Ed Bailey, Cribl | AWS Startup Showcase S2 E2
(upbeat music)
>> Welcome everyone to theCUBE presentation of the AWS Startup Showcase. The theme here is Data as Code. This is season two, episode two of our ongoing series covering the exciting startups from the AWS ecosystem, and we talk about the future of data, the future of analytics, the future of development and all kinds of cool stuff in multicloud. I'm your host, John Furrier. Today we're joined by Ed Bailey, Senior Technical Evangelist at Cribl. Thanks for coming on theCUBE here.
>> Thank you for the invitation, thrilled to be here.
>> The theme of this session is the observability lake, which I love, by the way. I'm getting into that in a second. "A breach investigation's best friend," which is a great topic. Couple of things. One, I like the breach investigation angle, but I also like this observability lake positioning, because I think this is a teaser of what's coming: more and more data usage where it's actually being applied specifically for things here, in the observability lake. So first, what is an observability lake? Why is it important?
>> Why it's important is that technology professionals, especially security professionals, need data to make decisions. They need data to drive better decisions. They need data to understand, just to achieve understanding. And that means they need everything. They don't need just what they can afford to store. They don't need just what a vendor is going to let them store. They need everything. And I think that's the point of the observability lake, because you couple an observability pipeline with the lake to bring your enterprise's data together, to make it accessible for analytics, to be able to use it, to be able to get value from it. And I think that's one of the things that's missing right now in the enterprise. Admins are being forced to make decisions about, okay, we can't afford to keep this, we can afford to keep this, and they're missing things. They're missing parts of the picture.
And by being able to bring it together, to be able to have your cake and eat it too, where I can get what I need and I can do it affordably, I think that's the future, and it just drives value for everyone.
>> And it just makes a lot of sense. The data lake, or the earlier concept, was throw everything into the lake and you can figure it out, you can query it, you can take action on it in real time, you can stream it. You can do all kinds of things with it. But observability is important because it's the most critical thing people are doing right now for all kinds of things, from QA, administration, security. So this is where the breach piece comes in. I like that that's part of the talk, because "the breach investigation's best friend" implies that you've got the secret sauce behind it, right? So, what is the state of the breach investigation today? What's going on with that? Because we know breaches, we see 'em out there, but why is this the best friend of a breach investigator?
>> Well, and this is unfortunate, but typically there's an enormous delay between breach and detection. And right now, there's an IBM study, I think it's 287 days, from the actual breach to detection and containment. It's an enormous amount of time. And the key is, when you do detect a breach, you're bringing in your incident response team, and typically without an observability lake, without Cribl's solutions around the observability pipeline, you're going to have an incomplete picture. The incident response team has to first understand what's the scope of the breach. Is it one server? Is it three servers? Is it all the servers? You've got to understand what's been compromised, what's the impact? How did the breach occur in the first place? And they need all the data to stitch that together, and they need it quickly. The more time it takes to get that data, the more time it takes for them to finish their analysis and contain the breach.
I mean, hence the, I think, about 87, 90 days to contain a breach. And so by being able to remove the friction, by being able to make it easier to achieve these goals, which shouldn't be hard, by removing that friction, you speed up the containment and resolution time. Not to mention, many system administrators simply don't have the data, because they can't afford to store the data in their SIEM. Or they have to go to their backup team to get a restore, which can take days. And so that's-- It's just so many obstacles to getting resolution right now.
>> I mean, you're crawling through glass there, right? Because you think about it, just the timing aspect. Where is the data? Where is it stored, and is it relevant, and--
>> And do you have it at all?
>> And do you have it at all, and then, you know, that person doesn't work there anymore, they changed jobs. I mean, who is keeping track of all this? You guys have now this capability where you can come in and do the instrumentation with the observability lake without a lot of change to the environment, which is not the way it used to be. It used to be, buy a tool, build a platform. Cribl has a solution that eases the struggles within the enterprise. What specifically is that pain point? And what do you guys do specifically?
>> Well, I'll start out with kind of an example, what drew me to Cribl, back in 2018. I'm running the Splunk team for a very large multinational. The complexity of that, we were dealing with the complexity of the data, and the demands we were getting from security and operations were just an enormous issue to overcome. I had vendors come to me all the time who would solve your problems, but that means you've got to move to their platform, where you have to get rid of Splunk, or you have to do this, and I'm losing something. And what Cribl Stream brought in was I could put it between my sources and my destinations and manage my data. And I would have flow control over the data.
I don't have to lose anything. I could keep continuing to use our existing analytics tools, and that sense of power and control, and I don't have to lose anything. I was like, there's something wrong here. This is too good to be true. And so what we're talking about now in terms of breach investigation is that with Cribl Stream, I can create a clone of my data to an object store. So this is almost any object store. So it can be AWS, it could be the other vendors' object stores. It could be on-prem object stores. And then I can house my data, I can house all my data at the cheapest possible price. So instead of eating up my most expensive storage, I put all my data in my object store. And I only put the data I need for the detections in my SIEM. So if, and hopefully never, but if you do have a breach, LogStream has a wonderful UI that makes it trivial to then pick my data out of my object store and restore it back into my SIEM so that my IR team can develop a complete picture of how the breach happened. What's the scope? What is their lateral movement? And answer those questions. And it just takes the friction away. Just like you said, no more crawling over glass. You're running to your solution.
>> You mentioned object store, and you're streaming that in. You talk about the Cribl Stream tool. I'm assuming there, when you're streaming the pipeline stuff, is there a schema involved? Are there database challenges? How do you guys look at that? I know you're vendor agnostic. I like that piece, you plug in and you leverage all the tools that are out there, Splunk, Datadog, whatever. But how about on the database side, what's the impact there?
>> Well, so I'm assuming you're talking about the object store itself, so we don't have to apply a schema. We can fit the data to whichever object store it is. We structure the data so it makes it easier to understand.
For example, if I want to see communications from one IP to another IP, we structure it to make it easier to see that and query that, but it is just, we're-- Yeah, it's completely vendor neutral and this makes it so simple, so simple to enable, I think--
>> So no pre-defined schema needed.
>> No, not at all. And this, it made it so much easier. I think we enabled this for the enterprise, I think it took us three hours to do, and we were able to then start, I mean, start cutting our retention costs dramatically.
>> Yeah, it's great when you get that kind of value. Time to value is critical, and all the skeptics fall to the sides pretty quickly. (chuckles) I've got to ask you, well, go ahead.
>> So I'd say, I mean, previously, I would have to go to our backup team. We'd have to open up a ticket, we'd have to have a bridge, then we'd have to go through the process of pulling tape, and it could take, you know, hours, hours if not days to restore the amount of data we needed. And just, you know, we were able to run to our goals and solve business problems instead of focusing on the process steps of getting things done.
>> Right, so take me through the architecture here and some customer examples, 'cause you have the Cribl Stream there, the observability pipeline. That's key, you mentioned that.
>> Yes.
>> And then they build out these observability lakes from that. So what is the impact of that? Can you share the customers that are using that solution? What are they seeing for benefits? What are some of the impacts? Can you give us some specifics?
>> I mean, I can't share all the exact customer names. I can definitely give you some examples. Referenceable customers would be TransUnion, so I came from TransUnion. I was one of the first customers and it solved an enormous number of problems for us. Autodesk is another great example. The idea that we're able to automate data practices. I mean, just for example, what we were talking about with backups.
We'd have to, you have to put a lot of time into managing your backups in your analytics platforms, you have to. And then you're locked into custom database schemas, you're locked into vendors. And it's also, it's still expensive. So being able to spend a few hours, dramatically cut your costs, but still have the data available, that's the key. I didn't have to make compromises, 'cause before I was having to say, okay, we're going to keep this, we're going to just drop this and hope for the best. And we just didn't have to do that anymore. I think it's the same thing for TransUnion and Autodesk, the idea that we're going to lower our cost, we're going to make it easier for our administrators to do their job so they can spend more time on business value fundamentals, like responding to a breach. You're going to spend time working with your teams, getting value from observability solutions, and stop spending time on writing custom solutions using open source tools. 'Cause your engineering time is the most precious asset for any enterprise and you've got to focus your engineering time on where it's needed the most.
>> Yeah, and they can't underestimate the hassle and cost of ownership of swapping out pre-existing stuff, just for the sake of having a functionality. I mean that's a big--
>> It's pain, and that's a big thing about LogStream, is that being vendor neutral is so important. If you want to use the Splunk universal forwarder, that's great. If you want to use Beats, that's awesome. If you want to use Fluentd, even better. If you want to use all three, you can do that too. It's the customer's choice and we're saying to people, use what suits your needs. And if you want to write some of your data to Elastic, that's great. Some of your data to Splunk, that's even better. Some of it to, pick your pick, fine as well, or Exabeam. You have the choices to put together, put your own solutions together and put your data where you need it to be.
We're not asking you to work only in our ecosystem, with only our partners. We're letting you pick and choose what suits your business.
>> Yeah, you know, that's the direction I was just talking about with the Amazon folks around their serverless. You know, you can use any tool, they have that core architecture for everything, the S3, and then pick whatever you want to use. SageMaker, just that other thing. This is the new way. That's the way it has to be to be effective. How do you guys handle that? What's been the reaction from customers? Do they, like, roll their eyes and doubt you guys, or can you do it? Are they skeptical? How fast can you convert 'em over? (chuckles)
>> Right, and that's always the challenge. And that's, I mean, the best part of my day is talking to customers. I love hearing the feedback, what they like, what they don't, and what they need. And of course I was skeptical. I didn't believe it when I first saw it, because I was used to being locked in. I was used to having to put in a lot of effort, a lot of custom code, like, what do you mean? It's this easy? I believe I did the first, this is 2018, I did our first demos, like 30 minutes in, and I cut about half a million dollars out of our license in the first 30 minutes of our first demo. And I was stunned because, I mean, it's like, this is easy.
>> Yeah, I mean--
>> Yeah, exactly. I mean, this is the future. And then, for example, the security team wanted to bring in a UBA solution that wasn't part of the vendor ecosystem that we were in. And I was like, not a problem. We're going to use LogStream. We're going to clone a copy of our data to the UBA solution. We were able to get value from this UBA solution in weeks. What typically is a six month cycle to start getting value. And it was just too easy, and the best part of it.
And the thing is, what just struck me was my engineers can now spend their time on delivering value instead of integrations and moving data around.
>> Yeah, and also we can spend more time preventing breaches. But what's interesting, and counterintuitive here, is that as you add more flexibility and choice, you'd think it'd be harder to handle a breach, right? So, now let's go back to the scenario. Say an organization has a breach, and they have the observability pipeline, they've got the lake in place, your observability lake. Take me through the investigation. How easy is it, what happens? How do they start it, what goes on?
>> So, once your SOC detects a breach, typically you're going to bring in your incident response team. So what we did, and this is one more way that we removed that friction, we cleaned up the glass, is we delegate to the incident response team the ability to restore. Cribl calls it Replay: we replay data from our object store back into your SIEM. There's a very nice UI that gives you the ability to say, "I want data from this time period to this time period, I want it to be all the data." Or the ability to filter and say, "I want just this IP." For example, if I detected, okay, this IP has been breached, then I'm going to pull all the data that mentions this IP in this timeframe, hit a button, and it just starts. And then it's going to restore as fast as your IOPS are for your solution. And then it's back in your tool. One of the things I also want to mention is we have an amazing enrichment capability. So one of the things that we would do is we would have pipelines so that as the data comes out of the object store, it hits the pipeline, and then we enrich it. We use GeoIP information, reverse DNS. It gets processed through a threat intel feed. So the data's already enriched and ready for the incident response people to do their job.
And so it just removes the friction of getting to the point where I can start doing my job.
>> You know, the theme of this episode for this showcase is about Data as Code. And, you know, I've been saying this on theCUBE since it was around, 13 years ago, that developers are going to be dealing with data like they deal with software code, and you're starting to see it, you mentioned enrichment. Where do you see Data as Code going? How relevant is it now, because when you add machine learning in here, that has to be enriched and iterated on too. We're talking about taking things off a branch and putting it back into the core. This is a data discussion, this isn't software, but it sounds the same.
>> Right, and this is something, the irony is that I remember the first time saying it to an auditor. I was constantly working with auditors, and that's what I described: I'm going to show you the code that manages the data. This is the data's code that's going to show you how we transform it, how we secure it, where the data goes, how it's enriched. So you can see the whole story, the data life cycle, in one place. And that's how we handled our audits. And I think that is enormously positive, because it's so easy to be confused. It's so easy for complexity to get in the way of progress. And by being able to represent your Data as Code, it's a step forward, 'cause the amount of data and the complexity of data, it's not getting simpler, it's getting more complex. So we need to come up with better ways to handle it.
>> Now you've been on both sides of the fence. You've been in the trenches as a customer, now you're a supplier with a great solution. What are people doing with these data engineering roles? Because it's not enough data engineering. I mean, 'cause if you say Data as Code, if you believe that to be true, and many people do, we do.
And you look at the history of infrastructure as code that enabled DevOps, AIOps, MLOps, DataOps, it's happening, right? So data stack ops is coming. Obviously security is huge in this. How does that data engineering role evolve? Because it just seems more and more that there's going to be a big push towards an SRE version of data, right?
>> I completely agree. I was working with a customer yesterday, and I spent a large part of our conversation talking about implementing development practices for administrators. It's a new role. It's a new way to think of things, 'cause traditionally your Splunk or Elastic administrator is talking about operating systems and memory and talking about how to use the vendor's proprietary tools, and that's just not quite the same. And so we started talking about, you need to start getting used to code reviews. Yeah, the idea of getting used to making sure everything has a comment. One thing I told him was, you know, if you have a function, it has to have a comment, just by default, it just has to. Yeah, the standards of how you write things, how you name things, all really start to matter. And also you've got to start considering your skillset. And this is, I mean, probably one of the best hires I ever made was I hired a guy with a math degree, because I needed his help to understand how machine learning works, how to pick the best type of algorithm. And I think this is going to evolve, that you're going to move away from the gray-bearded administrator to some other gray-bearded administrator with a math degree.
>> It's interesting, it's a step function. You have a data engineer who's got that kind of capability, like what the SRE did with infrastructure. The step function of enablement, the value creation from really good data engineering, puts the democratization play back on the table, and changes--
>> Thank you very much, John.
>> And changes that entire landscape.
How do you, what's your reaction to that?
>> I completely agree, 'cause operational data, operational security data, is the most volatile data in the enterprise. It changes on a whim, you have developers who change things. They don't tell you what happens, the vendor doesn't tell you what happened, and so that idea, that life cycle of managing data, the same types of standards and disciplines that database administrators have done for years has to filter down into the operational areas, and you need tooling that's going to give you the ability to manage that data, manage it in flight, in real time, in order to drive detections, in order to drive response. All those business value things we've been talking about.
>> So I've got to ask you about the larger role that you see with observability lakes. We were talking before we came on camera live here about how exciting this kind of concept is, and you were attracted to the company because of it. I love the observability lake concept because it puts all that data in one spot, you can manage it. But you've got machine learning and AI around the corner that also can help. How has all this changed the landscape of data security and things? Because it makes a lot of sense, and I can only see it getting better with machine learning.
>> Yeah, it definitely does.
>> Totally, and so the core issue, and I don't want to say, so when you talk about observability, most people have assumptions that observability is only an operational or an application support process. It's also a security process. The idea that you're looking for your unknown unknowns. This is what keeps security administrators up at night: I'm being attacked by something I don't know about. How do you find those unknowns? And that's where your machine learning comes in.
And that's where you have to understand there are so many different types of machine learning algorithms, where the guy that I hired, I mean, had started educating me about the umpteen number of algorithms and how it applies to different data and how you get different value, how you have to test your data constantly. There's no such thing as the magical black box of machine learning that gives you value. You have to implement, just like the developer practices, to keep testing over and over again, data scientists, for example.
>> The best friend of a machine learning algorithm is data, right? You've got to keep feeding that data, and when the data sets are baked and secure and vetted, even better, all cool. Great stuff, great insight. Congratulations Cribl, great solution. Love the architecture, love the pipelining of the observability data and streaming that into a lake. Great stuff. Give a plug for the company, where you guys are at, where people can get information. I know you guys have got a bunch of live feeds on YouTube, Twitch, here in theCUBE. Where else can people find you? Give the plug.
>> Oh, please, please join our Slack community, go to cribl.io/community. We have an amazing community. This was another thing that drew me to the company, is having a large group of people who are genuinely excited about data, about managing data. If you want to try Cribl out, we have some great tools. Try Cribl's tools out. We have a cloud platform, one terabyte of free data. So go to cribl.io/cloud or cribl.cloud, sign up, and it never times out. It's not 30 days, it's forever, up to one terabyte. Try out our new product as well, Cribl Edge. And then finally come watch Nick Decker and I, every Thursday, 2:00 PM Eastern. We have live streams on Twitter, LinkedIn and YouTube Live. And my Twitter handle is EBA 1367. Love to chat, love to have these conversations. And also, we are hiring.
>> All right, good stuff.
Great team, great concepts, right? Of course, we're theCUBE here. We've got our video lake coming on soon. I think I love this idea of having these videos. Hey, video's data too, right? I mean, we've got to keep coming to you.
>> I love it, I love videos, it's awesome. It's a great way to communicate, it's a great way to have a conversation. That's the best thing about us, having conversations. I appreciate your time.
>> Thank you so much, Ed, for representing Cribl here on the Data as Code. This is season two, episode two of the ongoing series covering the hottest, most exciting startups from the AWS ecosystem. Talking about the future of data, I'm John Furrier, your host. Thanks for watching.
>> Ed: All right, thank you.
(slow upbeat music)
Haiyan Song, Splunk | Splunk .conf18
(upbeat music)
>> Announcer: Live from Orlando, Florida, it's theCUBE, covering .conf18. Brought to you by Splunk.
>> Welcome back to .conf18, everybody. I'm Dave Vellante with Stu Miniman, and you're watching theCUBE, the leader in live tech coverage. We love to go out to the events, extract the signal from the noise. A lot of focus today, Stu, on security, and Haiyan is here. Haiyan Song is the Senior Vice President and General Manager of Security at Splunk. Great to see you again.
>> Thank you for having me.
>> You're very welcome. Fifth time, I think, for you on theCUBE, so you're a super alum. And I really always appreciate your deep knowledge. As I said, today was security day. A lot of customers talking about security. It's obviously a stronghold of Splunk. But give us the update. What's new this year with you? We talked a year ago in D.C. What's happening with you guys?
>> Well, this is the year that we really went out and shared our vision of what the SOC looks like in 2020. And we call it the Vision of SOC 2020. And on a very high level, we envision that in a couple of years, with technology like analytics, and operations automation, orchestration, we envision that 90% of the Tier 1 work that a SOC analyst would be doing will be automated. And with that automation we are envisioning that most of the time, more than 50% of the time, the SOC analyst can actually focus on detection logic and really responding to things that require human skills and insights. And we're also envisioning that by that time, there will be a place, one place, where things for response get orchestrated, versus people having to go to twenty different places trying to figure out what's going on. So that's, sort of, from a business perspective, but to deliver that, there's really, sort of, ten, we shared the ten big, we call it core capabilities, that capability road map to SOC 2020.
And for us, we feel really fortunate that with the acquisition of Phantom, we are really able to bring that full stack together, to deliver that capability. So we have the data platform. You heard all the exciting news on what we are doing with data fabric search, stream processing, and amplifying the performance of analytics. You heard all those things that we're putting into IT, and security, ES, UBA, and then last but not least is the ability to orchestrate, to automate, to collaborate. So I think we're really uniquely positioned, because we can bring all three together. That's the full stack to deliver on that vision.
>> So let's talk a little bit more about that vision. So, I mean, my rudimentary understanding is you really had a reactive mode in the past. It's kind of herding cats, trying to figure out, okay, I'm going to try to respond to an incident. Then you started to use data and analytics to try to prioritize, to focus on those things that aren't going to be a false positive or are of high value. What you're putting forth is a vision where a lot of that heavy lifting goes away. Machine intelligence is either augmenting or making decisions about which items to go after. Talk more about that world. What does it look like? What's the role of the security professional in that new world?
>> Yeah, there are two parts to what we do in the Security Operations Center. Detecting things and responding to things, and taking care of, sort of, the incidents. So a lot of the things you really touched on is how we have applied machine learning and analytics and really leveraged the business context. The feature we talked about, the distributed, the data fabric search, is a really powerful tool. Now we can reach out and get a lot more information to help you make better decisions, to reduce the ratio of noise to signal, or signal to noise, whichever way you want to see it, up and down.
So, in that world we expect more machine learning, more data modeling, more threat modeling, so we can really, sort of, incorporate business context, so risk becomes a key thing to help people prioritize. That's our product ES, and UBA, and you heard about the whole predictive capabilities in IT. I think all of those will be, sort of, that world. And the second part of what we do is, if something does happen, now we've really got the signal. What do you do about it? We envision that world having a lot of the initial mundane prep work done. Like, oh, I want to find out which organization this ID belongs to. Is this really a signature in the VirusTotal, sort of, database, and what happened? So that whole prep, hopefully, will be done for you before you even get started into an incident. And furthermore, if we have responded to those types of incidents before, we actually would like to give you a recommendation: this is what happened before, this is what worked, and why don't you think about this playbook and automate this part? So I think the world in 2020 is going to be a lot of augmentation.
>> One of the things we've heard from a number of your customers is security in DevOps and how they are using the DevOps mentality to make security more pervasive and integrated in everything they do. Could you explain how Splunk fits into that discussion?
>> Yeah, so DevSecOps, I think that's, sort of, the term you might be alluding to, and I think the cloud adoption, the acceleration, and the new IT is really, sort of, bringing that into focus for us. Splunk plays to that in several ways. We have a security business, we have an IT business, and you may have heard we just acquired another company called VictorOps, after Phantom. So they're really helping the DevOps world and trying to coordinate and enable collaboration. So we definitely expect that capability will show up on the security side to help the DevOps, DevSecOps world, and we are also, as a company, taking data security really seriously.
So we are putting a lot of, you know, you saw the data stream processing and one of the capabilities to obfuscate credit cards and for GDPR and a lot of other things, there's that mending. You got to give people the control of things so there is a lot of that. We're taking into consideration and putting that into the product and the other thing is, really, we ourselves operate probably one of the biggest, sort of, cloud capabilities on AWS and we have infused a lot of best practices around, how do you automate? How do you protect? How do you be compliant? And how do you ensure customers have control? And there's a lot of work we're doing there and practicing DevSecOps ourselves. >> Haiyan, in thinking about the Splunk portfolio and in the context of the vision that you guys laid out, how does Splunk's existing portfolio fit into that vision and where are the gaps? What has to evolve, whether it's your capabilities, or the industry's MI, ML, or machine learning capabilities? Where are the gaps? >> So I think in many ways the ten core capabilities were laid out. I'm going to try to go through them in my head. So. >> Okay. >> Ingest. Detect. Predict. And then automate. Orchestrate. Recommend. Investigate. Case Management. Collaborate. And reporting. So those are the ten. When we were sharing with our audience, we actually look at our ES, UBA, and Phantom. We are able to give them all those capabilities to get started on their path for SOC 2020. But we also realize and recognize that all those capabilities, I'll give you an example, Case Management, now there are more and more requirements coming to the security side to say I want you to bring all the different things together, and I want you to take in the automated playbooks and how this plays into those, so there's always room for us to continue to enhance those capabilities.
But, we also see the opportunity for us to bring all those things in a more seamless way into, sort of, one full stack, the full stack that gives you, you know, I don't know if you heard the term, powering the OODA Loop? Right, the observe, orient, decide, and act. And that was really, sort of, military strategy for the fighter pilots to say the whole premise is whoever can power that loop, and execute the fastest, wins. >> It's like ready, fire but more data focused. >> More data focused, I like that. So for us, it's really how do we bring the portfolio together, so they can really power that loop in a very intuitive way. And in a very open way. I want to make sure that I reiterate our commitment to be open. There's data layer, there is analytics layer, there's operational layer. We want to be that company that can bring the full stack and make them work really well. But, in the meantime work well with other data, with other analytics, detection engines, and other ways to operate. So being open is very important. >> And you'll automate as many of those or all of those ten that you mentioned. Do you automate the run book? >> Automated run book is what Phantom is all about and the run book gets more and more sophisticated and I think we give people the ways to say if on day one, you don't want to automate everything, especially shutting down his email, then you have the choice. But, it's as you learn, as you become more confident, and you have that under your control. How much you want to automate, and hopefully, as more automated actions are taken, we get to analyze those and start making recommendations so you become more comfortable with that. >> So I understand New York Presbyterian was in your session. And, you were talking about going beyond security. I often like to say that security and privacy are two different sides of the same coin. But, when they talked about going, well share with us, what you learned from them.
>> Yeah you have really the best phrase to say they are both sides and as a security professional in the digitized world I don't think you have a boundary to say my job starts with SOC and ends with SOC. It goes way beyond. It goes into data privacy. It goes into even fraud analytics, because a lot of things are happening online. It also goes into compliance. And, it's interesting that we thought years ago, compliance was driving investment. I think now with GDPR, with some of the data privacy challenges we've seen, that's impacting the masses, the criticalness of compliance is actually coming back. So the story that I was super impressed that our customer, New York Presbyterian shared with us is they had a challenge of really managing all this sort of patient records, and try to understand the staff's activities. Because, the auditors have a certain set of things. You know you shouldn't be snooping around the patient's record, if it's your neighbor, or your buddy. So they used Splunk and they powered, sort of, us with a lot of the data from various applications. They have probably 20 data sources, that's very healthcare centric. We partnered up, we had our product expert, and fraud experts on that. And, we built a privacy platform, an early version of that, and they showed it to their privacy officers, and they basically said we've not seen anything like this to give us the flexibility and ease of use to be able to bring everything together. And, they did even more than that. If you have time I'll share with you on the opiate diversion capabilities they started building with. >> Dave: Oh, yeah talk about that, yeah please. >> So we were thinking, we're just going to help them with compliance that makes their organization more compliant and better, but they didn't stop there.
They said well, based on the power we're able to, really, leverage from the Splunk platform, we see the data we have for our pharmacies, there's a lot of prescription, sort of, information and with the world that's battling the opiate epidemic, we think we can actually analyze the data and give us early patterns and warnings of what might be happening. So, that's the next project we're partnering up. And for us we have technology, and customers have domain knowledge, have data. I think that's a great partnership. And they are willing, they are wanting us to go evangelize 'cause they want the whole industry to benefit, they want the nation to benefit. >> Well we saw this week on 60 Minutes, did you see that story? The one pharmaceutical company got in big trouble and a doctor went to jail. The pharmaceutical company was shipping 500 million OxyContin pills into Florida. This is a state with a population of 20 million. Something was wrong. Obviously those were hitting the streets. And, this individual this doctor went to jail for life. So, data analysis could identify that. >> Data was there. I think it's the insight to look for the ways, to look for those things and having that insight drive decisions is really the partnership we have with our customers. >> We're seeing that, g'head Stu. >> Yeah I was just, you spoke on a panel of the Grace Hopper event. >> Haiyan: Last week. >> We've been hearing great messages of diversity at this show. You had the Carnival Cruise CEO up on stage giving some great discussion points yesterday. Maybe you could share a little bit of your experience at the show and the panel that you were on. >> The Grace Hopper is such an amazing event and we see so many college grads and people, sort of, starting their career and that is like the go-to place. And I see all the big companies, big, or small actually, putting so much effort to try to really evangelize to that audience.
'Cause California just passed, the Governor just signed into law, they require a woman on the board, as part of the requirements because diversity is being proven to bring better decision making into the board and I, myself, can tell you that my security leadership team over the years has become more and more diverse. I don't think diversity is just gender diversity. I think diversity needs to go beyond gender. It's background where people who are from the private sector, from the government, where people from different geos of the world. That sort of richness of perspective always gives us the best, sort of, angles to think about and validating, and debating on our, sort of, strategies. And going back to Grace Hopper, the panel that I was on was really sharing with the people who are there, what are some of the things that you should be prepared for if you want a cybersecurity career. And the part is not try to, oh here's a high bar. We really try to encourage everyone, whether you're technical, or you just having great analytical skills. I think one of my fellow panelists, she made a comment I thought was super funny. She was a CEO of a company and she said, sometimes women just have to have enough confidence and to go take the risk, grab the opportunity. She used the word, sometimes you have to fake it until you prove it and until you make it. And she's really just encouraging the attendees, just step up take the opportunity. I am in total agreement with that. >> Lean in, baby. >> Lean in. That's another way to do it. >> Haiyan thanks so much for coming back in theCUBE. Really great to see you again. >> Thank you for having me. >> You're very welcome. All right, keep it right there everybody. Stu and I will be right back with our next guest. Right after this short break. We're live from Orlando, Splunk .conf18. You're watching theCUBE. (upbeat music)
Monzy Merza & Haiyan Song, Splunk | Splunk .conf 2017
>> Announcer: Live from Washington DC, it's theCUBE, covering .conf2017, brought to you by Splunk. >> Well good morning, welcome to day two, Splunk .conf2017 here in Washington DC, theCUBE very proud to be here again for the seventh time I believe this is. John Walls, Dave Vellante. Good morning, sir, how are you doing, David? >> I'm doing well thank you. >> Did you have a good night? >> Yeah, great night. >> DC, I know your son's here >> Walked round the district a little bit, yeah, it was good. >> It's good to have you here. >> At the party last night upstairs, (John laughs) talked to a few customers, trying to find out what they didn't like about Splunk, and it was not a lot of things. >> That would be a short conversation I think. We can do us, we got a couple of keynote rockstars with us this morning, Haiyan Song, who's the Senior Vice President of Security Markets at Splunk. Haiyan, good to see you again. >> Great to see you too. >> John: Thanks for coming back, Monzy Merza, who was the Head of Cybersecurity Research at Splunk. >> Thank you for having me. >> John: Monzy, commanding the stage with great acumen today, good job there. >> Monzy: Thank you. >> Yeah we'll get into that a little bit later. But first off, let's just kind of set the table here a little bit. I know this is a bit of transformational year for you in terms of security, in how you're building out your portfolio, and your services, and so kind of walk us through that. What are you doing, Haiyan, in terms of, I guess being available, right, for whomever, whenever, wherever they are in their security journey you might say. >> Journey is the keyword this year, and nerve center is another one that I highlighted at my super session yesterday. So when I reflect on, this is your seventh year, and when I reflect on the last three years, right, we came in and really talked about the enterprise security product on the first year. 
And the second year we talked about, you know, how UBA adds to the capabilities for better detection and machine learning. We introduced different features. This year we didn't start the conversation on, "Here's a new feature". This year we started the conversation on you need to build a security nerve center. That's the new defense system. And there's a journey to get there, and our role is to enable you on that journey every step of the way. So it's a portfolio message, and not only for the very advanced customers, who want machine learning, who want to customize the threat models. Also for people who just started, to say I have the data, and help me get more insight into this, or help me understand how to leverage machine data across domains to really correlate and connect the dots, and do investigations. Or what are the important things to set up the basic operations. Very, very excited about the ability, transformational year, as you mentioned, that we can bring the full portfolio to our customers. >> So, Monzy, you've said in your keynote today, defenders can succeed. We talked off camera, you're an optimist. And all we need is this nerve center. So to date, has that nerve center been missing, has it been there and people haven't been able to take advantage of it, have the tools been too complicated? I wonder if you could unpack that a little bit? >> I think what's happened over the course of many years, as the security ecosystem matures and evolves, there are a lot of expert technologies in a variety of different areas, and it's a matter of bringing those expert technologies together, so that the operations teams can really take advantage of them. And you know, it's one thing to have a capability, but it's another to leverage that capability along with another capability and combine the forces together, and really that's the message, that's Haiyan's message, that's been there for the nerve center, that we can bring together.
And so when I say the defender has an advantage, I mean that, because I feel that the operations teams, the IT teams, as well as the security teams, have laid out a path, and the attacker cannot escape that path. You have to walk down a certain path to get to something to achieve or to steal or to do whatever, or damage that you need to do. So when you have a nerve center, you can bring all the instrumentation that's been placed along those paths to make use of it. So the attacker has to work within that terrain. They cannot escape that terrain. And that's what I mean, is the nerve center allows for that to occur. >> Now you guys have talked for a long time about bringing analytics and security, those worlds together. We've always obviously been a big proponent of that, but spending's just starting to shift, right. They're still spending a lot of money on the perimeter. I guess you have to. We all see the numbers, security investments continue to increase. But where are we today with regard to analytics and being able to proactively both identify and remediate? >> So I just echo what you just said. I'm so pleased to see the industry started the shift. I think being analytics-driven is really top of mind for people, and using machine learning automation to help really speed up the detection and even response are top of mind. We just did a CISO Customer Advisory Report on Monday, and we always ask when we start the meetings, "Tell us your top of mind challenges, tell us your top of, you know two investments, and what's the recommendation for Splunk?" And better, faster response, better faster detection and automation and analytics is top of mind for everybody. So for us, this year, extremely, extremely happy to talk about how we're completing that narrative for analytics-driven security.
>> Well on that point, you talk about analytics stories, and filling gaps, putting an entire narrative together so that somebody could loosen up the nuts, and they can see exactly where intrusions occur, what steps could be taken, and so on and so forth. So, I mean, dig a little deeper on that for us, maybe Monzy, you can jump on that, about what this concept of analytics stories, and then how you're translating that into your workplace. >> We thought about this for quite some time in terms of drilling down and saying, as analysts and practitioners, what is it that we desire? The security research team at Splunk is composed of people who spent many, many years in the trenches. So what do we want, what did we always want, and what was hard? And instead of trying to approach it from the perspective of, you know, let's just connect the dots, really take an adversarial model approach to say, "What does an adversary actually do?" and then as a defender, what do I do when I see certain things happening? And I see things on the network, I see things on the endpoint, and that's good, and a lot of people talk about that. But what do I do next? As the analyst, where do I go, and what would be helpful to me? So we took this concept of saying, let's not call them anything else, we actually fought over this for quite some time. These are not use cases, because use case has a very different connotation. We wanted stories because an adversary starts somewhere, adversary takes some action. The defender may see some of that action, but then the defender carries on and does other things, so we really had this notion of a day in the life, and we wanted to capture that day in the life from the perspective of what's important to their business, and really encapsulate that as a narrative, so that when the analysts and security operations teams get their hands on this stuff, they're not bootstrapping their way through the process.
They have a whole story that they can play through, and they can say, and if it doesn't make sense to them, that's okay, they can modify the story, and then have a complete narrative to understand the threat, and to understand their own actions. >> So we hear the stat a lot about how long it takes for organizations to identify an intrusion. It ranges I've been seeing, you know, ServiceNow flashing 191, I've seen it as high as 320. I'm not sure there's clear evidence that that number's compressing. I think it's early days there, but presumably analytics can help compress that number, but when I think about things like, you know, zero-day signatures, and other very high tech factors that are decades old now. Can analytics help us solve those problems? Can the technology, which kind of got us into this mess, get us out of the mess? (Monzy and Haiyan laugh) >> That's such a great point. It is the technology that just made our lives so much easier, as you know, living, and then it complicates it so much for security people. I'll give you a definitive yes, right. Analytics are there to help detect early warning signs, and it will help us, may not be able to just change the stats right now for the whole industry, I'm sure it's changing stats for a lot of the customers, especially when it comes to remediation. The more readily available the data is for you when you are sort of facing an incident, the faster you can get to the root cause and start remediating. That we have seen many of our customers talk about how it was going from weeks to days, days to hours, and that includes not just technology, but also process, right? Process streamlining and automating some of the things, and freeing up the people to do the things that they're great at, versus the mundane things, trying to collect the information. So I'm also a glass-half-full person, optimist, that's why we work together so well, that we really think being data driven, being analytics driven, is changing the game.
>> What about the technology of the malware? I think it was at a .conf, I think it was 2013, one of your guest speakers gave us an inside look at Stuxnet. Of course by then it was seven, eight years old, right? But it was fascinating, and you know you read more about it, and you learn more about it, and it's insidious. Has the technology on the defender side, I guess was my real question, accelerated to keep up with that pace? Where are we at with the bad technology and the good technology? Are they at a balance now, an equilibrium? >> I think it's going to be a constant evolutionary process. It's like anything else, you know, whether you look at thieves or whether you look at people who are trying to create new innovative solutions for themselves. I think the key that, this is the reason why I said this morning, is that defenders can have, I think I said unfair advantage, not just an advantage. And the reason for that is, some of the things Haiyan talked about, with analytics, and with the availability of technology that can create a nerve center. It's not so much so that someone can detect a certain type of threat. It's that we know the low fidelity sort of perturbations that cause us to fire an alarm, but there's so many of those that we get desensitized. The thing that's missing is, how do I connect something that is very low threshold, to another thing that's very low threshold, and sequence those things together, and then say, you know, combined all of this is a bad thing. And one of my colleagues uses as example, you know, I go to the doctor and I say you know, "I've got this headache for a long time", and the doctor says, "Don't worry, you don't have a tumor." And it's like, "Okay, great, thank you very much," (Dave laughs) but I still have the headache >> Still have the headache. >> And so this is why even in the analytics stories we use, and even in UBA and in enterprise security, we don't use the concept of a false positive. 
We use the concept of confidence, and we want to raise confidence in a particular situation, which is why the analytics story concept makes sense, is because within that story, the confidence keeps raising as you go farther and farther down the chain. >> So it's a confidence, but also married, presumably through analytics, with a degree of risk, right? So I can understand whether that asset is a high value asset or John's football pool or something like that. >> John: Which is going very well right now by the way. (all laugh) Bring it on, very happy. >> Now you guys have come out with some solutions for ransomware. I tweeted out this morning that I was pleased at .conf that we're talking about analytics, analytic-driven solutions to ransomware, and not just the typical, when we go these conferences, the air gap yap. Somebody tweeted back to me, said, "Dave, until we see 100% certainty with analytics-driven solutions, we better still have air gaps." So I guess I wanted, if you guys could weigh in on what should people be thinking about in terms of ransomware, in terms of an end to end solution. Can you comment? >> I will add and... So for us, right, even to follow on the last question you had, the advancement in technology is not just algorithms, it's actually the awareness and the mindset to instrument your enterprise, and the biggest information gap in an incident response is, I don't have the data, I don't know what happened. So I think there's lot of advancement happened. We did a war game, you know, tabletop exercise, that was one of the biggest takeaways. Oh we better go back and instrument our enterprise, or agency, so when something does happen, we can trace back, right? So that's number one. So ransomware's the same thing. If you have instrumented your infrastructure, your applications stack, and your cloud visibility, you can actually detect some of the anomalies early. It's never going to solve 100%. So security is all about layered defense, right. 
Adapting and adding more layers, because nobody is really claiming I can be 100%, so you just want to put different layers and hoping that as they sift through, you catch them along the way. >> I think it's a question of ecosystem, and really goes back to this notion that different people have instrumented their environments in different ways, they deploy different technologies. How much value can they get out of them? I think that's one vector. The other vector is, what is your risk threshold? Somebody may have absolutely zero tolerance for air gaps. But I would, as a research person, I would like to challenge even that premise. I've been privileged to work in certain environments, and there are some people who have incredible resources, and so it's just a question of what is your adversary model that you're trying to protect yourself against, what is your business model for which you're willing to take over that risk? So I don't think there is a too high endpoint, there isn't a single solution for any of these number of things. It really just has to match with your business operation or business risk posture that you want to accommodate. >> You know what, you're almost touching on a point that I did want to hit you up on before you left, about choice, and you know, it's almost like personal, how much risk am I willing to take on? It's about customization, and providing people different tools. So how much leash do you give people? I mean do you worry that if we allow you to do too much tinkering you actually do more harm than good? But how do you factor all that in to the kind of services that you're offering? >> I think that ultimately it's up to the customer to decide what's valuable and what's critical for their business. If somebody wants a complete solution from Splunk, we're going to serve those customers. 
You heard a number of announcements this week from ES Content updates, to opening up the SDK, you know, with UBA, to the Security Essentials app releases, and all of those different kinds of capabilities. On the top end of it, we have the machine learning toolkit. If you have experts that want to tinker and learn something more, and want to exert their own intuition and energy on a compute problem, we want to provide those capabilities. So it's not about us, it's about the ability for our customers to exert what is important to them, and get a significant advantage in the marketplace for their business. >> I think it's important to point out too for our audience, it's not just a technology problem. The security regimes in organizations for years have fallen on IT and security practitioners, and we wrote a piece several years ago on Wikibon Research, that bad user behavior is going to trump good security every time. And so it's everybody's responsibility. I mean it sounds like a bromide, but it's so true, and it's really part of the complete solution. You know, I mean, I presume you agree. >> Totally. Going back to the CISO Advisory Board, one of the challenges they pointed out is user accountability. That's one of the CISO's biggest challenges. It's not just technology. It's how can they train the users and make them responsible and somehow hold them accountable. I thought that was a really very interesting insight we didn't talk about before. >> Yeah, you don't want to hear my bad, but unfortunately you do. Well, we were kind of kidding before we got started, we said, "We've got an hour to chat." It seems like it was just a matter of minutes and so thank you for taking time. We could talk an hour, I think. >> Monzy: Oh easy. >> Fascinating subject. And we thank you both for your time here today, and great show. >> [Haiyan and Monzy] Thank you for having us. >> Haiyan: It's always a pleasure to be here. >> You bet, all right, thank you Haiyan and Monzy.
Back with more of theCUBE here covering .conf2017 live in Washington DC.
Day Two Kick Off | Splunk .conf 2017
>> Announcer: Live from Washington D. C., it's the CUBE. Covering .conf2017. Brought to you by Splunk. (electronic music) >> Welcome back to the nation's capital everybody. This is the CUBE, the leader in live tech coverage. And we're here at day two covering Splunk's .conf user conference #splunkconf17, and my name is Dave Vellante, I'm here with co-host, George Gilbert. As I say, this is day two. We just came off the keynotes. I'm over product orientation today. George, what I'd like to do is summarize the day and the quarter that we've had so far, and then bring you into the conversation and get your opinion on what you heard. You were at the analyst event yesterday. I've been sitting in keynotes. We've been interviewing folks all day long. So let me start, Splunk is all about machine data. They ingest machine data, they analyze machine data for a number of purposes. The two primary use cases that we've heard this week are really IT, what I would call operations management. Understanding the behavior of your systems. What's potentially going wrong, what needs to be remediated to avoid an outage or remediate an outage. And of course the second major use case that we've heard here is security. Some of the Wall Street guys, I've read some of the work this morning. Particularly Barclays came out with a research note. They had concerns about that, and I really don't know what the concerns are. We're going to talk about it. I presume it's that they're looking for a TAM expansion strategy to support a ten billion dollar valuation, and potentially a much higher valuation. It's worth noting the conference this year is 7,000 attendees, up from 5,000 last year. That's a 40% increase, growing at, or above actually, the pace of revenue growth at Splunk. Pricing remains a concern for some of the users that I've talked to. And I want to talk to you about that. And then of course, there's a lot of product updates that I want to get into. 
Splunk Enterprise 7.0 which is really Splunk's core analytics platform ITSI which is what I would, their 3.0, which I would call their ITOM platform. UBA which is user behavior analytics 4.0. Updates to Splunk Cloud, which is a service for machine data in the cloud. We've heard about machine learning across the portfolio, really to address alert fatigue. And a new metrics engine called Mstats. And of course we heard today, enterprise content security updates and many several security-oriented solutions throughout the week on fraud detection, ransomware, they've got a deal with Booz Allen Hamilton on Cyber4Sight which is security as a service that involves human intelligence. And a lot of ecosystem partnerships. AWS, Dell EMC was on yesterday, Atlassian, Gigamon, et cetera, growing out the ecosystem. That's a quick rundown, George. I want to start with the pricing. I was talking to some users last night before the party. You know, "What do you like about Splunk? "What don't you like about Splunk? "Are you a customer?" I talked to one prospective customer said, "Wow, I've been trying to do "this stuff on my own for years. "I can't wait to get my hands on this." Existing customers, though, only one complaint that I heard was your price is too high, essentially is what they were telling Splunk. Now my feeling on that, and Raimo from Barclays mentioned that in his research note this morning. Raimo Lenschow, top securities analyst following software industry. And my feeling George is that historically, "Your price is too high," has never been a headwind for software companies. You look at Oracle, you look at ServiceNow, sometimes customers complain about pricing too high. Splunk, and those companies tend to do very well. What's your take on pricing as a headwind or tailwind indicator? >> Well the way, you always set up these questions in a way that makes answering them easy. Because it's a tailwind in the sense that the deal sizes feed an enterprise sales force. 
And you need an enterprise sales force ultimately to be pervasive in an organization. 'Cause you can't just throw up like an Amazon-style console and say, "Pick your poison and put it all together." There has to be an advisory, consultative approach to working with a customer to tell them how best to fit their portfolio. >> Right. >> And their architecture. So yes, the price helps you feed that what some people in the last era of enterprise software used to call the most expensive migratory workforce in the world, which is the sales, enterprise sales organization. >> Sure, right. >> But what's happened in the different, in the change from the last major enterprise applications, ERP, CRM, and what we're getting into now, is that then the data was all generated and captured by humans. It was keyboard entry. And so there was no, the volumes of data just weren't that great. It was human, essentially business transactions. Now we're capturing data streaming off everything. And you could say Splunk was sort of like the first one out of the gate doing that. And so if you take the new types of data, customer interactions, there are about ten to a hundred customer interactions for every business transaction. Then the information coming out of the IT applications and infrastructure. It's about ten to a hundred times what the customer interactions were. >> Yeah. >> So you can't price the, Your pricing model, if it stays the same will choke you. >> So you're talking about multiple orders of magnitude >> Yes. >> Of more data. >> Yeah. >> And if you're pricing by the terabyte, >> Right. >> Then that's going to cross your customers. >> Right. But here's what I would argue though George. I mean, and you mentioned AWS. AWS is another one where complaints of high pricing. But if, to me, if the company is adding value, the clients will pay for it. 
And when you get to the point where it becomes a potential headwind, the company, Oracle is a classic at this, will always adjust its pricing to accommodate both its needs as a public organization and a company that has to make money and fund R&D, and the customers' needs, and find that balance where the competition can't get in. And so it seems to me, and we heard this from Doug Merritt yesterday, that his challenge is staying ahead of the game. Staying, moving faster than the cloud guys. >> Yeah. >> In what they do well. And to the extent that they do that, I feel like their customers will reward them with their loyalty. And so I feel as though they can adjust their pricing mechanisms. Yeah, everybody's worried about 606, and of course the conversions to subscriptions. I feel as though a high growth, and adjustments to your pricing strategy, I think can address that. What do you think about that? >> It's... It sounds like one of those sayings where, the friends say, "Well it works in practice, "but does it work in theory?" >> No, no. But it has worked in practice in the industry hasn't it? So what's different now? >> Okay. So take Oracle, at list price for Oracle 12c, flagship database. The price per processor core, with all the features thrown in, is something like three hundred thousand, three hundred fifty thousand per core. So you take an average Intel high end server chip, that might have 24 cores, and then you have two sockets, so essentially one node server is 48 times 350. And then of course, Oracle will say, "But for a large customer, we'll knock 90% off that," or something like that. >> Yeah, well exactly. >> Which is exactly what the Splunk guys told me yesterday. But it's-- >> But that's what I'm saying. They'll do what they have to do to maintain the footprint in the customer, do right by the customer, and keep the competition out. >> But if it's multiple orders of magnitude different. 
If you take the open source guys where essentially the software's free and you're just paying for maintenance. >> (laughs) Yeah and humans. >> Yeah, yeah. >> Okay, that's the other advantage of Splunk, as you pointed out yesterday, they've got a much more integrated set of offerings and services that dramatically lower. I mean, we all know the biggest cost of IT is people. It's not the hardware and software but, all right, I don't want to rat hole on pricing, but that was a good discussion. What did you learn yesterday? You've sat through the analyst meeting. Give us the rundown on George Gilbert's analysis of .conf generally and Splunk as a company specifically. >> Okay, so for me it was a bit of an eye opener because I got to understand sort of, I've always had this feeling about where Splunk fits relative to the open source big data ecosystem. But now I got a sense for what their ambitions are, and what their tactical plan is. I've said for a while, Splunk's the anti-Hadoop. You know, Hadoop is multiple, sort of dozens of animals with three zookeepers. And I mean literally. >> Yeah. >> And the upside of that is, those individual projects are advancing with a pace of innovation that's just unheard of. The problem is the customer bears the burden of putting it all together. Splunk takes a very different approach which is, they aspire apparently to be just like Hadoop in terms of platform for modern operational analytic applications, but they start much narrower. And it gets to what Raimo's point was in that Wall Street review, where if you take at face value what they're saying, or you've listened just to the keynote, it's like, "Geez, they're in this IT operations ghetto, "in security and that's a La Brea tar pit, "and how are they ever going to climb out of that, "to something really broad?" But what they're doing is, they're not claiming loudly that they're trying to topple the giants and take on the world. 
They're trying to grow in their corner where they have a defensible moat. And basically the-- >> Let me interrupt you. >> Yeah. >> But to get to five billion >> Yeah. >> Or beyond, they have to have an aggressive TAM expansion strategy, kind of beyond ITOM and security, don't they? >> Right. And so that's where they start generalizing their platform. The data store they had on the platform, the original one, is kind of like a data lake in the sense that it really was sort of the same searchable type index that you would put under a sort of a primitive search engine. They added a new data store this time that handles numbers really well and really fast. That's to support the metrics so they can have richer analytics on the dashboard. Then they'll have other data stores that they add over time. And for each one, you're able to now build with their integrated tool set, more and more advanced apps. >> So you can't use a general purpose data store. You've got to use the Splunk within data. It's kind of like Workday. >> Yeah, well except that they're adding more over time, and then they're putting their development tools over these to shield them. Now how seamlessly they can shield them remains to be seen. >> Well, but so this is where it gets interesting. >> Yeah. >> Splunk as a platform, as an application development platform on which you can build big data apps, >> Yeah. >> It's certainly, conceptually, you can see how you could use Splunk to do that right? >> And so their approaches out of the box will help you with enterprise security, user, they call it user behavior analytics, because it's a term another research firm put on it, but it's really any abnormal behavior of an entity on the network. So they can go in and not sell this fuzzy concept of a big data platform. They said, they go in and sell, to security operations center, "We make your life much, much easier. "And we make your organization safer." And they call these curated experiences. 
And the reason this is important is, when Hadoop sells, typically they go in, and they say, "Well, we have this data lake. "which is so much cheaper and a better way "to collect all your data than a data warehouse." These guys go in and then they'll add what more and more of these curated experiences, which is what everyone else would call applications. And then the research Wikibon's done, depth first, or rather breadth first versus depth first. Breadth first gives you the end to end visibility across on prem, across multiple clouds, down to the edge. But then, when they put security apps on it, when they put DevOps or, some future big data analytics apps as their machine learning gets richer and richer, then all of a sudden, they're not selling the platform, because that's a much more time-intensive sale, and lots more of objectives, I'm sorry, objections. >> It's not only the solutions, those depth solutions. >> Yes, and then all of a sudden, the customer wakes up and he's got a dozen of these things, and all of a sudden this is a platform. >> Well, ServiceNow is similar in that it's a platform. And when Fred Luddy first came out with it, it's like, "Here." And everybody said, "Well, what do I do with it?" So he went back and wrote an IT service management app. And they said, "Oh okay, we get it." Splunk in a similar way has these depth apps, and as you say, they're not selling the platform, because they say, "Hey, you want to buy a platform?" people don't want to buy a platform, they want to buy a solution. >> Right. >> Having said that, that platform is intrinsic to their solutions when they deliver it. It's there for them to leverage. So the question is, do they have an application developer kit strategy, if you will. >> Yeah. >> Whether it's low code or even high code. >> Yeah. >> Where, and where they're cultivating a developer community. Is there anything like that going on here at .conf? 
>> Yeah, they're not making a big deal about the development tools, 'cause that makes it sound more like a platform. >> (laughs) But they could! >> But they could. And the tools, you know, so that you can build a user interface, you can build dashboards, you can build machine learning models. The reason those tools are simpler and more accessible to developers, is because they were designed to fit the pieces underneath, the foundation. Whereas if you look at some of the open source big data ecosystem, they've got these notebooks and other tools where you address one back end this way, another back end that way. It's sort of, you know, you can see how Frankenstein was stitched together, you know? >> Yeah so, I mean to your point, we saw fraud detection, we saw ransomware, we see this partnership with Booz Allen Hamilton on Cyber4Sight. We heard today about project Waytono, which is unified monitoring and troubleshooting. And so they have very specific solutions that they're delivering, that presumably many of them are for pay. And so, and bringing ML across the platform, which now open up a whole ton of opportunities. So the question is, are these incremental, defend the base and then grow the core solutions, or are they radical innovations in your view? >> I think they're trying to stay away from the notion of radical innovation, 'cause then that will create more pushback from organizations. So they started out with a Google-search-like product for log analytics. And you can see that as their aspirations grow for a broader set of applications, they add in a richer foundation. There's more machine learning algorithms now. They added that new data store. And when we talked about this with the CEO, Doug Merritt yesterday at the analyst day, he's like, "Yes, you look out three to five years, "and the platform gets more and more broad. "and at some point customers wake up "and they realize they have a new strategic platform." 
>> Yeah, and platforms do beat products, and even though it's hard sell, if you have a platform like Splunk does, you're in a much better strategic position. All right, we got to wrap. George thanks for joining me for the intro. I know you're headed to New York City for Big Data NYC down there, which is the other coverage that we have this week. So thank you again for coming on. >> Okay. >> All right, keep it right there. We'll be back with our next guest, we're live. This is the CUBE from Splunk .conf2017 in the nation's capital, be right back. (electronic music)