult for them to respond to. The other thing that we've seen, so one of the things that's super critical in these types of situations is to have an incident response plan, and to make sure that you're testing it. So, in our work that we've done both with our incident response teams, as well as with the teams that train clients in how to respond to breaches more effectively, we've seen that 76% of organizations don't actually have a consistently tested or applied incident response plan, and one in four have no plan at all. So, I will say that in terms of how we're working with clients, the first thing that any organization can do right now, is actually, have a plan and test it. So, if you're starting from scratch, it's really as simple as putting words on paper, understanding how you're going to get a hold of your critical team members, having a backup plan in place for communication strategies if your primary infrastructure goes offline. So making sure you know how to get a hold of your personnel. 
If you're more mature, then what we're really encouraging our clients to do is have a variety of scenarios that they're testing against, and make sure that they're running through those. So, a great one to practice right now, would be a ransomware attack. In particular, how does your organization respond effectively to it? What do you do when you get the initial notification? Do you have critical and sensitive data that's backed up offline, and not always connected to the network? If so, you're going to be in a much better spot to effectively defend against those attacks and limit any of the negative impact to them. >> So, a couple things I want to sort of follow up in. So, what I heard was you've got more fragile work-from-home infrastructure, and you've got somewhat, well, significantly more vulnerable users. I've often said, bad user behavior is going to trump good security infrastructure every time. So, you've got many more opportunities for the bad guys to get in. And so, I'm hearing that threat response is now more critical than ever. It's always been critical. The communication to the board has been hey, chances are we're going to get infiltrated. We got to find it fast, and it's really about response, incident response. We can build modes, we can build layers, but we have to put a plan for that response. And so, it sounds like that's something that maybe is heightened as a result of this COVID-19 crisis. >> Wendi: Oh, it absolutely is. I think it's now more critical than ever. I think there's two approaches, right? So, one of them would be improvising through chaos, which we don't necessarily encourage, right? There's a difference between that and really managing through disruption, and that's what we're encouraging our clients to do, is look at how we can create sustainable processes and procedures. You may have a very well-established team that does response, but perhaps they haven't worked remotely before. 
So, that means testing those procedures, now taking them to a scenario where everyone is remote. What does that mean? It may mean that you need to capture less data over the network, because perhaps you just don't have the bandwidth or the capacity to do it. We've certainly looked at how we do that. How do we answer questions that are critically needed from an investigative perspective, for example, but without maybe all the resources that we would prefer to have. So, what we're really looking at, is kind of shifting in the way that we manage through these. And then, you mentioned that users who maybe sometimes make bad decisions, right? We're all guilty of that, because especially with that increase in spam, there's also been an increase in Nation-State actors who are now sending out new lures and new attempts to get access to environments that are related to coronavirus. So, we've got cyber criminals, Nation-State actors, everyone, and we're now at home looking to effectively defend. So, some things that organizations can do with that, would be ensuring that they have multi-factor authentication on all remotely accessible systems. So, devices, applications, anything that can be accessed remotely should have multi-factor authentication. That will help limit some of the impact. As it relates to spam, organizations should really be making sure they've got good email spam-filtering systems in place, and if they have the capability to send out some test emails to their employees, they should do that, right? We are getting numb. I will say, our CIO and their office does it at least once a week where I know I'm getting a very well-crafted email, and I have to really think twice, and it's really made me think differently about opening my email, and making sure that I'm doing some due diligence, to make sure I know where the email's coming from. 
One of the things we do, is also any external email is labeled external, so that way if it's a lure that appears to be, it's coming from another employee, but it's actually coming from an external email address, that's another way to help users make some good decisions, and really limit your attack surface, and reduce the threat. >> I think the points you're making here are very important, because if you think about the work-from-home cadence, it's a lot different. You're not nine to five. I mean, who works nine to five anyway, but your hours are different. Oftentimes, you got children to hone. You got dogs barking, kids are crawling all over us on the video. And so, oftentimes, of course we're frenzied at work, but there's a different kind of frenzy, so you might not be as in tune. So, you're basically saying, exercise that a little bit to get people, like a fire drill, to really get them tuned to being sensitized to such phishing attack. >> Right, well if you think about this from the viewpoint of an attacker, all of those scenarios that you mentioned, where you have a global pandemic. So, we're not just talking about a regional threat, like a hurricane or a tornado. In a case of a pandemic, or any of these type of situations, people are more likely to be reading the news, be probably checking social media more often, so that they can get an understanding of the latest news and information that may impact them. If you're an attacker, you've got now this kind of environment of global chaos that's been created, and you can use it to your advantage, because the reality is, as long as there's money to be made, attackers are going to want to take advantage of that scenario. So, what we're really talking about is, as you're reading your work email, as you're checking your personal email, taking a step back, slowing things down amidst all the distractions, barking dogs and co-workers now that may be at your house, also known as children, right? 
So, we need to really take a step back, and make sure that we are slowing things down, reading and doing due diligence in opening emails that will help all of the CIO and CISO type organizations more effectively to protect their organizations and their clients as well. >> When you talked about ransomware earlier, and I inferred from your comments that best practice, create an air gap, but I'm wondering also, can analytics play a role there, just in terms of identifying anomalous behavior? What else can I do to protect myself from ransomware? >> Great question. So, on the visibility side, which I think is what you're talking about, right? How do we detect these types of attacks? There's lots of great software out there. Typically, what we would want our visibility at the endpoints. So, usually some sort of EDR tool, which is an endpoint detection and response tool. That's going to allow us to capture things. In the old days, we would talk about antivirus software, and now you really have kind of next generation of antivirus software, which also gives you behavioral analytics and actions on the keyboard. We want to be able to detect that in any size environment. So, the more visibility we have into that, the better, but aside from just adopting new technology, potentially, there are best practices steps that we can take, and I mentioned earlier about making sure that you understand what is your most critical and sensitive data, and that you've got it backed up, and a lot of times we go into environments, and they say, "Well yeah, we have backups." This is great, but what they're not realizing, is that oftentimes those backups are connected to the network at all times, and in the case of a ransomware breach, you typically then will see those backups corrupted as well, and organizations will find themselves in a position where they say, "Well, we don't have any valid backups now "that we can restore from, in order to make sure "that we have a safe environment." 
And so, it's important that organizations understand and do a survey of what is their most critical and sensitive data, and then make sure that's backed up offline, and I say that, because it's not usually viable for organizations to have all of their data backed up offline. That costs a lot of money. That requires a lot of storage, but to look at really prioritizing their environment, their data within it, and making sure that they can have access to that which is needed, and then ultimately that's going to prevent you even needing to have the conversation about ransomware, because you still have access to that data. >> Yeah Wendi, I think you're making some really important points there. The tech obviously, is critical. People shifting to SD-WAN, securing endpoints, securing gateways, but really the processes are very very important, and I'll just throw out an example. If I'm making a snapshot of the Cloud, I'm not backed up. You better make sure that you understand how to recover from that backup, because just that copy is not a backup. You need the proper type of recovery software. You need to test that. Your thoughts on that. >> Yeah, that's absolutely true. So, what we want to make sure is that during the course of a potential ransomware attack, that the email's critical sensitive data is available offline. So, I mentioned earlier that testing is one of the best things that we're recommending. One of the most effective preparations is having an incident response plan, testing it for particular scenarios, and so in this case, one of the other things that we talk about a lot is limiting the impact of a breach. Every organization is going to get attacked, especially in today's day and age where you've got a larger attack surface. 
The win is really limiting the impact of that attack, and limiting the cost, and having an incident response plan, and having a team of people, whether they're internal or external that are responsible for responding to attacks, is the number one cost management. The number one decrease in cost is having access to that team. Typically, it will save an organization over a million dollars when the average cost of a data breach is about $4 million. So, that's pretty significant, and ultimately, if we can test, as you mentioned, those backups, that they are available in an offline scenario. In the course of one of those IR program plans or tests, that's great. It's a win for the organization. They can ensure that that data is going to be available, and it really helps them exercise that muscle memory in advance of an actual attack. >> Yeah, so the backup corp is actually becomes a really even more important component now. This has been great information. Where can people go specifically as it relates to COVID-19? I want to go look up a checklist to make sure. I've been scrambling to get my homeworkers up and running, get them productive, but boy, I really want to focus now on the things that I should be doing to button up my organization. Where can I go to learn more about this? >> Yeah, so there's so much great information out there, from everyone in the industry, but IBM is clearly no different. So, what we've done is action repurpose at IBM.com homepage where we've got a tremendous amount of information on COVID-19, and then IBM Security.com as well. 
Our team that focuses on breach response, has in particular, a site called X-Force Exchange, where we're sharing indicators, and we have a particular component that's related to COVID-19 specifically, and then lastly, we've got a free service, which is a threat intelligence enclave that we are hosting with our partner TruSTAR, that is specific to COVID-19 where industry organizations can sign up and then share in real time, threat indicators related to this, and have really that intelligence that's been also qualified by their peers, and many large organizations are using that to defend their environments. So, a lot of great resources out there. >> Wendi, you're an amazing source of knowledge. Thanks so much for coming on theCUBE, and thanks to the X-Force team, doing some travel when necessary, and helping people really get a handle on this in this crazy crisis time. So, thank you very much. I really appreciate it. >> You're welcome, and certainly stay safe, and thanks for having me on. >> Back at you. All right, and thank you everybody. This is Dave Vellante for theCUBE. You're watching our continuous coverage of IBM Think 2020 Digital Think. Be right back right after this short break. (uplifting music)