
Tyler Williams & Karthik Subramanian, SAIC | Splunk .conf19


>> Live from Las Vegas, it's theCUBE covering Splunk .conf19, brought to you by Splunk.

>> You know, kind of leaning on that heavily. Automation, certainly very important. But what does Enterprise, and what does Enterprise Security 6.0 bring to the table? So can you take us through the evolution of where you guys are at with, with Splunk, if you want to handle that Enterprise Security? So yeah, generally Enterprise Security has traditionally had really, really good use cases for, like, the external threats that we're talking about. But like you said, it's very difficult to crack the insider threat part. And so we, leveraging the Machine Learning Toolkit, have started to build that into Splunk to make sure that, you know, you can protect your data. And, uh, you know, Tyler and I specifically did this because we saw that there was immaturity in the cybersecurity market for insider threat. And so one of the things that we're actually doing in this talk, in addition to talking about what we've done, we're actually giving examples of actionable use cases that people can take home and do themselves.

>> Like, we're giving them exact sample code of how to find some outliers. Give me an example of what. So the use case that we go over in the talk is a user logs in at a weird time of day outside of their baseline and they exfiltrate a large amount of data in a low and slow fashion. Um, but they're doing this obviously outside of the scope of their normal behavior. So we give some good searches that you can take home and look at how could I make a baseline, how could I establish that there's deviations from that baseline from a statistical standpoint, and identify this in the future and find the needle in the haystack using the Machine Learning Toolkit. And then if I have a SOC that I want to send notables to, or some sort of notification to, how do we make that happen? How do we make the transition from the Machine Learning Toolkit over to Enterprise Security, or however your SOC operates?

>> How do you do that? Do you guys write your own code for that? Or you guys use Splunk? So Splunk has a lot of internal tools, and there's a couple of things that need to be pointed out of how to make this happen, because we're aggregating large amounts of data. We go through a lot of those finer points in the talk, but sending those through to make sure that they're high confidence is the, is the channel. You guys are codifying the cross-connect from the machine learning to the other systems. All right, so I've got to ask, this is basically pattern recognition. You want to look at baselining. How do people, can people hide in that baseline data? So like, I'll give you, if I'm saying I'm an evil genius, I say, hey, I knew these guys are looking for anomalies in my baseline, so I'm going to go low and slow in my baseline.

>> Can you look for that too? Yeah, there are. There absolutely are ways of, fortunately, uh, there's a lot of different people who are doing research in that space on the defensive side. And so there's a ton of use cases to look at, and if you aggregate over a long enough period of time, it becomes incredibly hard to hide. And so the baselines that we recommend building generally look at your 90 day or 120 day out, um, I guess viewpoint. So you really want to be able to measure that. And most insider threats that happen occur within that 30 to 90 day window. And so the research seems to indicate that those timelines will actually work. Now if you were in there and you read all the code and you did all of the work to see how all of the things come through, and you really understood the machine learning minded, I'm sure there's absolutely a way to get in if you're that sophisticated.

>> But most of the time they're just trying to steal stuff and get out, or compromise a system. Um, so are there other patterns that you guys have seen, in terms of the, that are kind of low hanging fruit priorities that people aren't paying attention to, and what's the level of importance to, I guess, get ahold of or have some sort of mechanism for managing insider threats? Passwords, I've seen one, but I mean, like, there's been a lot of recent papers that have come out on lateral movement and privilege escalation. I think it's an area where a lot of people haven't spent enough time doing research. We've looked into models around PowerShell, um, so that we can identify when a user's maliciously executing PowerShell scripts. I think there's stuff that's getting attention now that, when it really needs to, but it is a little bit too late.

>> Uh, the community is a bit behind the curve on it, and C# is becoming more of a pattern, seeing a lot more C#, PowerShell's kind of been hunted down, kind of crippled or, like, identified. You can't operate that way, is what we're seeing, but, but is that an insider? And do insiders come in with the knowledge of doing C#? Those are gonna come from the outside. So I mean, what's the sophistic, I guess my question is, what's the sophistication level of an insider threat? Depends on the level. So the CERT Insider Threat Institute has aggregated about 15,000 different events. And it could be something as simple as a user who goes in with the intent to do something bad. It could be a person who converted from the inside at any level of the enterprise for some reason.

>> Or it could be someone who gets, you know, really upset after a bad review. That might be the one person who has access, and he's being socially engineered, as well as all kinds of different vectors coming in there. And so, you know, in addition to somebody malicious like that, that, you know, there's the accidental, your phishing campaigns here, somebody important clicks on an email that they think is from somebody else important, or something like that. And, you know, we're looking for that as well. And that's definitely, spear phishing's been very successful. That's a hard one to crack. It is. They have that malware and they're looking at, you can say HR data's out of, this guy just got a bad review, good, then send him a resume or a job opening for, and that's got the hidden code built in. We've seen that move many times.

>> Yeah, and natural language processing and, more importantly, natural language understanding can be used to get a lot of those cases out, if you're ingesting the text of the email data. Well, you guys are at a very professional high end from SAIC. I mean, the history, the storied history goes way back, and a lot of government contracts too. They do a lot of heavy lifting, from anywhere from development to running full big time OSS networks. So there's a lot of history there. What does state of the art, what do you guys look at as state of the art right now in security? Given the fact that you have some visibility into some of the bigger contracts relative to endpoint protection or general cyber, what's the current state of the art? What, what should people be thinking about, or what are you guys excited about? What are some of the areas that is state of the art relative to cyber, cybersecurity around data usage?

>> So, I mean, one of the things, and I saw that there were some talks about it, but natural language processing and sentiment analysis has gotten, has come a long way. It is much easier to understand, you know, or to have machines understand what, what people are trying to say or what they're doing. And especially, for example, if somebody's, like, web searching history, you know, and you might think of, somebody might do a search for "how do I hide downloading a file" or something like that. And, and that's something that, well, we know immediately as people, but, you know, we have, our customer for example, has a billion, 1.2 billion events a day. So, you know, if the billion, a billion seconds, that's 30 years. Yeah. So like that's, it's, it's a big number. You know, we, we, we hear those numbers thrown around a lot, but it's a big number to put it in perspective.

>> So we're getting that a day, and so how do we pick out, it's hard to step, that problem. The eight staff, you can't put staff on that. Most cutting edge papers that have come out recently have been trying to understand the logs. They're having machine learning understand the actual logs that are coming in to identify those anomalies. But that's a massive computation problem. It's a huge undertaking to kind of set that up. Uh, so I really have seen a lot of stuff actually at .conf, some of the innovations that they're doing to optimize that, because finding the needle in the haystack is obviously difficult. That's the whole challenge. But there's a lot of work that's being done in Splunk to make that happen a lot faster. And there's some work that's being done at the edge. It's not a lot, but the cutting edge is actually logging and looking at every single log that comes in and understanding it and having a robot say, boom, check that one out.

>> Yeah. And also the sentiment, it gets better with the data, because we all crushed those billions of events. And you can get a, you know, smiley face or frowny face depending upon what's happening. It could be, oh, this is bad. But this, this comes back down to the data points you mentioned. Logs is now beyond logs. I've got tracing, other, other signals coming in across the networks. So that's not, that's a massive problem. You need automation, you've got to feed the beast by the machines, and you've got to do it within whatever computation capabilities you have. And I always say it's a moving train, hard. The target's moving all the time. You guys are standing on top of it. Um, what do you guys think of the event? What's the, what's the most important thing happening here at .conf this year? I'd love to have both of you guys weigh in on that.

>> There's a ton of innovation in the machine learning space. All of the pipelines, really, that I've, I've been working on in the last year are being augmented and improved by the staff that's developing content in the machine learning and deep learning space at Splunk. So to me that's by far the most important thing. Your, your take on this, um, between the automation. I know in the last year or so, Splunk has just bought a lot of different companies that do a lot of things, so that now we can, instead of having to build it ourselves or having to go to three or four different people on top to build a complete solution for the federal government or for whoever your customer is, you can, you know, Splunk is becoming more of a one stop shop. And I think just upgrading all of these things to have all the capabilities working together so that, for example, Phantom, Phantom, you know, giving you that orchestration and automation after.

>> For example, if we have an ES notable event saying, hey, possible insider threat, maybe they automate the first thing of checking, you know, pull, immediately pulling those logs and emailing them or putting them in front of the SOC analyst immediately. So that in, in addition to, hey, you need to check this person out, it's, you need to check this person out, here is the first five pages of what you need to look at. Oh, talk about the impact of that, because without that SOAR feature. Okay. The automation orchestration piece of it, security orchestration and automation piece of it, without, where are you, you know, speed. What's the impact? What's the alternative? Yes. So when we're, right now, when we're giving information to our analysts through ES, they look at it and then they have to click five, six, seven times to get up the tabs that they need to make it done.

>> And if we can have those tabs pre-populated, or just have them, you know, either one click or just come up on their screen for once they open it up. I mean, their time is important. Especially when we're talking about an insider threat whom might turn to, yeah, the alternative is a five X increase in time spent by the SOC analyst, and no one wants that. They want to be called, vented with the data ready to go. Ready, alert on it. All right, so final, you guys are awesome insights. Walking data upsets right here. Love the insight. Love the, love the insights. So final question for the folks watching that are Splunk customers who are not as on the cutting edge as you guys, pioneering this field, what advice would you give them? Like, if you had to, you know, shake your friend, hey, you know, get off your butt, and do this, do that. What is the, what do people need to pay attention to that's super urgent that you would implore on them? What would you, what would your advice be? Once you start that one.

>> One of the things that I would actually say is, you know, we can code really cool things. We can do really cool things, but one of the most important things that he and I do as part of our process, before we go to the machine and code the really cool things, we sometimes just step back and talk for a half an hour, talk for an hour of, hey, what are you thinking about? Hey, what is a thing that you know, or what are we reading? What, and what are we? And, you know, formulating a plan, because instead of just jumping into it, if you formulate a plan, then you can come up with, you know, better things and augment and implement it, versus a smash and grab on the other side of just, all right, here's the thing, let's, let's dump it in there. So you're saying, just before you jump in the data pool and start swimming around, take a step back, collaborate with your peers, or get some kind of a game thinking plan.

>> We spent a lot of hours whiteboarding, but I would, to add to that, it's augment that, we spent a lot of time reading the scientific research that's being done by a lot of the teams that are out solving these types of problems. And sometimes they come back and say, hey, we tried this solution and it didn't work. But you can learn from those failures just like you can learn from the successes. So I recommend getting out and reading. There's a ton of literature in that space around cyber. So always be moving. Always be learning. Always be collaborating. Yeah, it's a moving train, guys. Thanks for the insights, epic session here. Thanks for coming on and sharing your knowledge on theCUBE. theCUBE, we're already one big data source here for you. All the knowledge here at .conf, our seventh year, their 10th year, is theCUBE's coverage. I'm John Furrier, we'll be back after this short break.

Published Date : Oct 22 2019

