>>The Cube presents Ignite 22, brought to you by Palo Alto Networks. >>Welcome back to Vegas. Guys. We're happy that you're here. Lisa Martin here covering with Dave Valante, Palo Alto Networks Ignite 22. We're at MGM Grand. This is our first day, Dave of two days of cube coverage. We've been having great conversations with the ecosystem with Palo Alto executives, with partners. One of the things that they have is unit 42. We're gonna be talking with them next about cyber intelligence. And the threat data that they get is >>Incredible. Yeah. They have all the data, they know what's going on, and of course things are changing. The state of play changes. Hold on a second. I got a text here. Oh, my Netflix account was frozen. Should I click on this link? Yeah. What do you think? Have you had a, it's, have you had a little bit more of that this holiday season? Yeah, definitely. >>Unbelievable, right? A lot of smishing going on. >>Yeah, they're very clever. >>Yeah, we're very pleased to welcome back one of our alumni to the queue. Wendy Whitmore is here, the SVP of Unit 42. Welcome back, Wendy. Great to have >>You. Thanks Lisa. So >>Unit 42 created back in 2014. One of the things that I saw that you said in your keynote this morning or today was everything old is still around and it's co, it's way more prolific than ever. What are some of the things that Unit 42 is seeing these days with, with respect to cyber threats as the landscape has changed so much the last two years alone? >>You know, it, it has. So it's really interesting. I've been responding to these breaches for over two decades now, and I can tell you that there are a lot of new and novel techniques. I love that you already highlighted Smishing, right? In the opening gate. Right. Because that is something that a year ago, no one knew what that word was. I mean, we, it's probably gonna be invented this year, right? But that said, so many of the tactics that we have previously seen, when it comes to just general espionage techniques, right? Data act filtration, intellectual property theft, those are going on now more than ever. And you're not hearing about them as much in the news because there are so many other things, right? We're under the landscape of a major war going on between Russia and Ukraine of ransomware attacks, you know, occurring on a weekly basis. And so we keep hearing about those, but ultimately these nations aid actors are using that top cover, if you will, as a great distraction. It's almost like a perfect storm for them to continue conducting so much cyber espionage work that like we may not be feeling that today, but years down the road, they're, the work that they're doing today is gonna have really significant impact. >>Ransomware has become a household word in the last couple of years. I think even my mom knows what it is, to some degree. Yeah. But the threat actors are far more sophisticated than they've ever written. They're very motivated. They're very well funded. I think I've read a stat recently in the last year that there's a ransomware attack once every 11 seconds. And of course we only hear about the big ones. But that is a concern that goes all the way up to the board. >>Yeah. You know, we have a stat in our ransomware threat report that talks about how often victims are posted on leak sites. And I think it's once every seven minutes at this point that a new victim is posted. Meaning a victim has had their data, a victim organization had their data stolen and posted on some leak site in the attempt to be extorted. So that has become so common. One of the shifts that we've seen this year in particular and in recent months, you know, a year ago when I was at Ignite, which was virtual, we talked about quadruple extortion, meaning four different ways that these ransomware actors would go out and try to make money from these attacks in what they're doing now is often going to just one, which is, I don't even wanna bother with encrypting your data now, because that means that in order to get paid, I probably have to decrypt it. Right? That's a lot of work. It's time consuming. It's kind of painstaking. And so what they've really looked to do now is do the extortion where they simply steal the data and then threaten to post it on these leak sites, you know, release it other parts of the web and, and go from there. And so that's really a blending of these techniques of traditional cyber espionage with intellectual property theft. Wow. >>How trustworthy are those guys in terms of, I mean, these are hackers, right? In terms of it's really the, the hacker honor system, isn't it? I mean, if you get compromised like that, you really beholden to criminals. And so, you >>Know, so that's one of the key reasons why having the threat intelligence is so important, right? Understanding which group that you're dealing with and what their likelihood of paying is, what's their modus operandi. It's become even more important now because these groups switch teams more frequently than NFL trades, you know, free agents during the regular season, right? Or players become free agents. And that's because their infrastructure. So the, you know, infrastructure, the servers, the systems that they're using to conduct these attacks from is actually largely being disrupted more from law enforcement, international intelligence agencies working together with public private partnerships. So what they're doing is saying, okay, great. All that infrastructure that I just had now is, is burned, right? It's no longer effective. So then they'll disband a team and then they'll recruit a new team and it's constant like mixing and matching in players. >>All that said, even though that's highly dynamic, one of the other areas that they pride themselves on is customer service. So, and I think it's interesting because, you know, when I said they're not wanting to like do all the decryption? Yeah. Cuz that's like painful techni technical slow work. But on the customer service side, they will create these customer service portals immediately stand one up, say, you know, hey it's, it's like an Amazon, you know, if you've ever had to return a package on Amazon for example, and you need to click through and like explain, you know, Hey, I didn't receive this package. A portal window pops up, you start talking to either a bot or a live agent on the backend. In this case they're hu what appeared to be very much humans who are explaining to you exactly what happened, what they're asking for, super pleasant, getting back within minutes of a response. And they know that in order for them to get paid, they need to have good customer service because otherwise they're not going to, you know, have a business. How, >>So what's the state of play look like from between nation states, criminals and how, how difficult or not so difficult is it for you to identify? Do you have clear signatures? My understanding in with Solar Winds it was a little harder, but maybe help us understand and help our audience understand what the state of play is right now. >>One of the interesting things that I think is occurring, and I highlighted this this morning, is this idea of convergence. And so I'll break it down for one example relates to the type of malware or tools that these attackers use. So traditionally, if we looked at a nation state actor like China or Russia, they were very, very specific and very strategic about the types of victims that they were going to go after when they had zero day. So, you know, new, new malware out there, new vulnerabilities that could be exploited only by them because the rest of the world didn't know about it. They might have one organization that they would target that at, at most, a handful and all very strategic for their objective. They wanted to keep that a secret as long as possible. Now what we're seeing actually is those same attackers going towards one, a much larger supply chain. >>So, so lorenzen is a great example of that. The Hafnia attacks towards Microsoft Exchange server last year. All great examples of that. But what they're also doing is instead of using zero days as much, or you know, because those are expensive to build, they take a lot of time, a lot of funding, a lot of patience and research. What they're doing is using commercially available tools. And so there's a tool that our team identified earlier this year called Brute Rael, C4 or BRC four for short. And that's a tool that we now know that nation state actors are using. But just two weeks ago we invested a ransomware attack where the ransomware actor was using that same piece of tooling. So to your point, yak can get difficult for defenders when you're looking through and saying, well wait, they're all using some of the same tools right now and some of the same approaches when it comes to nation states, that's great for them because they can blend into the noise and it makes it harder to identify as >>Quickly. And, and is that an example of living off the land or is that B BRC four sort of a homegrown hacker tool? Is it, is it a, is it a commercial >>Off the shelf? So it's a tool that was actually, so you can purchase it, I believe it's about 2,500 US dollars for a license. It was actually created by a former Red teamer from a couple well-known companies in the industry who then decided, well hey, I built this tool for work, I'm gonna sell this. Well great for Red teamers that are, you know, legitimately doing good work, but not great now because they're, they built a, a strong tool that has the ability to hide amongst a, a lot of protocols. It can actually hide within Slack and teams to where you can't even see the data is being exfiltrated. And so there's a lot of concern. And then now the reality that it gets into the wrong hands of nation state actors in ransomware actors, one of the really interesting things about that piece of malware is it has a setting where you can change wallpaper. And I don't know if you know offhand, you know what that means, but you know, if that comes to mind, what you would do with it. Well certainly a nation state actor is never gonna do something like that, right? But who likes to do that are ransomware actors who can go in and change the background wallpaper on a desktop that says you've been hacked by XYZ organization and let you know what's going on. So pretty interesting, obviously the developer doing some work there for different parts of the, you know, nefarious community. >>Tremendous amount of sophistication that's gone on the last couple of years alone. I was just reading that Unit 42 is now a founding member of the Cyber Threat Alliance includes now more than 35 organizations. So you guys are getting a very broad picture of today's threat landscape. How can customers actually achieve cyber resilience? Is it achievable and how do you help? >>So I, I think it is achievable. So let me kind of parse out the question, right. So the Cyber Threat Alliance, the J C D C, the Cyber Safety Review Board, which I'm a member of, right? I think one of the really cool things about Palo Alto Networks is just our partnerships. So those are just a handful. We've got partnerships with over 200 organizations. We work closely with the Ukrainian cert, for example, sharing information, incredible information about like what's going on in the war, sharing technical details. We do that with Interpol on a daily basis where, you know, we're sharing information. Just last week the Africa cyber surge operation was announced where millions of nodes were taken down that were part of these larger, you know, system of C2 channels that attackers are using to conduct exploits and attacks throughout the world. So super exciting in that regard and it's something that we're really passionate about at Palo Alto Networks in terms of resilience, a few things, you know, one is visibility, so really having a, an understanding of in a real, as much of real time as possible, right? What's happening. And then it goes into how you, how can we decrease operational impact. So that's everything from network segmentation to wanna add the terms and phrases I like to use a lot is the win is really increasing the time it takes for the attackers to get their work done and decreasing the amount of time it takes for the defenders to get their work done, right? >>Yeah. I I call it increasing the denominator, right? And the ROI equation benefit over or value, right? Equals equals or benefit equals value over cost if you can increase the cost to go go elsewhere, right? Absolutely. And that's the, that's the game. Yeah. You mentioned Ukraine before, what have we learned from Ukraine? I, I remember I was talking to Robert Gates years ago, 2016 I think, and I was asking him, yeah, but don't we have the best cyber technology? Can't we attack? He said, we got the most to lose too. Yeah. And so what have we learned from, from Ukraine? >>Well, I, I think that's part of the key point there, right? Is you know, a great offense essentially can also be for us, you know, deterrent. So in that aspect we have as an, as a company and or excuse me, as a country, as a company as well, but then as partners throughout all parts of the world have really focused on increasing the intelligence sharing and specifically, you know, I mentioned Ukrainian cert. There are so many different agencies and other sorts throughout the world that are doing everything they can to share information to help protect human life there. And so what we've really been concerned with, with is, you know, what cyber warfare elements are going to be used there, not only how does that impact Ukraine, but how does it potentially spread out to other parts of the world critical infrastructure. So you've seen that, you know, I mentioned CS rrb, but cisa, right? >>CISA has done a tremendous job of continuously getting out information and doing everything they can to make sure that we are collaborating at a commercial level. You know, we are sharing information and intelligence more than ever before. So partners like Mania and CrowdStrike, our Intel teams are working together on a daily basis to make sure that we're able to protect not only our clients, but certainly if we've got any information relevant that we can share that as well. And I think if there's any silver lining to an otherwise very awful situation, I think the fact that is has accelerated intelligence sharing is really positive. >>I was gonna ask you about this cause I think, you know, 10 or so years ago, there was a lot of talk about that, but the industry, you know, kind of kept things to themselves, you know, a a actually tried to monetize some of that private data. So that's changing is what I'm hearing from you >>More so than ever more, you know, I've, I mentioned I've been in the field for 20 years. You know, it, it's tough when you have a commercial business that relies on, you know, information to, in order to pay people's salaries, right? I think that has changed quite a lot. We see the benefit of just that continuous sharing. There are, you know, so many more walls broken down between these commercial competitors, but also the work on the public private partnership side has really increased some of those relationships. Made it easier. And you know, I have to give a whole lot of credit and mention sisa, like the fact that during log four J, like they had GitHub repositories, they were using Slack, they were using Twitter. So the government has really started pushing forward with a lot of the newer leadership that's in place to say, Hey, we're gonna use tools and technology that works to share and disseminate information as quickly as we can. Right? That's fantastic. That's helping everybody. >>We knew that every industry, no, nobody's spared of this. But did you notice in the last couple of years, any industries in particular that are more vulnerable? Like I think of healthcare with personal health information or financial services, any industries kind of jump out as being more susceptible than others? >>So I think those two are always gonna be at the forefront, right? Financial services and healthcare. But what's been really top of mind is critical infrastructure, just making sure right? That our water, our power, our fuel, so many other parts of right, the ecosystem that go into making sure that, you know, we're keeping, you know, houses heated during the winter, for example, that people have fresh water. Those are extremely critical. And so that is really a massive area of focus for the industry right now. >>Can I come back to public-private partnerships? My question is relates to regulations because the public policy tends to be behind tech, the technology industry as an understatement. So when you take something like GDPR is the obvious example, but there are many, many others, data sovereignty, you can't move the data. Are are, are, is there tension between your desire as our desire as an industry to share data and government's desire to keep data private and restrict that data sharing? How is that playing out? How do you resolve that? >>Well I think there have been great strides right in each of those areas. So in terms of regulation when it comes to breaches there, you know, has been a tendency in the past to do victim shaming, right? And for organizations to not want to come forward because they're concerned about the monetary funds, right? I think there's been tremendous acceleration. You're seeing that everywhere from the fbi, from cisa, to really working very closely with organizations to, to have a true impact. So one example would be a ransomware attack that occurred. This was for a client of ours within the United States and we had a very close relationship with the FBI at that local field office and made a phone call. This was 7:00 AM Eastern time. And this was an organization that had this breach gone public, would've made worldwide news. There would've been a very big impact because it would've taken a lot of their systems offline. >>Within the 30 minutes that local FBI office was on site said, we just saw this piece of malware last week, we have a decryptor for it from another organization who shared it with us. Here you go. And within 60 minutes, every system was back up and running. Our teams were able to respond and get that disseminated quickly. So efforts like that, I think the government has made a tremendous amount of headway into improving relationships. Is there always gonna be some tension between, you know, competing, you know, organizations? Sure. But I think that we're doing a whole lot to progress it, >>But governments will make exceptions in that case. Especially for something as critical as the example that you just gave and be able to, you know, do a reach around, if you will, on, on onerous regulations that, that ne aren't helpful in that situation, but certainly do a lot of good in terms of protecting privacy. >>Well, and I think there used to be exceptions made typically only for national security elements, right? And now you're seeing that expanding much more so, which I think is also positive. Right. >>Last question for you as we are wrapping up time here. What can organizations really do to stay ahead of the curve when it comes to, to threat actors? We've got internal external threats. What can they really do to just be ahead of that curve? Is that possible? >>Well, it is now, it's not an easy task so I'm not gonna, you know, trivialize it. But I think that one, having relationships with right organizations in advance always a good thing. That's a, everything from certainly a commercial relationships, but also your peers, right? There's all kinds of fantastic industry spec specific information sharing organizations. I think the biggest thing that impacts is having education across your executive team and testing regularly, right? Having a plan in place, testing it. And it's not just the security pieces of it, right? As security responders, we live these attacks every day, but it's making sure that your general counsel and your head of operations and your CEO knows what to do. Your board of directors, do they know what to do when they receive a phone call from Bloomberg, for example? Are they supposed supposed to answer? Do your employees know that those kind of communications in advance and training can be really critical and make or break a difference in an attack. >>That's a great point about the testing but also the communication that it really needs to be company wide. Everyone at every level needs to know how to react. Wendy, it's been so great having, >>Wait one last question. Sure. Do you have a favorite superhero growing up? >>Ooh, it's gotta be Wonder Woman. Yeah, >>Yeah, okay. Yeah, so cuz I'm always curious, there's not a lot of women in, in security in cyber. How'd you get into it? And many cyber pros like wanna save the world? >>Yeah, no, that's a great question. So I joined the Air Force, you know, I, I was a special agent doing computer crime investigations and that was a great job. And I learned about that from, we had an alumni day and all these alumni came in from the university and they were in flight suits and combat gear. And there was one woman who had long blonde flowing hair and a black suit and high heels and she was carrying a gun. What did she do? Because that's what I wanted do. >>Awesome. Love it. We >>Blonde >>Wonder Woman. >>Exactly. Wonder Woman. Wendy, it's been so great having you on the program. We, we will definitely be following unit 42 and all the great stuff that you guys are doing. Keep up the good >>Work. Thanks so much Lisa. Thank >>You. Day our pleasure. For our guest and Dave Valante, I'm Lisa Martin, live in Las Vegas at MGM Grand for Palo Alto Ignite, 22. You're watching the Cube, the leader in live enterprise and emerging tech coverage.

(upbeat music) >> Okay, we're back to wrap up Fal.con 2022 CrowdStrike's customer event. You're watching theCUBE. My name is Dave Vellante. My co-host, Dave Nicholson, is on injured reserve today, so I'm solo. But I wanted to just give the audience a census to some of my quick takeaways. Really haven't given a ton of thought on this. We'll do review after we check out the videos and the transcripts, and do what we do at SiliconANGLE and theCUBE. I'd say the first thing is, look CrowdStrike continues to expand it's footprint. And, it's adding the identity module, through the preempt acquisition. Working very closely with managed service providers, MSPs, managed security service providers. Having an SMB play. So CrowdStrike has 20,000 customers. I think it could, it could 10X that, you know, over some period of time. As I've said earlier, it's on a path by mid-decade to be a 5 billion company, in terms of revenue. At the macro level, security is somewhat, I'd say it's less discretionary than some other investments. You know, you can, you can probably hold off buying a new storage device. You can maybe clean that up. You know, you might be able to hold off on some of your analytics, but at the end of the day, security is not completely non-discretionary. It's competing. The CISO is competing with other budgets. Okay? So it's, while it's less discretionary, it is still, you know, not an open checkbook for the CISO. Now, having said that, from CrowdStrike standpoint it has an excellent opportunity to consolidate tools. It's one of the biggest problems in the security business Go to Optiv and check out their security taxonomy. It'll make your eyes bleed. There's so many tools and companies that are really focused on one specialization. But really, what CrowdStrike can do with its 22 modules, to say, hey, we can give you ROI and consolidate those. And not only is it risk reduction, it's lowering the labor cost and labor intensity, so you can focus on other areas and free up the biggest problem that CISOs have. It's the lack of enough talent. So, really strong business value and value proposition. A lot of that is enabled by the architecture. We've talked about this. You can check out my breaking analysis that I dropped last weekend, on CrowdStrike. And, you know, can it become a generational company. But it's really built on a cloud-native architecture. George Kurtz and company, they shunned having an on-premise architecture. Much like Snowflake Frank Slootman has said, we're not doing a halfway house. We're going to put all our resources on a cloud-native architecture. The lightweight agent that allows them to add new modules and collect more data, and scale out. The purpose-built threat graph and and time series database, and asset graph that they've built. And very strong use of AI, to not only stop known malware, but stop unknown malware. Identify threats. Do that curation. And really, you know, support the SecOp teams. Product wise, I think the big three takeaways, and there were others, but the big three for me is EDR extending into XDR. You know, X is the extending for, in really, the core of endpoint detection and response, extending that further. Well, it seems to be a big buzzword these days. CrowdStrike, I think, is very focused on making a more complete, a holistic offering, beyond endpoint. And I think it's going to do very well in that space. They're not alone. There are others. It's a very competitive space. The second is identity. Through the acquisition of Preempt. CrowdStrike building that identity module. Partnering with leaders like Okta, to really provide that sort of, treating identity, if you will, as an endpoint. And then sort of Humio is now Falcon Log Scale. Bringing together, you know, the data and the observability piece, and the security piece, is kind of the three big product trends that I saw. I think the last point I'll make, before we wrap, is the ecosystem. The ecosystem here is good. It reminds me, I said, a number of times this week, of ServiceNow in 2013 I think the difference is, CrowdStrike has an SMB play it can go after many more customers, and actually have an even broader platform. And I think it can accelerate its ecosystem faster than ServiceNow was able to do that. I mean, it's got to be, sort of, an open and collaborative sort of ecosystem. You know, ServiceNow is kind of, more of, a one-way street. And I think the other piece of that ecosystem, that we see evolving, into IOT, into the operations technology and critical infrastructure. Which is so important, because critical infrastructure of nations is so vulnerable. We're seeing this in the Ukraine. Security is a key component now of any warfare. And going forward, it's always going to be a key component. Nation states are going to go after trust, or secure infrastructure, or critical infrastructure. Try to disable that and disrupt that. So securing those operation assets is going to be very critical. Not just the refrigerator and the coffee maker, but really going after those critical infrastructures. (chuckles) Getting asked to break. And the last thing I'll say, is the developer platform. We heard from ML that, the opportunity that's there, to build out a PaaS layer, super PaaS layer, if you will, so that developers can add value. I think if that happens, this ecosystem, which is breaking down, will explode. This is Dave Vellante, wrapping up at CrowdStrike, Fal.con 2022, Fal.con 2022. Go to SiliconAngle.com, for all the news. Check out theCUBE.net. You'll see these videos on demand and many others. Check out (indistinct).com for all the research. And look for where we'll be next. Of course, re:Invent is the big fall event, but there are many others in between. Thanks for watching. We're out. (music plays out)

>>The cube presents, Coon and cloud native con Europe 22, brought to you by the cloud native computing foundation. >>Welcome to Valencia Spain and con cloud native con 20 Europe, 2022. I'm your host, Keith Townson alongside a new host en Rico senior reti, senior editor. I'm sorry, senior it analyst at giong Enrique. Welcome to the program. >>Thank you very much. And thank you for having me. It's exciting. >>So thoughts, high level thoughts of CU con first time in person again in couple years? >>Well, this is amazing for several reasons. And one of the reasons is that yeah, I had the chance to meet, uh, with, uh, you know, people like you again. I mean, we, we met several times over the internet, over zoom codes. I, I started to eat these zoom codes. <laugh> because they're very impersonal in the end. And like last night we, we are together group of friends, industry folks. It's just amazing. And a part of that, I mean, the event is, uh, is a really cool, it's really cool. There are a lot from people interviews and, you know, real people doing real stuff, not just, uh, you know, again, in personal calls, you don't even know if they're telling the truth, but when you can, you know, look in their eyes, what they're doing, I, I think that's makes a difference. >>So speaking about real people, meeting people for the first time, new jobs, new roles, Greg Moscarella enterprise container management in general manager at SUSE, welcome to the show, welcome back clue belong. >>Thank you very much. It's awesome to be here. It's awesome to be back in person. And I completely agree with you. Like there's a certain fidelity to the conversation and a certain, uh, ability to get to know people a lot more. So it's absolutely fantastic to be here. >>So Greg, tell us about your new role and what SUSE has gone on at KU con. >>Sure. So I joined SA about three months ago to lead the rancher business unit, right? So our container management pieces and, you know, it's a, it's a fantastic time. Cause if you look at the transition from virtual machines to containers and to moving to micro services, right alongside that transition from on-prem to cloud, like this is a very exciting time to be in this industry and rancher's been setting the stage. And again, I'm go back to being here. Rancher's all about the community, right? So this is a very open, independent, uh, community driven product and project. And so this, this is kinda like being back to our people, right. And being able to reconnect here. And so, you know, doing it, digital is great, but, but being here is changes the game for us. So we, we feed off that community. We feed off the energy. So, uh, and again, going back to the space and what's happening in it, great time to be in this space. And you guys have seen the transitions you've seen, I mean, we've seen just massive adoption, uh, of containers and Kubernetes overall, and rancher has been been right there with some amazing companies doing really interesting things that I'd never thought of before. Uh, so I'm, I'm still learning on this, but, um, but it's been great so far. >>Yeah. And you know, when we talk about strategy about Kubernetes today, we are talking about very broad strategies. I mean, not just the data center or the cloud with, you know, maybe smaller organization adopting Kubernetes in the cloud, but actually large organization thinking guide and more and more the edge. So what's your opinion on this, you know, expansion of Kubernetes towards the edge. >>So I think you're, I think you're exactly right. And that's actually a lot of meetings I've been having here right now is these are some of these interesting use cases. So people who, uh, whether it be, you know, ones that are easy to understand in the telco space, right? Especially the adoption of 5g and you have all these base stations, new towers, and they have not only the core radio functions or network functions that they're trying to do there, but they have other applications that wanna run on that same environment, uh, spoke recently with some of our, our good friends at a major automotive manufacturer, doing things in their factories, right. That can't take the latency of being somewhere else. Right? So they have robots on the factory floor, the latency that they would experience if they tried to run things in the cloud meant that robot would've moved 10 centimeters. >>By the time, you know, the signal got back, it may not seem like a lot to you, but if, if, if you're an employee, you know, there, you know, uh, a big 2000 pound robot being 10 centimeters closer to you may not be what you, you really want. Um, there's, there's just a tremendous amount of activity happening out there on the retail side as well. So it's, it's amazing how people are deploying containers in retail outlets. You know, whether it be fast food and predicting, what, what, how many French fries you need to have going at this time of day with this sort of weather. Right. So you can make sure those queues are actually moving through. It's, it's, it's really exciting and interesting to look at all the different applications that are happening. So yes, on the edge for sure, in the public cloud, for sure. In the data center and we're finding is people want to common platform across those as well. Right? So for the management piece too, but also for security and for policies around these things. So, uh, it really is going everywhere. >>So talk to me, how do, how are we managing that as we think about pushing stuff out of the data center, out of the cloud cloud, closer to the edge security and life cycle management becomes like top of mind thought as, as challenges, how is rancher and sushi addressing >>That? Yeah. So I, I think you're, again, spot on. So it's, it starts off with the think of it as simple, but it's, it's not simple. It's the provisioning piece. How do we just get it installed and running right then to what you just asked the management piece of it, everything from your firmware to your operating system, to the, the cluster, uh, the Kubernetes cluster, that's running on that. And then the workloads on top of that. So with rancher, uh, and with the rest of SUSE, we're actually tacking all those parts of the problems from bare metal on up. Uh, and so we have lots of ways for deploying that operating system. We have operating systems that are, uh, optimized for the edge, very secure and ephemeral container images that you can build on top of. And then we have rancher itself, which is not only managing your Kubernetes cluster, but can actually start to manage the operating system components, uh, as well as the workload components. >>So all from your single interface, um, we mentioned policy and security. So we, yeah, we'll probably talk about it more, um, uh, in a little bit, but, but new vector, right? So we acquired a company called new vector, just open sourced, uh, that here in January, that ability to run that level of, of security software everywhere again, is really important. Right? So again, whether I'm running it on, whatever my favorite public cloud providers, uh, managed Kubernetes is, or out at the edge, you still have to have security, you know, in there. And, and you want some consistency across that. If you have to have a different platform for each of your environments, that's just upping the complexity and the opportunity for error. So we really like to eliminate that and simplify our operators and developers lives as much as possible. >>Yeah. From this point of view, are you implying that even you, you are matching, you know, self, uh, let's say managed clusters at the, at the very edge now with, with, you know, added security, because these are the two big problems lately, you know, so having something that is autonomous somehow easier to manage, especially if you are deploying hundreds of these that's micro clusters. And on the other hand, you need to know a policy based security that is strong enough to be sure again, if you have these huge robots moving too close to you, because somebody act the class that is managing them, that could be a huge problem. So are you, you know, approaching this kind of problems? I mean, is it, uh, the technology that you are acquired, you know, ready to, to do this? >>Yeah. I, I mean, it, it really is. I mean, there's still a lot of innovation happening. Don't, don't get me wrong. We're gonna see a lot of, a lot more, not just from, from SA and rancher, but from the community, right. There's a lot happening there, but we've come a long way and we've solved a lot of problems. Uh, if I think about, you know, how do you have this distributed environment? Uh, well, some of it comes down to not just, you know, all the different environments, but it's also the applications, you know, with microservices, you have very dynamic environment now just with your application space as well. So when we think about security, we really have to evolve from a fairly static policy where like, you might even be able to set an IP address in a port and some configuration on that. It's like, well, your workload's now dynamically moving. >>So not only do you have to have that security capability, like the ability to like, look at a process or look at a network connection and stop it, you have to have that, uh, manageability, right? You can't expect an operator or someone to like go in and manually configure a YAML file, right? Because things are changing too fast. It needs to be that combination of convenient, easy to manage with full function and ability to protect your, your, uh, your resources. And I think that's really one of the key things that new vector really brings is because we have so much intelligence about what's going on there. Like the configuration is pretty high level, and then it just runs, right? So it's used to this dynamic environment. It can actually protect your workloads wherever it's going from pod to pod. Uh, and it's that, that combination, again, that manageability with that high functionality, um, that, that is what's making it so popular. And what brings that security to those edge locations or cloud locations or your data center >>Mm-hmm <affirmative> so one of the challenges you're kind of, uh, touching on is this abstraction on upon abstraction. When I, I ran my data center, I could put, uh, say this IP address, can't talk to this IP address on this port. Then I got next generation firewalls where I could actually do, uh, some analysis. Where are you seeing the ball moving to when it comes to customers, thinking about all these layers of abstraction I IP address doesn't mean anything anymore in cloud native it's yes, I need one, but I'm not, I'm not protecting based on IP address. How are customers approaching security from the name space perspective? >>Well, so it's, you're absolutely right. In fact, even when you go to I P six, like, I don't even recognize IP addresses anymore. <laugh> >>Yeah. Doesn't mean anything like, oh, just a bunch of, yes, those are numbers, ER, >>And colons. Right. You know, it's like, I don't even know anymore. Right. So, um, yeah, so it's, it comes back to that, moving from a static, you know, it's the pets versus cattle thing. Right? So this static thing that I can sort of know and, and love and touch and kind of protect to this almost living, breathing thing, which is moving all around, it's a swarm of, you know, pods moving all over the place. And so, uh, it, it is, I mean, that's what Kubernetes has done for the workload side of it is like, how do you get away from, from that, that pet to a declarative approach to, you know, identifying your workload and the components of that workload and what it should be doing. And so if we go on the security side some more like, yeah, it's actually not even namespace namespace. >>Isn't good enough. We wanna get, if we wanna get to zero trust, it's like, just cuz you're running in my namespace doesn't mean I trust you. Right. So, and that's one of the really cool things about new vectors because of the, you know, we're looking at protocol level stuff within the network. So it's pod to pod, every single connection we can look at and it's at the protocol layer. So if you say you're on my database and I have a mye request going into it, I can confirm that that's actually a mye protocol being spoken and it's well formed. Right. And I know that this endpoint, you know, which is a, uh, container image or a pod name or some, or a label, even if it's in the same name, space is allowed to talk to and use this protocol to this other pod that's running in my same name space. >>Right. So I can either allow or deny. And if I can, I can look into the content that request and make sure it's well formed. So I'll give you an example is, um, do you guys remember the log four J challenges from not too long ago, right. Was, was a huge deal. So if I'm doing something that's IP and port based and name space based, so what are my protections? What are my options for something that's got log four J embedded in like I either run the risk of it running or I shut it down. Those are my options. Like those neither one of those are very good. So we can do, because again, we're at the protocol layers like, ah, I can identify any log for J protocol. I can look at whether it's well formed, you know, or if it's malicious, if it's malicious, I can block it. If it's well formed, I can let it go through. So I can actually look at those, those, um, those vulnerabilities. I don't have to take my service down. I can run and still be protected. And so that, that extra level, that ability to kind of peek into things and also go pod to pod, you know, not just name space level is one of the key differences. So I talk about the evolution or how we're evolving with, um, with the security. Like we've grown a lot, we've got a lot more coming. >>So let's talk about that a lot more coming what's in the pipeline for SUSE. >>Well, how, before I get to that, we just announced new vector five. So maybe I can catch us up on what was released last week. Uh, and then we can talk a little bit about going, going forward. So new vector five, introduce something called um, well, several things, but one of the things I can talk in more detail about is something called zero drift. So I've been talking about the network security, but we also have run time security, right? So any, any container that's running within your environment has processes that are running that container. What we can do is actually comes back to that manageability and configuration. We can look at the root level of trust of any process that's running. And as long as it has an inheritance, we can let that process run without any extra configuration. If it doesn't have a root level of trust, like it didn't spawn from whatever the, a knit, um, function was and that container we're not gonna let it run. Uh, so the, the configuration that you have to put in there is, is a lot simpler. Um, so that's something that's in, in new vector five, um, the web application firewall. So this layer seven security inspection has gotten a lot more granular now. So it's that pod Topo security, um, both for ingress egress and internal on the cluster. Right. >>So before we get to what's in the pipeline, one question around new vector, how is that consumed and deployed? >>How is new vector consumed, >>Deployed? And yeah, >>Yeah, yeah. So, uh, again with new vector five and, and also rancher 2 65, which just were released, there's actually some nice integration between them. So if I'm a rancher customer and I'm using 2 65, I can actually just deploy that new vector with a couple clicks of the button in our, uh, in our marketplace. And we're actually tied into our role-based access control. So an administrator who has that has the rights can just click they're now in a new vector interface and they can start setting those policies and deploying those things out very easily. Of course, if you aren't using, uh, rancher, you're using some other, uh, container management platform, new vector still works. Awesome. You can deploy it there still in a few clicks. Um, you're just gonna get into, you have to log into your new vector, uh, interface and, and use it from there. >>So that's how it's deployed. It's, it's very, it's very simple to use. Um, I think what's actually really exciting about that too, is we've opensourced it? Um, so it's available for anyone to go download and try, and I would encourage people to give it a go. Uh, and I think there's some compelling reasons to do that now. Right? So we have pause security policies, you know, depreciated and going away, um, pretty soon in, in Kubernetes. And so there's a few things you might look at to make sure you're still able to run a secure environment within Kubernetes. So I think it's a great time to look at what's coming next, uh, for your security within your Kubernetes. >>So, Paul, we appreciate you stopping by from ity of Spain. I'm Keith Townsend, along with en Rico Sinte. Thank you. And you're watching the, the leader in high tech coverage.

>>Hello everyone. And welcome to the cubes presentation of the AWS startup showcase open cloud innovations. This is season two episode one of our showcase ongoing series. We're covering very exciting startups from the AWS ecosystem. And we're going to be talking about the open source community. I'm your host, Lisa Martin. And today I'm excited to be joined by Robbie, Myra, the head of product and partner marketing at sneak. Robbie's here to talk with me about developer security for your digital transformation. Robbie, it's great to have you on the cube. >>Thanks Lisa. Nice to be here. >>So talk to me about what's going on in developer land. They're under a lot of pressure. A lot of them are building apps with open source, but what does sneak seeing from the developers lens >>From the developer's lens? There's a lot of pressure to build fast and that's probably the biggest challenge, right? We're in a world of digital transformation where everybody's trying to compete no matter what industry you're in, right on the technology and on the quality of your software or the capabilities of your software, which puts a lot of pressure on developers to build fast. That causes them to do a few things. One, it causes them to build, to develop in a way where they're doing constant iteration and so models that would have enabled a security check to come in at the end, aren't working anymore because they don't have time for those security checks. And it also causes them to do a good thing, which is to leverage other people's code when they can like open source. So they can just focus on, on their own functionality. And that's true, whether they're building new functionality or modernizing legacy applications by moving them to the cloud. >>So it's a high percentage of, of app code 80 to 90% is open source. Then that opens up. Talk to me about w where the vulnerabilities are and how you guys help customers and developers address that. >>Yeah, the vulnerabilities can be anywhere, but the key is that that point, right? If you're using open source in a typical application, 80 to 90 plus percent of the lines of code in that application are going to be open source code, their code. Somebody else wrote that you don't have a direct relationship with, and yet you own the risk that whatever they may have, whatever vulnerabilities may be in their code, you now own that risk. So what we're trying to do with sneakers, trying to do is enable developers to leverage open source, but do that securely. And then we also help them with the 10% that they rent as well, and, and do that all in one really easy environment for a developer that fits into their workflow and into their daily life. >>So security should shift left. I've had the chance to talk with a couple of, do you call them sneakers sneakers? Oh, you do a couple of sneakers recently. We've talked about security shifting lab. That's not a new concept, but I'd love to dig in more to how sneak and AWS do that. And I'm also curious if what you're doing helps. We've talked about the cybersecurity skills got for a long time. Now, just what you guys do, help address that >>It does because it's really leveraging a resource that, that is there, right? There's the number of developers worldwide is growing from, depending on who you believe for these numbers and their estimated numbers, right? But 25 million to 50 million over roughly a five-year period that's already started. So we're somewhere in the 30 now, right? Meanwhile, the security jobs, there's something like 9 million cyber security people in the world, and that's all cyber security roles. It's a much shorter, a smaller chunk that are application security folks. And there's three and a half million unfilled cybersecurity roles. So you can't get cyber security people and keep using the current model you're using. But just scale it linearly, you have to change things. And sneaks belief is the way you change things is you have the developers be part of your security solution, which means they need to have the ability to not only develop, but to develop securely. And that's our concept of developer security. We build tools and a platform that enables developers to be the first part of the security solution and enable security teams rather than individually auditing and fixing things to develop a process, govern the process, guide the development teams, but let the developers own that first step of security. And that's really how you solve that scale problem. >>When you're talking with customers, is this kind of a better together scenario, developers and security folks? Are you helping them align culturally because this is a change? >>Absolutely. I think one of the biggest misconceptions out there is that there's a tension between security and development. And I think that's because organizationally there might be right. Security is responsible for risk and developers responsible for speed of innovation and the faster you innovate, potentially there's more risk. So there might be some organizational tension, but at the human level, people understand each other, they understand the pressures that the other one's going through. They just don't have an easy way to work together. And if you can help them get that, then they, it really takes off it. The relationships form they'll build human to human programs like security champion programs and things to, to integrate the teams because they're both going after the same goal, both sides want to build awesome technology and grow in whatever market they're in. >>Right. And of course, with the need to do that at today's markets speed and scale is a great thing that you guys are doing to facilitate that collaboration. And of course the security let's kind of take a double-click now into the different integrations that sneek has with AWS services. I know there's quite a few, >>There's quite a few. The biggest one, probably the easiest one for the integrations is the native integration that we have with code pipeline. So it makes it easy for developers as they're finishing their builds and deploying to have an automatic security check that comes in, understands if there's things that need to be fixed before this really should be released, and then they can fix it and go forward. But we integrate across with our API across a lot of other services, ECR EKS code builder, so that wherever the developer is working, there's a way for us to integrate with them as they're building across their AWS development process. >>Okay. So giving them plenty of opportunity, let's dig into the platform. Talk to me about the platform, how it's really aimed at developers. You alluded to this a little bit, but I'd like to kind of take a double-click into the technology. >>Sure. That the platform, it, part of it is that idea of it we've wrapped it all as a developer tool. But the thing that makes sneak unique in this is not only we have the idea that we wanted to shift left in time, but we wanted to shift left in ownership. So the developers are primary user and we built a tool that is a developer tool that happens to do security. And we've extended that tool into a platform by enabling it to connect into the developers tools, sharing information, across different elements of what it securing. So for example, the open source that we're scanning for you and testing to find for vulnerabilities, we're also looking at the vulnerabilities in your code and where they may overlap or intersect. We can adjust priorities so that you might not need to fix something. Let's say you're using an open source, vulnerable, a package that has a vulnerability, but your code is never going to access that you don't need to fix it. >>So you can prioritize that one lower, right? Same thing with Kubernetes and containers. You may have a container vulnerability, but the way you're going to leverage the container that won't be used so we can adjust the priority to make it easy for the developer. And that's the other big thing that's different about a developer security platform than a typical security tool. A typical security tool is an audit tool it's designed to output. Here are all the things you have a problem with a developer security tool is a fixing tool. It's just defined as a, here are the problems you have developed with here's how you fix it and go back to building on that. That prioritization is a big part of that, because you can say, here's what you don't need to worry about. And then you can focus the rest of your energy on helping developers fix the problem either by giving them really good advice or automating it for them and saying, Hey, here's a button click that will generate a pull request. And your problem is this fixed. >>It must go a long way to improving developer productivity, one facilitating that speed and the agility with which they need to work, but also from a developer kind of crowd sourcing, crowd swell perspective. I imagine, talk to me about what some of the voices are, the developers that are in your community. What are some of the things that they're saying in terms of how much faster they're able to work, they're able to get those priorities established with automation so much faster? >>Well, that's the biggest thing. Is there a, the productivity gain happens because of the benefit of shift left, right? You're testing earlier. You're finding it at an earlier time when it's easier to fix, but that's because they're the ones doing it, right. If they're waiting to hand off to an auto report and then it comes back, even if somebody is, is giving them them audit faster, it's still after they've moved on. And the other way people try to solve it as well. They'll say, well, I'll take a security tool then to hand it to the developer and they can run it. But so developers are not security experts. So the tool needs to understand what they know and what they don't know, and, and working in an upload. And that's what developers generally say to us because sneak makes it easy to work, but also focuses on the fix and helps them guide them to that, to that answer. Then they're able to go much faster when we're evaluated by companies who are looking for a security solution. If the developers get involved in that evaluation, they'll choose sneak. >>So I'm curious a little bit about as, as the head of product marketing, I'm thinking customer advisory boards, things like that. What's the collaboration like between sneak and the developers to really tune and push the technology forward. I imagine it's quite collaborative, >>Quite collaborative and it's across a lot of, of spectrum. So we do have a customer advisory board and that's generally leaders, right? That's either security leaders or development leaders or operations leaders who are in that advisory board. And they're giving us input on things they need for program-wide governance or program wide adoption. We also have a developer community where we're talking directly to developers and that's where we get a lot of, Hey, here's how I could use this better as a developer. And that guides where we focus features that help developers work better, whether it's integrations with our IDs or whether it's the way we present information, help them prioritize. And then the third part is we have a lot of people using the tool because it has a free model, right? We're as a developer tool, we have a freemium model. There's a level of sneak that developers can use that they don't need to pay for. That's not a temporary trial, it's forever. If you want to use it at that level and we can observe what they're doing. So that observability gives us another insight into where folks get challenged run into, to struggles. And then we can look to address those in our roadmap as well. So, so all of that together really helps us drive the product forward. >>What is the perspective from the analyst view? You talked a little bit about the perspective from the customer. We'll get into a customer story in a bit, but I'd love to know what are the gardeners saying? >>Well, Gardner especially put us, we debuted in their magic quadrant for application security last year. And we did David as a visionary and sort of the highest part of the visionary quadrant you could get in before you crossed over into leader, which is kind of unheard of for a first time into the, into the quadrant. And the main reason for that is that they have built the way those, those magic quadrants are built is they have key capabilities and then they score companies against key capabilities and they weight those capabilities, you know, by order of importance. And Gardner has started to put some of this notion of developer security and cross cloud native application security into those key capabilities. And those tend to align really well with what sneakers. So they have a, for example, a software composition, which is sort of open source security analysis, where first, w w w where the top ranking in that, where the top ranking and container security, where the top ranking and developer enablement. So that's pulling us, they are so-so Gardner and the analyst community is seeing this same demand coming from their customers. And that's really aligning to where our vision is. >>And in terms of kind of propelling that vision forward, the voice of the customer, the voice of the analyst, aligning with what you guys are doing to kind of lead the vision going forward. I want to get into some of the intelligence before we kind of break into a customer example. Talk to me a little bit about snakes security intelligence, what the key capabilities are, and some customers that are leveraging it. Sure. >>The biggest thing is with all the developer tool wrapping that needs to be in this product than it is a developer tool. It's got a developers heart, but it has to have a security brain because it still is a security tool. There are some developer tools. We try to have little check the box capabilities of security and they'll crowdsource for vulnerabilities potentially. But if you're doing this, you need to make sure that all the vulnerabilities that could be found are in the database to be able to be found that the database is comprehensive, that it's timely. They get in very quickly that it's accurate. You don't waste time on false positives because that will turn developers off faster than anything. And that it's actionable. So when it does find something, it helps you go forward with it. And that's where sneaks really focused on. So we collect data from multiple public sources. >>We also have a fairly large proprietary research team that curates that information determines what needs to go in. Sometimes we'll adjust priorities. And we also get a lot of contributions from other sources like community contributions. Again, that big free user base of ours is giving us input academia. Open source groups are also in their social media trends. So if we see something trending on Twitter, then that'll not only get it into the database, but it'll drive prioritization. And that's a big part of what's in sneak Intel, which is the name we use for our vulnerability database. We also have a machine learning algorithm. That's constantly looking at all the code in public, in public applications and repositories. And we use that to train for our own proprietary code testing tool, but it also just gets a lot of it finds things there as well. So it brings a really good source of information that helps people make sure you're finding the vulnerabilities, you're prioritizing them correctly and fixing them. And so Amazon's one who is the, you know, one of the folks that using that tool where one of the primary sources of, of Amazon inspector for open source vulnerabilities, as well as a bunch of other security companies like rapid seven tenable and, and others. >>One of the things I was reading from, I'm always kind of looking at the differentiators and I'm sure you are as the head of product marketing and partner marketing, but it sounds like the database can, is, is a key differentiator finding vulnerabilities up to what is it? 46 days faster than competitors. >>Yeah. I mean, faster than especially public sources, which are the easier ones to, to know how you're doing against, but that's a big part of us. So when I talked about those categories, that's really what we measure ourselves against. How are we doing in terms of comprehensive? Do we have the vulnerabilities that we should have? So we have over four times the number of vulnerabilities as the next largest publicly available database, we find them faster, so timely. So that's at 46 days getting it in faster or faster than other public sources, they get into our solution and then accuracy. Again, we, it's not a stat we can test because you can't test it just from the database. You have to run the tools of our, of others in this space. And we don't have those, but making sure that you're not hitting a lot of false positives is a big part of it as well. >>Got it. Okay. And we only have a couple minutes left, but there's two more areas that I want to dig into with you just crack crack. The surface one is log four, shallow was reading. Snake says this. We were the perfect solution at the perfect time. Unpack that for me in the next minute or so. >>Yeah. And that's a bit, and it kind of wraps back to what we were talking about earlier. Everybody's using open source. If you're in the Java world, a lot of folks had logged for shell and we're using lock for shell for logging as a part of their, as a part of their applications. And so a lot of our customers, I think it was over 30%, 36% of our paying customers had the vulnerability. And you would only have the vulnerability of your Java. So it's a very large percentage of our Java using my customers had the vulnerability, but because they were using sneak, they were able, once we put it in the database, which we did the day, it was disclosed, they were able to find it and fix it very quickly. So 91% of our customers fixed that vulnerability in just two days, 98%, because this was a rolling thunder event, right. There was a vulnerability. And then there was a second vulnerability in the, in the fix. And then there was a vulnerability, even in the fix of that. So the second vulnerability that came out because everybody had been ready for it from the first time 98% picks within two days. Whereas the median number of days to generally fix a vulnerability is over two months. So really fast addressing the solution. >>So those are really impressive. And speaking of stats, I wanted to get into just really quickly a case study that really shows that lasting is one of your customer. One of your many customers, big developer community there about 3,500 developers. Give me some kind of the high level of business outcomes that at Lasagne is, is, is achieving thanks to sneaky. >>Yeah. I mean the biggest one is that almost 99% of their applications are deployed in containers. So being able to have the containers tested for vulnerabilities as they're being deployed before they're being deployed is huge for them to reduce the risk of a vulnerability. They, they had a 65% reduction in high severity container volumes a few months after using sneak across all those developers, which really reduces your, your risk profile of your, of your cloud native applications. They're obviously a big AWS user as well. So, so for them, that was the big thing. And again, it goes to that scale, right? They've got 3 3500 developers, more than 3,500 developers. If you try to go through the security team and have the security team fixing all those things, you'll just never catch up. >>Got it. Last question. Where can I get this available through the AWS market prays marketplace? You mentioned the freemium model, give folks kind of a direction on where to go. >>Yeah. So I would say if you are a, if you're someone in the security team, if you're a buyer, the AWS marketplace is a great place to go because you can probably leverage your existing spend commits with AWS. It's easy to purchase, easy billing, et cetera. If you're a developer, then there is this free version where you might go and just start using it and get comfort for it. And if you are a buyer, talk to your developers because there's a pretty good chance. Someone in your company, that's a developer is already using. Sneak will be comfortable with it. These solutions are only successful. If the developers actually use it, you can't shift left unless the developers pick it up and use it. So using the one that developers are already using is probably a good idea. >>Awesome. Robbie, this has been a great conversation, so much momentum at snake. You're the third sneaker I'd gotten to speak to you in the last month and I have, it's pretty exciting, but thanks for walking us through the technology, the capabilities, the differentiators, the voice of the customer, the voice of the analyst, we appreciate your insights and your time. And we look forward to next time we talk to you. >>Terrific. Lisa, I look forward to it as well, but there's a lot more Smith sneakers to go through before you get back to me again. I guess >>I look forward to adding to my repertoire of sneaker interviews, Ravi. Thanks so much. Thank you for Ravi Myra. I'm Lisa Martin. You're watching this cube interview as part of the AWS startup showcase. Stick around more great content coming up next.

>>Welcome everyone to the cubes presentation of the AWS startup showcase open cloud innovations. This is season two episode one of the ongoing series and we're covering exciting and innovative startups from the AWS ecosystem. Today. We're going to focus on the open source community. I'm your host, Dave Vellante. And right now we're going to talk about open source security and mitigating risk in light of a recent discovery of a zero day flaw in log for J a Java logging utility and a related white house executive order that points to the FTC pursuing companies that don't properly secure consumer data as a result of this vulnerability and with me to discuss this critical issue and how to more broadly address software supply chain risk is Don Fisher. Who's the CEO of tide lift. Thank you for coming on the program, Donald. >>Thanks for having me excited to be here. Yeah, pleasure. >>So look, there's a lot of buzz. You open the news, you go to your favorite news site and you see this, you know, a log for J this is an, a project otherwise known as logged for shell. It's this logging tool. My understanding is it's, it's both ubiquitous and very easy to exploit. Maybe you could explain that in a little bit more detail. And how do you think this vulnerability is going to affect things this year? >>Yeah, happy to, happy to dig in a little bit in orient around this. So, you know, just a little definitions to start with. So log for J is a very widely used course component that's been around for quite a while. It's actually an amazing piece of technology log for J is used in practically every serious enterprise Java application over the last 10 going on 20 years. So it's, you know, log for J itself is fantastic. The challenge that organization organizations have been facing relate to a specific security vulnerability that was discovered in log for J and that has been given this sort of brand's name as it happens these days. Folks may remember Heartbleed around the openness to sell vulnerability some years back. This one has been dubbed logged for shell. And the reason why it was given that name is that this is a form of security vulnerability that actually allows attackers. >>You know, if a system is found that hasn't been patched to remediate it, it allows hackers to get full control of a, of a system of a server that has the software running on it, or includes this log for J component. And that means that they can do anything. They can access, you know, private customer data on that system, or really do anything and so-called shell level access. So, you know, that's the sort of definitions of what it is, but the reason why it's important is in the, in the small, you know, this is a open door, right? It's a, if, if organizations haven't patched this, they need to respond to it. But one of the things that's kind of, you know, I think important to recognize here is that this log for J is just one of literally thousands of independently created open source components that flow into the applications that almost every organization built and all of them all software is going to have security vulnerabilities. And so I think that log for J is, has been a catalyst for organizations to say, okay, we've got to solve this specific problem, but we all also have to think ahead about how is this all gonna work. If our software supply chain originates with independent creators across thousands of projects across the internet, how are we going to put a better plan in place to think ahead to the next log for J log for shell style incident? And for sure there will be more >>Okay. So you see this incident as a catalyst to maybe more broadly thinking about how to secure the, the digital supply chain. >>Absolutely. Yeah, it's a, this is proving a point that, you know, a variety of folks have been making for a number of years. Hey, we depend, I mean, honestly these days more than 70% of most applications, most custom applications are comprised of this third party open source code. Project's very similar in origin and governance to log for J that's just reality. It's actually great. That's an amazing thing that the humans collaborating on the internet have caused to be possible that we have this rich comments of open source software to build with, but we also have to be practical about it and say, Hey, how are we going to work together to make sure that that software as much as possible is vetted to ensure that it meets commercial standards, enterprise standards ahead of time. And then when the inevitable issues arise like this incident around the log for J library, that we have a great plan in place to respond to it and to, you know, close the close the door on vulnerabilities when they, when they show up. >>I mean, you know, when you listen to the high level narrative, it's easy to point fingers at organizations, Hey, you're not doing enough now. Of course the U S government has definitely made attempts to emphasize this and, and shore up in, in, in, in, in push people to shore up the software supply chain, they've released an executive order last may, but, but specifically, I mean, it's just a complicated situation. So what steps should organizations really take to make sure that they don't fall prey to these future supply chain attacks, which, you know, are, as you pointed out are inevitable. >>Yeah. I mean, it's, it's a great point that you make that the us federal government has taken proactive steps starting last year, 2021 in the fallout of the solar winds breach, you know, about 12 months ago from the time that we're talking, talking here, the U S government actually was a bit ahead of the game, both in flagging the severity of this, you know, area of concern and also directing organizations on how to respond to it. So the, in May, 2021, the white house issued an executive order on cybersecurity and it S directed federal agencies to undertake a whole bunch of new measures to ensure the security of different aspects of their technology and software supply chain specifically called out open source software as an area where they put, you know, hard requirements around federal agencies when they're acquiring technology. And one of the things that the federal government that the white house cybersecurity executive order directed was that organizations need to start with creating a list of the third-party open source. >>That's flowing into their applications, just that even have a table of contents or an index to start working with. And that's, that's called a, a software bill of materials or S bomb is how some people pronounce that acronym. So th the federal government basically requires federal agencies to now create Nessbaum for their applications to demand a software bill of materials from vendors that are doing business with the government and the strategy there has been to expressly use the purchasing power of the us government to level up industry as a whole, and create the necessary incentives for organizations to, to take this seriously. >>You know, I, I feel like the solar winds hack that you mentioned, of course it was widely affected the government. So we kind of woke them up, but I feel like it was almost like a stuck set Stuxnet moment. Donald were very sophisticated. I mean, for the first time patches that were supposed to be helping us protect, now we have to be careful with them. And you mentioned the, the bill of its software, bill of materials. We have to really inspect that. And so let's get to what you guys do. How do you help organizations deal with this problem and secure their open source software supply chain? >>Yeah, absolutely happy to tell you about, about tide lift and, and how we're looking to help. So, you know, the company, I co-founded the company with a couple of colleagues, all of whom are long-term open source folks. You know, I've been working in around commercializing open source for the last 20 years that companies like red hat and, and a number of others as have my co-founders the opportunity that we saw is that, you know, while there have been vendors for some of the traditional systems level, open source components and stacks like Linux, you know, of course there's red hat and other vendors for Linux, or for Kubernetes, or for some of the databases, you know, there's standalone companies for these logs, for shell style projects, there just hasn't been a vendor for them. And part of it is there's a challenge to cover a really vast territory, a typical enterprise that we inspect has, you know, upwards of 10,000 log for shell log for J like components flowing into their application. >>So how do they get a hand around their hands around that challenge of managing that and ensuring it needs, you know, reasonable commercial standards. That's what tide lifts sets out to do. And we do it through a combination of two elements, both of which are fairly unique in the market. The first of those is a purpose-built software solution that we've created that keeps track of the third-party open source, flowing into your applications, inserts itself into your DevSecOps tool chain, your developer tooling, your application development process. And you can kind of think of it as next to the point in your release process, where you run your unit test to ensure the business logic in the code that your team is writing is accurate and sort of passes tests. We do a inspection to look at the state of the third-party open source packages like Apache log for J that are flowing into your, into your application. >>So there's a software element to it. That's a multi-tenant SAS service. We're excited to be partnered with, with AWS. And one of the reasons why we're here in this venue, talking about how we are making that available jointly with AWS to, to drink customers deploying on AWS platforms. Now, the other piece of the, of our solution is really, really unique. And that's the set of relationships that Tyler has built directly with these independent open source maintainers, the folks behind these open source packages that organizations rely on. And, you know, this is where we sort of have this idea. Somebody is making that software in the first place, right? And so would those folks be interested? Could we create a set of aligned incentives to encourage them, to make sure that that software meets a bunch of enterprise standards and areas around security, like, you know, relating to the log for J vulnerability, but also other complicated parts of open source consumption like licensing and open source license, accuracy, and compatibility, and also maintenance. >>Like if somebody looking after the software going forward. So just trying to basically invite open source creators, to partner with us, to level up their packages through those relationships, we get really, really clean, clear first party data from the folks who create, maintain the software. And we can flow that through the tools that I described so that end organizations can know that they're building with open source components that have been vetted to meet these standards, by the way, there's a really cool side effect of this business model, which is that we pay these open source maintainers to do this work with us. And so now we're creating a new income stream around what previously had been primarily a volunteer activity done for impact in this universe of open source software. We're helping these open source maintainers kind of GoPro on an aspect of what they do around open source. And that means they can spend more time applying more process and tools and methodology to making that open source software even better. And that's good for our customers. And it's good for everyone who relies on open source software, which is really everyone in society these days. That's interesting. I >>Was going to ask you what's their incentive other than doing the right thing. Can you give us an example of, of maybe a example of an open source maintainer that you're working with? >>Yeah. I mean, w we're working with hundreds of open source maintainers and a few of the key open source foundations in different areas across JavaScript, Java PHP, Ruby python.net, and, you know, like examples of categories of projects that we're working with, just to be clear, are things like, you know, web frameworks or parser libraries or logging libraries, like a, you know, log for J and all the other languages, right? Or, you know, time and date manipulation libraries. I mean, they, these are sort of the, you know, kind of core building blocks of applications and individually, they, you know, they may seem like, you know, maybe a minor, a minor thing, but when you multiply them across how many applications these get used in and log for J is a really, really clarifying case for folks to understand this, you know, what can seemingly a small part of your overall application estate can have disproportionate impact on, on your operations? As we saw with many organizations that spent, you know, a weekend or a week, or a large part of the holidays, scrambling to patch and remediate this, a single vulnerability in one of those thousands of packages in that case log. >>Okay, got it. So you have this two, two headed, two vectors that I'm going to call it, your ecosystem, your relationship with these open source maintainers is kind of a, that just didn't happen overnight, and it develop those relationships. And now you get first party data. You monetize that with a software service that is purpose built as the monitor of the probe that actually tracks that third, third party activity. So >>Exactly right. Got it. >>Okay. So a lot of companies, Donald, I mean, this is, like I said before, it's a complicated situation. You know, a lot of people don't have the skillsets to deal with this. And so many companies just kind of stick their head in the sand and, you know, hope for the best, but that's not a great strategy. What are the implications for organizations if they don't really put the tools and processes into place to manage their open source, digital supply chain. >>Yeah. Ignoring the problem is not a viable strategy anymore, you know, and it's just become increasingly clear as these big headline incidents that happened like Heartbleed and solar winds. And now this logged for shell vulnerability. So you can, you can bet on that. Continuing into the future and organizations I think are, are realizing the ones that haven't gotten ahead of this problem are realizing this is a critical issue that they need to address, but they have help, right. You know, the federal government, another action beyond that cybersecurity executive order that was directed at federal agencies early last year, just in the last week or so, the FTC of the U S federal trade commission has made a much more direct warning to private companies and industry saying that, you know, issues like this log for J vulnerability risk exposing private, you know, consumer data. That is one of the express mandates of the FTC is to avoid that the FTC has said that this is, you know, bears on both the federal trade commission act, as well as the Gramm-Leach-Bliley act, which relates to consumer data privacy. >>And the FTC just came right out and said it, they said they cited the $700 million settlements that Equifax was subject to for their data breach that also related to open source component, by the way, that that had not been patched by, by Equifax. And they said the FTC intents to use its full legal authority to pursue companies that failed to take reasonable steps, to protect consumer data from exposure as a result of log for J or similar known vulnerabilities in the future. So the FTC is saying, you know, this is a critical issue for consumer privacy and consumer data. We are going to enforce against companies that do not take reasonable precautions. What are reasonable precautions? I think it's kind of a mosaic of solutions, but I'm glad to say tide lift is contributing a really different and novel solution to the mix that we hope will help organizations contend with this and avoid that kind of enforcement action from FTC or other regulators. >>Well, and the good news is that you can tap a tooling like tide lift in the cloud as a service and you know, much easier today than it was 10 or 15 years ago to, to resolve, or at least begin to demonstrate that you're taking action against this problem. >>Absolutely. There's new challenges. Now I'm moving into a world where we build on a foundation of independently created open source. We need new solutions and new ideas, and that's a, you know, that's part of what we're, we're, we're showing up with from the tide lift angle, but there's many other elements that are going to be necessary to provide the full solution around securing the open source supply chain going forward. >>Well, Donald Fisher of tide lift, thanks so much for coming to the cube and best of luck to your organization. Thanks for the good work that you guys do. >>Thanks, Dave. Really appreciate your partnership on this, getting the word out and yeah, thanks so much for today. >>Very welcome. And you are watching the AWS startup showcase open cloud innovations. Keep it right there for more action on the cube, your leader in enterprise tech coverage.

(soft techno music) >> Good evening. Welcome back to the Kube. Live in Los Angeles. We are at KubeCon Cloud Native Con 2021. Lisa Martin with Dave Nicholson, rounding out our day. We're going to introduce you to a new company, a new company that's new to us. I should say, log DNA. Peter Choi joins us the VP of product. Peter, welcome to the program. >> Thanks for having me. >> (Lisa) Talk to us about log DNA. Who are you guys? What do you do? >> So, you know, log DNA is a log medicine platform. Traditionally, we've been focused on, you know, offering log analysis, log management capabilities to dev ops teams. So your classic kind of troubleshooting, debugging, getting into your systems. More recently, maybe in like the last year or so we've been focused on a lot of control functionality around log medicine. So what I mean by that is a lot of people typically think of kind of the analysis or the dashboards, but with the pandemic, we noticed that you see this kind of surge of data because all of the services are being used, but you also see a downward pressure on cost, right? Because all of a sudden you don't want to be spending two X on those digital experiences. So we've been focused really on kind of tamping down kind of controls on the volume of log data coming in and making sure that they have a higher kind of signal and noise ratio. And then, you know, I'll talk about it a little bit, but we've really been honing in on how can we take those capabilities and kind of form them more in a pipeline. So log management, dev ops, you know, focusing on log data, but moving forward really focused on that flow of data. >> (Dave) So, when you talk about the flow of data and logs that are being read, make this a little more real, bring it up, bring it up just to level in terms of data, from what? >> Yeah. >> What kind of logs? What things are generating logs? What's the relevant information that's being. Kept track of? >> Yeah, I mean, so from our perspective, we're actually agnostic to data source. So we have an assist log integration. We have kind of basic API's. We have, you know, agents for any sort of operating system. Funny enough people actually use those agents to install, log DNA on robots, right? And so we have a customer they're, you know, one of the largest E-commerce platforms on, in the, in the world and they have a warehouse robots division and they installed the agent on every single one of those robots. They're, you know, they're running like arm 64 processors and they will send the log data directly to us. Right? So to us, it's no different. A robot is no different from a server is no different from an application is no different from a router. We take in all that data. Traditionally though, to answer your question, I guess, in the simplest way, mostly applications, servers, firewalls, all the traditional stuff you'd expect kind of going into a log platform. >> So you mentioned a big name customer. I've got a guess as to who that is. I won't, I won't say, but talk to us about the observability pipeline. What is that? What are the benefits in it for customers? >> (Peter) Sure. So, like if we zoom out again, you know, you think about logs traditionally. I think a lot of folks say, okay, we'll ingest the logs. We'll analyze them. What we noticed is that there's a lot of value in the step before that. So I think in the earlier days it was really novel to say, Hey, we're going to get logs and we're going to put it into a system. We're going to analyze it. We're going to centralize. Right. And that had its merits. But I think over time it got a little chaotic. And so you saw a lot of the vendors over the last three years consolidating and doing more of a single pane of glass, all the pillars of observability and whatnot. But then the downside of that is you're seeing a lot of the teams that are using that then saying being constrained by single vendor for all the ways that you can access that data. So we decided that the control point being on the analysis side on, on the very far right side was constricting. So we said, okay, let's move the control point up into a pipeline where the logs are coming to a single point of ingress. And then what we'll do is we will offer views, but also allow you to stream into other systems. So we'll allow you to stream into like a SIM or a data warehouse or something, something like that. Right? So, and you know, we're still trying to like nail down the messaging. I'm sure our marketing person's going to roast me after this. But the simplest way to think of observability pipeline is it's the step before the analysis part, that kind of ingest processes and routes the data. >> (Dave) Yeah. This is the Kube, by the way, neither one of us is a weather reporter. (laughing) So, so the technical stuff is good with us. >> Yes. It is. What are, and talk to us about some of the key features and capabilities and maybe anything that's newly announced are going to be announced. >> Yeah. For sure. So what we recently announced early access on is our streaming capabilities. So it's something that we built in conjunction with IBM and with a couple of, you know, large major institutions that we were working with on the IBM cloud. And basically we realized as we were ingesting a log data, some of those consumers wanted to access subsets of that data and other systems such as Q radar or, you know, a security product. So we ended up taking, we filtered down a subset of that data and we stream it out into those systems. And so we're taking those capabilities and then bringing it into our direct product, you know, whatever you access via logging.com. That is what's essentially going to be the seed for the kind of observability pipeline moving forward. So when you start thinking about it, all of this stuff that I mentioned, where we say, we're focusing on control, like allowing you to exclude logs, allowing you to transform logs, you take those processing capabilities, you take the streaming capabilities, you put them together and all of a sudden that's the pipeline, right? So that's the biggest focus for us now. And then we also have supporting features such as, you know, control API's. We have index rate alerting so that you can get notified if you see aberrations in the amount of flow of data. We have things like variable retention. So when a certain subset of logs come in, if you want it store it for seven days or 30 days, you can go ahead and do that because we know that a large block of logs is going to have many different use cases and many different associated values, right? >> So let's pretend for a moment that a user, somebody who has spent their money on log DNA is putting together a Yelp review and they've given you five stars. >> Yup. >> What do they say about log DNA? Why did they give you that five star rating? >> Yeah. Absolutely. I think, you know, the most common one and it's funny it's Yelp because we actually religiously mine, our G2 crowd reviews. (all laughing) And so the thing that we hear most often is, it's ease of use, right? A lot of these tools. I mean, I'm sure, you know, you're talking to founders and product leaders every day with developers. Like the, the bar, the baseline is so low, you know, a lot of, a lot of organizations where like, we'll give them the, you know, their coders, they'll figure it out. We'll just give them docs and they'll figure it out. But we, we went a little bit extra in terms of like, how can we smooth that experience so that when you go to your computer and you type in QTPL, blah, blah, blah, two lines, and all of a sudden all your logs are shipping from your cluster to log DNA. So that's the constant theme for us in all of our views is, Hey, I showed up, I signed up and within 30 minutes I had everything going that I needed to get. >> (Lisa) So fast time to value. >> Yes. >> Which is critical these days. >> Absolutely. >> Talk to me. So here we are at, at KubeCon, the CNCF community is huge. I think I, the number I saw yesterday was 138,000 contributors. Lots of activity, because we're in person, which is great. We can have those hallway networking conversations that we haven't been able to have in a year and a half. What are some of the things that you guys have heard at the booth in terms of being able to engage with the community again? >> You know, the thing that we've heard most often is just like having a finger on the pulse. It's so hard to do that because you know, when we're all at our computers, we just go from zoom to zoom. And so it, it like, unless it punches you in the face, you're not aware of it. Right. But when you come here, you look around, you go, you can start to identify trends, you hear the conversations in the hallway, you see the sessions. It's just that, that sense of, it's almost like a Phantom limb that, that sense of community and being kind of connected. I think that's the thing that we've heard most often that people are excited. And, you know, I think a lot of us are just kind of treating this like a dry run. Like we're kind of easing our way back in. And so it, you know, it felt good to be back. >> Well, they've done a great job here, right? I mean, you have to show your proof of vaccination. They're doing temperature checks, or you can show your clear health pass. So they're making it. We were talking to the executive director of CNCF earlier today and you're making it, it's not rocket science. We have enough data to know that this can be done carefully and safely. >> (David) Don't forget the wristbands. >> That's right. And, and did you see the wristbands? >> (Peter) Oh yeah. >> Yeah, yeah that's great. >> Yep, it is great. >> I was, I was on the fence by the way. I was like, I was a green or yellow, depending on the person. >> (both) Yeah. >> Yeah. But giving, giving everybody the opportunity to socialize again and to have those, those conversations that you just can't have by zoom, because you have somebody you've seen someone and it jogs your memory and also the control of do I want to shake someone's hand or do I not. They've done a great job. And I think hopefully this is a good test in the water for others, other organizations to learn. This can be done safely because of the community. You can't replicate that on video. >> (Peter) Absolutely. And I'll tell you this one for us, this is our, this is our event. This is the event for us every single year. We, we it's the only event we care about at the end of the day. So. >> What are some of the things that you've seen in the last year, in terms of where, we were talking a lot about the, the adoption of Kubernetes, kind of, where is it in its maturation state, but we've seen so much acceleration and digital transformation in the last 18 months for every industry businesses rapidly pivoting multiple times to try to, to survive one and then figure out a new way to thrive in this, this new I'll call it the new. Now I'll borrow that from a friend at Citrix, the new now, not the new normal, the new now, what are some of the things that you've seen in the last year and a half from, from your customer base in terms of what have they been coming to you saying help? >> (Peter) You know, I think going back to the earlier point about time to value, that's the thing that a lot. So a lot of our customers are, you know, very big Kubernetes, you know, they're, they're big consumers of Kubernetes. I would say, you know, for me, when I do the, we do our, our QBRs with our top customers, I would say 80% of them are huge Kubernetes shops. Right. And the biggest bottleneck for them actually is onboarding new engineers because a lot of the, and you know, we have a customer, we have better mortgage. We have, IBM, we have Rappi is a customer of ours. They're like Latin American version of Instacart. They double their engineering base and you, you know, like 18 in 18 months. And so that's, you know, I think it was maybe from 1500 to 3000 developers or so, so their thing is like, we need to get people on board as soon as possible. We need to get them in these tools, getting access to, to, to their longs, to whatever they need. And so that's been the biggest thing that we've heard over and over again is A, how can we hire? And then B when we hire them, how do we onboard them as quickly as possible, so that they're ramped up and they're adding value. >> How do you help with that onboarding, making it faster, seamless so that they can get value faster? >> So for us, you know, we really lean in on our, our customer success teams. So they do, you know, they do trainings, they do best practices. Basically. We kind of think of ourselves given how much Kubernetes contradiction we have, we think of ourselves as cross pollinators. So a lot of the times we'll go into those decks and we'll try to learn just as much as we're trying to try to teach. And then we'll go and repeat that process through every single set of our customers. So a lot of the patterns that we'll see are, well, you know, what kinds of tools are you using for orchestration? What kind of tools are you using for deployment? How are you thinking about X, Y, and Z? And then, you know, even our own SRE teams will kind of get into the mix and, you know, provide tips and feedback. >> (Lisa) Customer centricity is key. We've heard that a lot today. We hear that from a lot of companies. It's one thing to hear it. It's another thing to see it. And it sounds like the Yelp review that you would have given, or, or what you're hearing through G2 crowd. I mean, that voice of the customer is valid. That's, that's the only validation. I think that really matters because analysts are paid. >> Yeah. >> But hearing that validation through the voice of the customer consistently lets you know, we're going in the right direction here. >> Absolutely. >> I think it's, it's interesting that ease of use comes up. You wonder if those are only anonymous reviews, you don't necessarily associate open source community with cutting edge, you know, we're the people on the pirate ship. >> (Peter) Yeah. And so when, when, when people start to finally admit, you know, some ease of use would be nice. I think that's an indication of maturity at a certain point. It's saying, okay, not everyone is going to come in and sit behind a keyboard and program things in machine language. Every time we want to do some simple tasks, let's automate, let's get some ease of use into this. >> And I'll tell you in the early days it drove me and our, our CEO talker. It drove us nuts that people would say easiest to be like, that's so shallow. It doesn't mean anything. Well, you know, all of that. However, but to your point, if we don't meet the use case, if we don't have the power behind it, the ease of use is abstracting away. It's like an iceberg, right. It's abstracting away a lot. So we can't even have the ease of use conversation unless we're able to meet the use case. So, so what we've been doing is digging into that more, be like, okay, ease of use, but what were you trying to do? What, what is it that we enabled? Because ease of use, if it's a very shallow set of use cases is not as valid as ease of use for petabytes of data for an organization like IBM. Right? >> That's a great, I'm glad that you dug into that because ease of use is one of those things that you'll see it in marketing materials, but to your point, you want to know what does this actually mean? What are we delivering? >> Right. >> And now, you know what you're delivering with Peter, thank you for sharing with us about logged in and what you guys are doing, how you're helping your community of customers and hearing the voice of the customer through G2 and others. Good work. >> Thank you. And by the way, I'll be remiss if I, if I don't say this, if you're interested in learning more about some of the stuff that we're working on, just go to logging in dot com. We've got, I think we've got a banner for the early access programs that I mentioned earlier. So, you know, at the end of the day, to your point about customer centricity, everything we prioritize is based on our customers, what they need, what they tell us about. And so, you know, whatever engagement that we get from the people at the show and prospects, like that's how we drive a roadmap. >> (Lisa) Yup. That's why we're all here. Log dna.com. Peter, thank you for joining Dave and me today. We appreciate it. >> Thanks for having me. >> Our pleasure for Dave Nicholson. I'm Lisa Martin signing off from Los Angeles today. The Kubes coverage of KubeCon clouding of con 21 continues tomorrow. We'll see then. (soft techno music)

(upbeat music) >> Welcome to theCUBE Conversation. I'm John Furrier, host of theCUBE here in Palo Alto, California, in our studios. We've got a great conversation around open data link analytics on AWS, two great companies, Ahana and Securonix. Dipti Borkar, Co-founder and Chief Product Officer at Ahana's here. Great to see you, and Derrick Harcey, Chief Architect at Securonix. Thanks for coming on, really appreciate you guys spending the time. >> Yeah, thanks so much, John. Thank you for having us and Derrick, hello again. (laughing) >> Hello, Dipti. >> We had a great conversation around our startup showcase, which you guys were featured last month this year, 2021. The conversation continues and a lot of people are interested in this idea of open systems, open source. Obviously open data lakes is really driving a lot of value, especially with machine learning and whatnot. So this is a key, key point. So can you guys just take a step back before we get under the hood and set the table on Securonix and Ahana? What's the big play here? What is the value proposition? >> Why sure, I'll give a quick update. Securonix has been in the security business. First, a user and entity, behavioral analytics, and then the next generation SIEM platform for 10 years now. And we really need to take advantage of some cutting edge technologies in the open source community and drive adoption and momentum that we can not only bring in data from our customers, that they can find security threats, but also store in a way that they can use for other purposes within their organization. That's where the open data lake is very critical. >> Yeah and to add on to that, John, what we've seen, you know, traditionally we've had data warehouses, right? We've had operational systems move all of their data into the warehouse and those, you know, while these systems are really good, built for good use cases, the amount of data is exploding, the types of data is exploding, different types, semi-structured, structured and so when, as companies like Securonix in the security space, as well as other verticals, look for getting more insights out of their data, there's a new approach that's emerging where you have a data lake, which AWS has revolutionized with S3 and commoditized and there's analytics that's built on top of it. And so we're seeing a lot of good advantages that come out of this new approach. >> Well, it's interesting EC2 and S3 are having their 15th birthday, as they say in Amazon's interesting teenage years, but while I got you guys here, I want to just ask you, can you define the SIEM thing because the SIEM market is exploding, it just changed a little bit. Obviously it's data, event management, but again, as data becomes more proliferating, and it's not stopping anytime soon, as cloud native applications emerge, why is this important? What is this SIEM category? What's it about? >> Yeah, thanks. I'll take that. So obviously SIEM traditionally has been around for about a couple of decades and it really started with first log collection and management and rule-based threat detection. Now what we call next generation SIEM is really the modernization of a security platform that includes streaming threat detection and behavioral analysis and data analytics. We literally look for thousands of different threat detection techniques, and we chained together sequences of events and we stream everything in real time and it's very important to find threats as quickly as possible. But the momentum that we see in the industry as we see massive sizes of customers, we have made a transition from on-premise to the cloud and we literally are processing tens of petabytes of data for our customers. And it's critical that we can adjust data quickly, find threats quickly and allow customers to have the tools to respond to those security incidents quickly and really get the handle on their security posture. >> Derrick, if I ask you what's different about this next gen SIEM, what would you say and what's the big a-ha? What's the moment there? What's the key thing? >> The real key is taking the off the boundaries of scale. We want to be able to ingest massive quantities of data. We want to be able to do instant threat detection, and we want to be able to search on the entire forensic data set across all of the history of our customer base. In the past, we had to make sacrifices, either on the amount of data we ingest or the amount of time that we stored that data. And the really the next generation SIEM platform is offering advanced capabilities on top of that data set because those boundaries are no longer barriers for us. >> Dipti, any comment before I jump into the question for you? >> Yeah, you know, absolutely. It is about scale and like I mentioned earlier, the amount of data is only increasing and it's also the types of information. So the systems that were built to process this information in the past are, you know, support maybe terabytes of data, right? And that's where new technologies open source engines like Presto come in, which were built to handle internet scale. Presto was kind of created at Facebook to handle these petabytes that Derrick is talking about that every industry is now seeing where we're are moving from gigs to terabytes to petabytes. And that's where the analytic stack is moving. >> That's a great segue. I want to ask you while I got you here 'cause this is again, the definitions, 'cause people love to hear the experts weigh in. What is open data lake analytics? How would you define that? And then talk about where Presto fits in. >> Yeah, that's a great question. So the way I define open data lake analytics is you have a data lake on the core, which is, let's say S3, it's the most popular one, but on top of it, there are open aspects, it is open format. Open formats play a very important role because you can have different types of processing. It could be SQL processing, it could be machine learning, it could be other types of workloads, all work on these open formats versus a proprietary format where it's locked and it's open interfaces. Open interfaces that are like SQL, JDBC, ODBC is widely accessible to a range of tools. And so it's everywhere. Open source is a very important part of it. As companies like Securonix pick these technologies for their mission critical systems, they want to know that this is going to be available and open for them for a long period of time. And that's why open source becomes important. And then finally, I would say open cloud because at the end of the day, you know, while AWS is where a lot of the innovations happening, a lot of the market is, there are other clouds and open cloud is something that these engines were built for, right? So that's how I define open data lake analytics. It's analytics with query engines built on top of these open formats, open source, open interfaces and open cloud. Now Presto comes in where you want to find the needle in the haystack, right? And so when you have these deep questions about where did the threat come from or who was it, right? You have to ask these questions of your data. And Presto is an open source distributed SQL engine that allows data platform teams to run queries on their data lakes in a high-performance ways, in memory and on these petabytes of data. So that's where Presto fits in. It's one of the defacto query engines for SQL analysis on the data lake. So hopefully that answers the question, gives more context. >> Yeah, I mean, the joke about data lakes has been you don't want to be a data swamp, right? That's what people don't want. >> That's right. >> But at the same time, the needle in the haystack, it's like big data is like a needle in a haystack of needles. So there's a constant struggle to getting that data, the right data at the right time. And what I learned in the last presentation, you guys both presented, your teams presented at the conference was the managed service approach. Could you guys talk about why that approach works well together with you guys? Because I think when people get to the cloud, they replatform, then they start refactoring and data becomes a real big part of that. Why is the managed service the best approach to solving these problems? >> Yeah and interestingly, both Securonix and Ahana have a managed service approach so maybe Derrick can go first and I can go after. >> Yeah, yeah. I'll be happy to go first. You know, we really have found making the transition over the last decade from off premise to the cloud for the majority of our customers that running a large open data lake requires a lot of different skillsets and there's hundreds of technologies in the open source community to choose from and to be able to choose the right blend of skillsets and technologies to produce a comprehensive service is something that customers can do, many customers did do, and it takes a lot of resources and effort. So what we really want to be able to do is take and package up our security service, our next generation SIEM platform to our customers where they don't need to become experts in every aspect of it. Now, an underlying component of that for us is how we store data in an open standards way and how we access that data in an open standards way. So just like we want our customers to get immediate value from the security services that we provide, we also want to be able take advantage of a search service that is offered to us and supported by a vendor like Ahana where we can very quickly take advantage of that value within our core underlying platform. So we really want to be able to make a frictionless effort to allow our customers achieve value as quick as possible. >> That's great stuff. And on the Ahana side, open data lakes, really the ease of use there, it sounds easy to me, but we know it's not easy just to put data in a data lake. At the end of the day, a lot of customers want simplicity 'cause they don't have the staffing. This comes up a lot. How do you leverage their open source participation and/or getting stood up quickly so they can get some value? Because that seems to be the number one thing people want right now. Dipti, how does that work? How do people get value quickly? >> Yeah, absolutely. When you talk about these open source press engines like Presto and others, right? They came out of these large internet companies that have a lot of distributed systems, engineers, PhDs, very kind of advanced level teams. And they can manage these distributed systems building onto them, add features at large scale, but not every company can and these engines are extremely powerful. So when you combine the power of Presto with the cloud and a managed service, that's where value for everyone comes in. And that's what I did with Ahana is looked at Presto, which is a great engine, but converted it into a great user experience so that whether it's a three person platform team or a five person platform team, they still get the same benefit of Presto that a Facebook gets, but at much, much a less operational complexity cost, as well as the ability to depend on a vendor who can then drive the innovation and make it even better. And so that's where managed services really com in. There's thousands of credit parameters that need to be tuned. With Ahana, you get it out of the box. So you have the best practices that are followed at these larger companies. Our team comes from Facebook, HuBERT and others, and you get that out of the box, with a few clicks you can get up and running. And so you see value immediately, in 30 minutes you're up and running and you can create your data lake versus with Hadoop and these prior systems, it would take months to receive real value from some of these systems. >> Yeah, we saw the Hadoop scar tissue is all great and all good now, but it takes too much resource, standing up clusters, managing it, you can't hire enough people. I got to ask you while you're on that topic, do you guys ship templates? How do you solve the problem of out of the box? You mentioned some out of the box capability. Do you guys think of as recipes, templates? What's your thoughts around what you're providing customers to get up and running? >> Yeah so in the case of Securonix, right, let's say they want to create a Presto cluster. They go into our SAS console. You essentially put in the number of nodes that you want. Number of workers you want. There's a lot of additional value that we built in like caching capabilities if you want more performance, built in cataloging that's again, another single click. And there isn't really as much of a template. Everybody gets the best tuned Presto for their workloads. Now there are certain workloads where you might have interactive in some cases, or you might have transformation batch ETL, and what we're doing next is actually giving you the knobs so that it comes pre tuned for the type of workload that you want to run versus you figuring it out. And so that's what I mean by out of the box, where you don't have to worry about these configuration parameters. You get the performance. And maybe Derrick can you talk a little bit about the benefits of the managed service and the usage as well. >> Yeah, absolutely. So, I'll answer the same question and then I'll tie back to what Dipti asked. Really, you know, our customers, we want it to be very easy for them to ingest security event logs. And there's really hundreds of types of a security event logs that we support natively out of the box, but the key for us is a standard that we call the open event format. And that is a normalized schema. We take any data source in it's normalized format, be a collector device a customer uses on-premise, they send the data up to our cloud, we do streaming analysis and data analytics to determine where the threats are. And once we do that, then we send the data off to a long-term storage format in a standards-based Parquet file. And that Parquet file is natively read by the Ahana service. So we simply deploy an Ahana cluster that uses the Presto engine that natively supports our open standard file format. And we have a normalized schema that our application can immediately start to see value from. So we handle the collection and streaming ingest, and we simply leverage the engine in Ahana to give us the appropriate scale. We can size up and down and control the cost to give the users the experience that they're paying for. >> I really love this topic because one, not only is it cutting edge, but it's very relevant for modern applications. You mentioned next gen SIEMs, SIEM, security information event management, not SIM as memory card, which I think of all the time because I always want to add more, but this brings up the idea of streaming data real-time, but as more services go to the cloud, Derrick, if you don't mind sharing more on this. Share the journey that you guys gone through, because I think a lot of people are looking at the cloud and saying, and I've been in a lot of these conversations about repatriation versus cloud. People aren't going that way. They're going more innovation with his net new revenue models emerging from the value that they're getting out of understanding events that are happening within the network and the apps, even when they're being stood up and torn down. So there's a lot of cloud native action going on where just controlling and understanding is way beyond the, just put stuff into an event log. It's a whole nother animal. >> Well, there's a couple of paradigm shifts that we've seen major patterns for in the last five or six years. Like I said, we started with the safe streaming ingest platform on premise. We use some different open source technologies. What we've done when we moved to the cloud is we've adopted cloud native services as part of our underlying platform to modernize and make our service cloud native. But what we're seeing as many customers either want to focus on on-premise deployments and especially financial institutions and government institute things, because they are very risk averse. Now we're seeing even those customers are realizing that it's very difficult to maintain the hundreds or thousands of servers that it requires on premise and have the large skilled staff required to keep it running. So what we're seeing now is a lot of those customers deployed some packaged products like our own, and even our own customers are doing a mass migration to the cloud because everything is handled for them as a service. And we have a team of experts that we maintain to support all of our global customers, rather than every one of our global customers having their own teams that we then support on the back end. So it's a much more efficient model. And then the other major approach that many of our customers also went down the path of is, is building their own security data lake. And many customers were somewhat successful in building their own security data lake but in order to keep up with the innovation, if you look at the analyst groups, the Gartner Magic Quadrant on the SIEM space, the feature set that is provided by a packaged product is a very large feature set. And even if somebody was put together all of the open source technologies to meet 20% of those features, just maintaining that over time is very expensive and very difficult. So we want to provide a service that has all of the best in class features, but also leverages the ability to innovate on the backend without the customer knowing. So we can do a technology shift to Ahana and Presto from our previous technology set. The customer doesn't know the difference, but they see the value add within the service that we're offering. >> So if I get this right, Derrick, Presto's enabling you guys to do threat detection at a level that you're super happy with as well as giving you the option for give self-service. Is that right for the, is that a kind of a- >> Well, let me clarify our definition. So we do streaming threat detection. So we do a machine learning based behavioral analysis and threat detection on rule-based correlation as well. So we do threat detection during the streaming process, but as part of the process of managing cybersecurity, the customer has a team of security analysts that do threat hunting. And the threat hunting is where Ahana comes in. So a human gets involved and starts searches for the forensic logs to determine what happened over time that might be suspicious and they start to investigate through a series of queries to give them the information that's relevant. And once they find information that's relevant, then they package it up into an algorithm that will do a analysis on an ongoing basis as part of the stream processing. So it's really part of the life cycle of hunting a real time threat detection. >> It's kind of like old adage hunters and farmers, you're farming through the streaming and hunting with the detection. I got to ask you, what would it be the alternative if you go back, I mean, I know cloud's so great because you have cutting edge applications and technologies. Without Presto, where would you be? I mean, what would be life like without these capabilities? What would have to happen? >> Well, the issue is not that we had the same feature set before we moved to Presto, but the challenge was on scale. The cost profile to continue to grow from 100 terabytes to one petabyte, to tens of petabytes, not only was it expensive, but it just, the scaling factors were not linear. So not only did we have a problem with the costs, but we also had a problem with the performance tailing off and keeping the service running. A large Hadoop cluster, for example, our first incarnation of this use, the hive service, in order to query data in a MapReduce cluster. So it's a completely different technology that uses a distributed Hadoop compute cluster to do the query. It does work, but then we start to see resource contention with that, and all the other things in the Hadoop platform. The Presto engine has the beauty of it, not only was it designed for scale, but it's feature built just for a query engine and that's the providing the right tool for the job, as opposed to a general purpose tool. >> Derrick, you've got a very busy job as chief architect. What are you excited about going forward when you look at the cloud technologies? What are you looking at? What are you watching? What are you getting excited about or what worries you? >> Well, that's a good question. What we're really doing, I'm leading up a group called the Securonix Innovation Labs, and we're looking at next generation technologies. We go through and analyze both open source technologies, technologies that are proprietary as well as building own technologies. And that's where we came across Ahana as part of a comprehensive analysis of different search engines, because we wanted to go through another round of search engine modernization, and we worked together in a partnership, and we're going to market together as part of our modernization efforts that we're continuously going through. So I'm looking forward to iterative continuous improvement over time. And this next journey, what we're seeing because of the growth in cybersecurity, really requires new and innovative technologies to work together holistically. >> Dipti, you got a great company that you co-founded. I got to ask you as the co-founder and chief product officer, you both the lead entrepreneur also, got the keys to the kingdom with the products. You got to balance that 20 miles stare out in the future while driving product excellence. You've got open source as a tailwind. What's on your mind as you go forward with your venture? >> Yeah. Great question. It's been super exciting to have found the Ahana in this space, cloud data and open source. That's where the action is happening these days, but there's two parts to it. One is making our customers successful and continuously delivering capabilities, features, continuing on our ease of use theme and a foundation to get customers like Securonix and others to get most value out of their data and as fast as possible, right? So that's a continuum. In terms of the longer term innovation, the way I see the space, there is a lot more innovation to be done and Presto itself can be made even better and there's a next gen Presto that we're working on. And given that Presto is a part of the foundation, the Linux Foundation, a lot of this innovation is happening together collaboratively with Facebook, with Uber who are members of the foundation with us. Securonix, we look forward to making a part of that foundation. And that innovation together can then benefit the entire community as well as the customer base. This includes better performance with more capabilities built in, caching and many other different types of database innovations, as well as scaling, auto scaling and keeping up with this ease of use theme that we're building on. So very exciting to work together with all these companies, as well as Securonix who's been a fantastic partner. We work together, build features together, and I look at delivering those features and functionalities to be used by these analysts, data scientists and threat hunters as Derrick called them. >> Great success, great partnership. And I love the open innovation, open co-creation you guys are doing together and open data lakes, great concept, open data analytics as well. This is the future. Insights coming from the open and sharing and actually having some standards. I love this topic, so Dipti, thank you very much, and Derrick, thanks for coming on and sharing on this Cube Conversation. Thanks for coming on. >> Thank you so much, John. >> Thanks for having us. >> Thanks. Take care. Bye-bye. >> Okay, it's theCube Conversation here in Palo Alto, California. I'm John furrier, your host of theCube. Thanks for watching. (upbeat music)

(upbeat music) >> Hello and welcome today's session for the AWS Startup Showcase, the next big thing in AI, Security and Life Sciences featuring Coralogix for the AI track. I'm your host, John Furrier with theCUBE. We're here we're joined by Ariel Assaraf, CEO of Coralogix. Ariel, great to see you calling in from remotely, videoing in from Tel Aviv. Thanks for coming on theCUBE. >> Thank you very much, John. Great to be here. >> So you guys are features a hot next thing, start next big thing startup. And one of the things that you guys do we've been covering for many years is, you're into the log analytics, from a data perspective, you guys decouple the analytics from the storage. This is a unique thing. Tell us about it. What's the story? >> Yeah. So what we've seen in the market is that probably because of the great job that a lot of the earlier generation products have done, more and more companies see the value in log data, what used to be like a couple rows, that you add, whenever you have something very important to say, became a standard to document all communication between different components, infrastructure, network, monitoring, and the application layer, of course. And what happens is that data grows extremely fast, all data grows fast, but log data grows even faster. What we always say is that for sure data grows faster than revenue. So as fast as a company grows, its data is going to outpace that. And so we found ourselves thinking, how can we help companies be able to still get the full coverage they want without cherry picking data or deciding exactly what they want to monitor and what they're taking risk with. But still give them the real time analysis that they need to make sure that they get the full insight suite for the entire data, wherever it comes from. And that's why we decided to decouple the analytics layer from storage. So instead of ingesting the data, then indexing and storing it, and then analyzing the stored data, we analyze everything, and then we only store it matters. So we go from the insights backwards. That allowed us to reduce the amount of data, reduce the digital exhaust that it creates, and also provide better insights. So the idea is that as this world of data scales, the need for real time streaming analytics is going to increase. >> So what's interesting is we've seen this decoupling with storage and compute be a great success formula and cloud scale, for instance, that's a known best practice. You're taking a little bit different. I love how you're coming backwards from it, you're working backwards from the insights, almost doing some intelligence on the front end of the data, probably sees a lot of storage costs. But I want to get specifically back to this real time. How do you do that? And how did you come up with this? What's the vision? How did you guys come up with the idea? What was the magic light bulb that went off for Coralogix? >> Yes, the Coralogix story is very interesting. Actually, it was no light bulb, it was a road of pain for years and years, we started by just you know, doing the same, maybe faster, a couple more features. And it didn't work out too well. The first few years, the company were not very successful. And we've grown tremendously in the past three years, almost 100X, since we've launched this, and it came from a pain. So once we started scaling, we saw that the side effects of accessing the storage for analytics, the latency it creates, the the dependency on schema, the price that it poses on our customers became unbearable. And then we started thinking, so okay, how do we get the same level of insights, because there's this perception in the world of storage. And now it started to happen in analytics, also, that talks about tiers. So you want to get a great experience, you pay a lot, you want to get a less than great experience, you pay less, it's a lower tier. And we decided that we're looking for a way to give the same level of real time analytics and the same level of insights. Only without the issue of dependencies, decoupling all the storage schema issues and latency. And we built our real time pipeline, we call it Streama. Streama is a Coralogix real time analysis platform that analyzes everything in real time, also the stateful thing. So stateless analytics in real time is something that's been done in the past and it always worked well. The issue is, how do you give a stateful insight on data that you analyze in real time without storing and I'll explain how can you tell that a certain issue happened that did not happen in the past three months if you did not store the past three months? Or how can you tell that behavior is abnormal if you did not store what's normal, you did not store to state. So we created what we call the state store that holds the state of the system, the state of data, were a snapshot on that state for the entire history. And then instead of our state being the storage, so you know, you asked me, how is this compared to last week? Instead of me going to the storage and compare last week, I go to the state store, and you know, like a record bag, I just scroll fast, I find out one piece of state. And I say, okay, this is how it looked like last week, compared to this week, it changed in ABC. And once we started doing that we on boarded more and more services to that model. And our customers came in and say, hey, you're doing everything in real time. We don't need more than that. Yeah, like a very small portion of data, we actually need to store and frequently search, how about you guys fit into our use cases, and not just sell on quota? And we decided to basically allow our customers to choose what is the use case that they have, and route the data through different use cases. And then each log records, each log record stops at the relevant stops in our data pipeline based on the use case. So just like you wouldn't walk into the supermarket, you fill in a bag, you go out, they weigh it and they say, you know, it's two kilograms, you pay this amount, because different products have different costs and different meaning to you. That same way, exactly, We analyze the data in real time. So we know the importance of data, and we allow you to route it based on your use case and pay a different amount per use case. >> So this is really interesting. So essentially, you guys, essentially capture insights and store those, you call them states, and then not have to go through the data. So it's like you're eliminating the old problem of, you know, going back to the index and recovering the data to get the insights, did we have that? So anyway, it's a round trip query, if you will, you guys are start saving all that data mining cost and time. >> We call it node zero side effects, that round trip that you that you described is exactly it, no side effects to an analysis that is done in real time. I don't need to get the latency from the storage, a bit of latency from the database that holds the model, a bit of latency from the cache, everything stays in memory, everything stays in stream. >> And so basically, it's like the definition of insanity, doing the same thing over and over again and expecting a different result. Here, that's kind of what that is, the old model of insight is go query the database and get something back, you're actually doing the real time filtering on the front end, capturing the insights, if you will, storing those and replicating that as use case. Is that right? >> Exactly. But then, you know, there's still the issue of customer saying, yeah, but I need that data. Someday, I need to really frequently search, I don't know, you know, the unknown unknowns, or some of the day I need for compliance, and I need an immutable record that stays in my compliance bucket forever. So we allowed customers, we have this some that screen, we call the TCO optimizer, that allows them to define those use cases. And they can always access the data by creating their remote storage from Coralogix, or carrying the hot data that is stored with Coralogix. So it's all about use cases. And it's all about how you consume the data because it doesn't make sense for me to pay the same amount or give the same amount of attention to a record that is completely useless. It's just there for the record or for a compliance audit, that may or may not happen in the future. And, you know, do the same with the most critical exception in my application log that has immediate business impact. >> What's really good too, is you can actually set some policy up if you want a certain use cases, okay, store that data. So it's not to say you don't want to store it, but you might want to store it on certain use cases. So I can see that. So I got to ask the question. So how does this differ from the competition? How do you guys compete? Take us through a use case of a customer? How do you guys go to the customer and you just say, hey, we got so much scar tissue from this, we learned the hard way, take it from us? How does it go? Take us through an example. >> So an interesting example of actually a company that is not the your typical early adopter, let's call it this way. A very advanced in technology and smart company, but a huge one, one of the largest telecommunications company in India. And they were actually cherry picking about 100 gigs of data per day, and sending it to one of the legacy providers which has a great solution that does give value. But they weren't even thinking about sending their entire data set because of cost because of scale, because of, you know, just a clutter. Whenever you search, you have to sift through millions of records that many of them are not that important. And we help them actually ask analyze their data and work with them to understand these guys had over a terabyte of data that had incredible insights, it was like a goldmine of insights. But now you just needed to prioritize it by their use case, and they went from 100 gig with the other legacy solution to a terabyte, at almost the same cost, with more advanced insights within one week, which isn't in that scale of an organization is something that is is out of the ordinary, took them four months to implement the other product. But now, when you go from the insights backwards, you understand your data before you have to store it, you understand the data before you have to analyze it, or before you have to manually sift through it. So if you ask about the difference, it's all about the architecture. We analyze and only then index instead of indexing and then analyzing. It sounds simple. But of course, when you look at this stateful analytics, it's a lot more, a lot more complex. >> Take me through your growth story, because first of all, I'll get back to the secret sauce in the same way. I want to get back to how you guys got here. (indistinct) you had this problem? You kind of broke through, you hit the magic formula, talking about the growth? Where's the growth coming from? And what's the real impact? What's the situation relative to the company's growth? >> Yeah, so we had a first rough three years that I kind of mentioned, and then I was not the CEO at the beginning, I'm one of the co founders. I'm more of the technical guy, was the product manager. And I became CEO after the company was kind of on the verge of closing at the end of 2017. And the CTO left the CEO left, the VP of R&D became the CTO, I became the CEO, we were five people with $200,000 in the bank that you know, you know that that's not a long runway. And we kind of changed attitudes. So we kind of, so we first we launched this product, and then we understood that we need to go bottoms up, you can go to enterprises and try to sell something that is out of the ordinary, or that changes how they're used to working or just, you know, sell something, (indistinct) five people will do under $1,000 in the bank. So we started going from bottoms up, and the earlier adopters. And it's still until today, you know, the the more advanced companies, the more advanced teams. This is our Gartner friend Coralogix, the preferred solution for Advanced, DevOps and Platform Teams. So they started adopting Coralogix, and then it grew to the larger organization, and they were actually pushing, there are champions within their organizations. And ever since. So until the beginning of 2018, we raised about $2 million and had sales or marginal. Today, we have over 1500, pink accounts, and we raised almost $100 million more. >> Wow, what a great pivot. That was great example of kind of getting the right wave here, cloud wave. You said in terms of customers, you had the DevOps kind of (indistinct) initially. And now you said expanded out to a lot more traditional enterprise, you can take me through the customer profile. >> Yeah, so I'd say it's still the core would be cloud native and (indistinct) companies. These are typical ones, we have very tight integration with AWS, all the services, all the integrations required, we know how to read and write back to the different services and analysis platforms in AWS. Also for Asia and GCP, but mostly AWS. And then we do have quite a few big enterprise accounts, actually, five of the largest 50 companies in the world use Coralogix today. And it grew from those DevOps and platform evangelists into the level of IT, execs and even (indistinct). So today, we have our security product that already sells to some of the biggest companies in the world, it's a different profile. And the idea for us is that, you know, once you solve that issue of too much data, too expensive, not proactive enough, too couple with the storage, you can actually expand that from observability logging metrics, now into tracing and then into security and maybe even to other fields, where the cost and the productivity are an issue for many companies. >> So let me ask you this question, then Ariel, if you don't mind. So if a customer has a need for Coralogix, is it because the data fall? Or they just got data kind of sprawled all over the place? Or is it that storage costs are going up on S3 or what's some of the signaling that you would see, that would be like, telling you, okay, okay, what's the opportunity to come in and either clean house or fix the mess or whatnot, Take us through what you see. What do you see is the trend? >> Yeah. So like the tip customer (indistinct) Coralogix will be someone using one of the legacy solution and growing very fast. That's the easiest way for us to know. >> What grows fast? The storage, the storage is growing fast? >> The company is growing fast. >> Okay. And you remember, the data grows faster than revenue. And we know that. So if I see a company that grew from, you know, 50 people to 500, in three years, specifically, if it's cloud native or internet company, I know that their data grew not 10X, but 100X. So I know that that company that might started with a legacy solution at like, you know, $1,000 a month, and they're happy with it. And you know, for $1,000 a month, if you don't have a lot of data, those legacy solutions, you know, they'll do the trick. But now I know that they're going to get asked to pay 50, 60, $70,000 a month. And this is exactly where we kick in. Because now, when it doesn't fit the economic model, when it doesn't fit the unit economics, and he started damaging the margins of those companies. Because remember, those internet and cloud companies, it's not costs are not the classic costs that you'll see in an enterprise, they're actually damaging your unit economics and the valuation of the business, the bigger deal. So now, when I see that type of organization, we come in and say, hey, better coverage, more advanced analytics, easier integration within your organization, we support all the common open source syntaxes, and dashboards, you can plug it into your entire environment, and the costs are going to be a quarter of whatever you're paying today. So once they see that they see, you know, the Dev friendliness of the product, the ease of scale, the stability of the product, it makes a lot more sense for them to engage in a PLC, because at the end of the day, if you don't prove value, you know, you can come with 90% discount, it doesn't do anything, not to prove the value to them. So it's a great door opener. But from then on, you know, it's a PLC like any other. >> Cloud is all about the PLC or pilot, as they say. So take me through the product, today, and what's next for the product, take us through the vision of the product and the product strategy. >> Yeah, so today, the product allows you to send any log data, metric data or security information, analyze it a million ways, we have one of the most extensive alerting mechanism to market, automatic anomaly detection, data flustering. And all the real law, you know, the real time pipeline, things that help companies make their data smarter, and more readable, parsing, enriching, getting external sources to enrich the data, and so on, so forth. Where we're stepping in now is actually to make the final step of decoupling the analytics from storage, what we call the datalist data platform in which no data will sit or reside within the Coralogix cloud, everything will be analyzed in real time, stored in a storage of choice of our customers, then we'll allow our customers to remotely query that incredible performance. So that'll bring our customers away, to have the first ever true SaaS experience for observability. Think about no quota plans, no retention, you send whatever you want, you pay only for what you send, you retain it, how long you want to retain it, and you get all the real time insights much, much faster than any other product that keeps it on a hot storage. So that'll be our next step to really make sure that, you know, we're kind of not reselling cloud storage, because a lot of the times when you are dependent on storage, and you know, we're a cloud company, like I mentioned, you got to keep your unit economics. So what do you do? You sell storage to the customer, you add your markup, and then you you charge for it. And this is exactly where we don't want to be. We want to sell the intelligence and the insights and the real time analysis that we know how to do and let the customers enjoy the, you know, the wealth of opportunities and choices their cloud providers offer for storage. >> That's great vision in a way, the hyper scalars early days showed that decoupling compute from storage, which I mentioned earlier, was a huge category creation. Here, you're doing it for data. We call hyper data scale, or like, maybe there's got to be a name for this. What do you see, about five years from now? Take us through the trajectory of the next five years, because certainly observability is not going away. I mean, it's data management, monitoring, real time, asynchronous, synchronous, linear, all the stuffs happening, what's the what's the five year vision? >> Now add security and observability, which is something we started preaching for, because no one can say I have observability to my environment when people you know, come in and out and steal data. That's no observability. But the thing is that because data grows exponentially, because it grows faster than revenue what we believe is that in five years, there's not going to be a choice, everyone are going to have to analyze the data in real time. Extract the insights and then decide whether to store it on a you know long term archive or not, or not store it at all. You still want to get the full coverage and insights. But you know, when you think about observability, unlike many other things, the more data you have many times, the less observability you get. So you think of log data unlike statistics, if my system was only in recording everything was only generating 10 records a day, I have full, incredible observability I know everything that I've done. what happens is that you pay more, you get less observability, and more uncertainty. So I think that you know, with time, we'll start seeing more and more real time streaming analytics, and a lot less storage based and index based solutions. >> You know, Ariel, I've always been saying to Dave Vellante on theCUBE, many times that there needs to be insights as to be the norm, not the exception, where, and then ultimately, it would be a database of insights. I mean, at the end of the day, the insights become more plentiful. You have the ability to actually store those insights, and refresh them and challenge them and model update them, verify them, either sunset them or add to them or you know, saying that's like, when you start getting more data into your organization, AI and machine learning prove that pattern recognition works. So why not grab those insights? >> And use them as your baseline to know what's important, and not have to start by putting everything in a bucket. >> So we're going to have new categories like insight, first, software (indistinct) >> Go from insights backwards, that'll be my tagline, if I have to, but I'm a terrible marketing (indistinct). >> Yeah, well, I mean, everyone's like cloud, first data, data is data driven, insight driven, what you're basically doing is you're moving into the world of insights driven analytics, really, as a way to kind of bring that forward. So congratulations. Great story. I love the pivot love how you guys entrepreneurially put it all together and had the problem your own problem and brought it out and to the to the rest of the world. And certainly DevOps in the cloud scale wave is just getting bigger and bigger and taking over the enterprise. So great stuff. Real quick while you're here. Give a quick plug for the company. What you guys are up to, stats, vitals, hiring, what's new, give the commercial. >> Yeah, so like mentioned over 1500 being customers growing incredibly in the past 24 months, hiring, almost doubling the company in the next few months. offices in Israel, East Center, West US, and UK and Mumbai. Looking for talented engineers to join the journey and build the next generation of data lists data platforms. >> Ariel Assaraf, CEO of Coralogix. Great to have you on theCUBE and thank you for participating in the AI track for our next big thing in the Startup Showcase. Thanks for coming on. >> Thank you very much John, really enjoyed it. >> Okay, I'm John Furrier with theCUBE. Thank you for watching the AWS Startup Showcase presented by theCUBE. (calm music)

>> From theCUBE studios in Palo Alto, in Boston bringing you data-driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante >> The latest Arm Neoverse announcement further cements our opinion that it's architecture business model and ecosystem execution are defining a new era of computing and leaving Intel in it's dust. We believe the company and its partners have at least a two year lead on Intel and are currently in a far better position to capitalize on a major waves that are driving the technology industry and its innovation. To compete our view is that Intel needs a new strategy. Now, Pat Gelsinger is bringing that but they also need financial support from the US and the EU governments. Pat Gelsinger was just noted as asking or requesting from the EU government $9 billion, sorry, 8 billion euros in financial support. And very importantly, Intel needs a volume for its new Foundry business. And that is where Apple could be a key. Hello, everyone. And welcome to this week's weekly bond Cube insights powered by ETR. In this breaking analysis will explain why Apple could be the key to saving Intel and America's semiconductor industry leadership. We'll also further explore our scenario of the evolution of computing and what will happen to Intel if it can't catch up. Here's a hint it's not pretty. Let's start by looking at some of the key assumptions that we've made that are informing our scenarios. We've pointed out many times that we believe Arm wafer volumes are approaching 10 times those of x86 wafers. This means that manufacturers of Arm chips have a significant cost advantage over Intel. We've covered that extensively, but we repeat it because when we see news reports and analysis and print it's not a factor that anybody's highlighting. And this is probably the most important issue that Intel faces. And it's why we feel that Apple could be Intel's savior. We'll come back to that. We've projected that the chip shortage will last no less than three years, perhaps even longer. As we reported in a recent breaking analysis. Well, Moore's law is waning. The result of Moore's law, I.e the doubling of processor performance every 18 to 24 months is actually accelerating. We've observed and continue to project a quadrupling of performance every two years, breaking historical norms. Arm is attacking the enterprise and the data center. We see hyperscalers as the tip of their entry spear. AWS's graviton chip is the best example. Amazon and other cloud vendors that have engineering and software capabilities are making Arm-based chips capable of running general purpose applications. This is a huge threat to x86. And if Intel doesn't quickly we believe Arm will gain a 50% share of an enterprise semiconductor spend by 2030. We see the definition of Cloud expanding. Cloud is no longer a remote set of services, in the cloud, rather it's expanding to the edge where the edge could be a data center, a data closet, or a true edge device or system. And Arm is by far in our view in the best position to support the new workloads and computing models that are emerging as a result. Finally geopolitical forces are at play here. We believe the U S government will do, or at least should do everything possible to ensure that Intel and the U S chip industry regain its leadership position in the semiconductor business. If they don't the U S and Intel could fade to irrelevance. Let's look at this last point and make some comments on that. Here's a map of the South China sea in a way off in the Pacific we've superimposed a little pie chart. And we asked ourselves if you had a hundred points of strategic value to allocate, how much would you put in the semiconductor manufacturing bucket and how much would go to design? And our conclusion was 50, 50. Now it used to be because of Intel's dominance with x86 and its volume that the United States was number one in both strategic areas. But today that orange slice of the pie is dominated by TSMC. Thanks to Arm volumes. Now we've reported extensively on this and we don't want to dwell on it for too long but on all accounts cost, technology, volume. TSMC is the clear leader here. China's president Xi has a stated goal of unifying Taiwan by China's Centennial in 2049, will this tiny Island nation which dominates a critical part of the strategic semiconductor pie, go the way of Hong Kong and be subsumed into China. Well, military experts say it was very hard for China to take Taiwan by force, without heavy losses and some serious international repercussions. The US's military presence in the Philippines and Okinawa and Guam combined with support from Japan and South Korea would make it even more difficult. And certainly the Taiwanese people you would think would prefer their independence. But Taiwanese leadership, it ebbs and flows between those hardliners who really want to separate and want independence and those that are more sympathetic to China. Could China for example, use cyber warfare to over time control the narrative in Taiwan. Remember if you control the narrative you can control the meme. If you can crawl the meme you control the idea. If you control the idea, you control the belief system. And if you control the belief system you control the population without firing a shot. So is it possible that over the next 25 years China could weaponize propaganda and social media to reach its objectives with Taiwan? Maybe it's a long shot but if you're a senior strategist in the U S government would you want to leave that to chance? We don't think so. Let's park that for now and double click on one of our key findings. And that is the pace of semiconductor performance gains. As we first reported a few weeks ago. Well, Moore's law is moderating the outlook for cheap dense and efficient processing power has never been better. This slideshows two simple log lines. One is the traditional Moore's law curve. That's the one at the bottom. And the other is the current pace of system performance improvement that we're seeing measured in trillions of operations per second. Now, if you calculate the historical annual rate of processor performance improvement that we saw with x86, the math comes out to around 40% improvement per year. Now that rate is slowing. It's now down to around 30% annually. So we're not quite doubling every 24 months anymore with x86 and that's why people say Moore's law is dead. But if you look at the (indistinct) effects of packaging CPU's, GPU's, NPUs accelerators, DSPs and all the alternative processing power you can find in SOC system on chip and eventually system on package it's growing at more than a hundred percent per annum. And this means that the processing power is now quadrupling every 24 months. That's impressive. And the reason we're here is Arm. Arm has redefined the core process of model for a new era of computing. Arm made an announcement last week which really recycle some old content from last September, but it also put forth new proof points on adoption and performance. Arm laid out three components and its announcement. The first was Neoverse version one which is all about extending vector performance. This is critical for high performance computing HPC which at one point you thought that was a niche but it is the AI platform. AI workloads are not a niche. Second Arm announced the Neoverse and two platform based on the recently introduced Arm V9. We talked about that a lot in one of our earlier Breaking Analysis. This is going to performance boost of around 40%. Now the third was, it was called CMN-700 Arm maybe needs to work on some of its names, but Arm said this is the industry's most advanced mesh interconnect. This is the glue for the V1 and the N2 platforms. The importance is it allows for more efficient use and sharing of memory resources across components of the system package. We talked about this extensively in previous episodes the importance of that capability. Now let's share with you this wheel diagram underscores the completeness of the Arm platform. Arms approach is to enable flexibility across an open ecosystem, allowing for value add at many levels. Arm has built the architecture in design and allows an open ecosystem to provide the value added software. Now, very importantly, Arm has created the standards and specifications by which they can with certainty, certify that the Foundry can make the chips to a high quality standard, and importantly that all the applications are going to run properly. In other words, if you design an application, it will work across the ecosystem and maintain backwards compatibility with previous generations, like Intel has done for years but Arm as we'll see next is positioning not only for existing workloads but also the emerging high growth applications. To (indistinct) here's the Arm total available market as we see it, we think the end market spending value of just the chips going into these areas is $600 billion today. And it's going to grow to 1 trillion by 2030. In other words, we're allocating the value of the end market spend in these sectors to the marked up value of the Silicon as a percentage of the total spend. It's enormous. So the big areas are Hyperscale Clouds which we think is around 20% of this TAM and the HPC and AI workloads, which account for about 35% and the Edge will ultimately be the largest of all probably capturing 45%. And these are rough estimates and they'll ebb and flow and there's obviously some overlap but the bottom line is the market is huge and growing very rapidly. And you see that little red highlighted area that's enterprise IT. Traditional IT and that's the x86 market in context. So it's relatively small. What's happening is we're seeing a number of traditional IT vendors, packaging x86 boxes throwing them over the fence and saying, we're going after the Edge. And what they're doing is saying, okay the edge is this aggregation point for all these end point devices. We think the real opportunity at the Edge is for AI inferencing. That, that is where most of the activity and most of the spending is going to be. And we think Arm is going to dominate that market. And this brings up another challenge for Intel. So we've made the point a zillion times that PC volumes peaked in 2011. And we saw that as problematic for Intel for the cost reasons that we've beat into your head. And lo and behold PC volumes, they actually grew last year thanks to COVID and we'll continue to grow it seems for a year or so. Here's some ETR data that underscores that fact. This chart shows the net score. Remember that's spending momentum it's the breakdown for Dell's laptop business. The green means spending is accelerating and the red is decelerating. And the blue line is net score that spending momentum. And the trend is up and to the right now, as we've said this is great news for Dell and HP and Lenovo and Apple for its laptops, all the laptops sellers but it's not necessarily great news for Intel. Why? I mean, it's okay. But what it does is it shifts Intel's product mix toward lower margin, PC chips and it squeezes Intel's gross margins. So the CFO has to explain that margin contraction to wall street. Imagine that the business that got Intel to its monopoly status is growing faster than the high margin server business. And that's pulling margins down. So as we said, Intel is fighting a war on multiple fronts. It's battling AMD in the core x86 business both PCs and servers. It's watching Arm mop up in mobile. It's trying to figure out how to reinvent itself and change its culture to allow more flexibility into its designs. And it's spinning up a Foundry business to compete with TSMC. So it's got to fund all this while at the same time propping up at stock with buybacks Intel last summer announced that it was accelerating it's $10 billion stock buyback program, $10 billion. Buy stock back, or build a Foundry which do you think is more important for the future of Intel and the us semiconductor industry? So Intel, it's got to protect its past while building his future and placating wall street all at the same time. And here's where it gets even more dicey. Intel's got to protect its high-end x86 business. It is the cash cow and funds their operation. Who's Intel's biggest customer Dell, HP, Facebook, Google Amazon? Well, let's just say Amazon is a big customer. Can we agree on that? And we know AWS is biggest revenue generator is EC2. And EC2 was powered by microprocessors made from Intel and others. We found this slide in the Arm Neoverse deck and it caught our attention. The data comes from a data platform called lifter insights. The charts show, the rapid growth of AWS is graviton chips which are they're custom designed chips based on Arm of course. The blue is that graviton and the black vendor A presumably is Intel and the gray is assumed to be AMD. The eye popper is the 2020 pie chart. The instant deployments, nearly 50% are graviton. So if you're Pat Gelsinger, you better be all over AWS. You don't want to lose this customer and you're going to do everything in your power to keep them. But the trend is not your friend in this account. Now the story gets even gnarlier and here's the killer chart. It shows the ISV ecosystem platforms that run on graviton too, because AWS has such good engineering and controls its own stack. It can build Arm-based chips that run software designed to run on general purpose x86 systems. Yes, it's true. The ISV, they got to do some work, but large ISV they have a huge incentives because they want to ride the AWS wave. Certainly the user doesn't know or care but AWS cares because it's driving costs and energy consumption down and performance up. Lower cost, higher performance. Sounds like something Amazon wants to consistently deliver, right? And the ISV portfolio that runs on our base graviton and it's just going to continue to grow. And by the way, it's not just Amazon. It's Alibaba, it's Oracle, it's Marvell. It's 10 cents. The list keeps growing Arm, trotted out a number of names. And I would expect over time it's going to be Facebook and Google and Microsoft. If they're not, are you there? Now the last piece of the Arm architecture story that we want to share is the progress that they're making and compare that to x86. This chart shows how Arm is innovating and let's start with the first line under platform capabilities. Number of cores supported per die or, or system. Now die is what ends up as a chip on a small piece of Silicon. Think of the die as circuit diagram of the chip if you will, and these circuits they're fabricated on wafers using photo lithography. The wafers then cut up into many pieces each one, having a chip. Each of these pieces is the chip. And two chips make up a system. The key here is that Arm is quadrupling the number of cores instead of increasing thread counts. It's giving you cores. Cores are better than threads because threads are shared and cores are independent and much easier to virtualize. This is particularly important in situations where you want to be as efficient as possible sharing massive resources like the Cloud. Now, as you can see in the right hand side of the chart under the orange Arm is dramatically increasing the amount of capabilities compared to previous generations. And one of the other highlights to us is that last line that CCIX and CXL support again Arm maybe needs to name these better. These refer to Arms and memory sharing capabilities within and between processors. This allows CPU's GPU's NPS, et cetera to share resources very often efficiently especially compared to the way x86 works where everything is currently controlled by the x86 processor. CCIX and CXL support on the other hand will allow designers to program the system and share memory wherever they want within the system directly and not have to go through the overhead of a central processor, which owns the memory. So for example, if there's a CPU, GPU, NPU the CPU can say to the GPU, give me your results at a specified location and signal me when you're done. So when the GPU is finished calculating and sending the results, the GPU just signals the operation is complete. Versus having to ping the CPU constantly, which is overhead intensive. Now composability in that chart means the system it's a fixed. Rather you can programmatically change the characteristics of the system on the fly. For example, if the NPU is idle you can allocate more resources to other parts of the system. Now, Intel is doing this too in the future but we think Arm is way ahead. At least by two years this is also huge for Nvidia, which today relies on x86. A major problem for Nvidia has been coherent memory management because the utilization of its GPU is appallingly low and it can't be easily optimized. Last week, Nvidia announced it's intent to provide an AI capability for the data center without x86 I.e using Arm-based processors. So Nvidia another big Intel customer is also moving to Arm. And if it's successful acquiring Arm which is still a long shot this trend is only going to accelerate. But the bottom line is if Intel can't move fast enough to stem the momentum of Arm we believe Arm will capture 50% of the enterprise semiconductor spending by 2030. So how does Intel continue to lead? Well, it's not going to be easy. Remember we said, Intel, can't go it alone. And we posited that the company would have to initiate a joint venture structure. We propose a triumvirate of Intel, IBM with its power of 10 and memory aggregation and memory architecture And Samsung with its volume manufacturing expertise on the premise that it coveted in on US soil presence. Now upon further review we're not sure the Samsung is willing to give up and contribute its IP to this venture. It's put a lot of money and a lot of emphasis on infrastructure in South Korea. And furthermore, we're not convinced that Arvind Krishna who we believe ultimately made the call to Jettisons. Jettison IBM's micro electronics business wants to put his efforts back into manufacturing semi-conductors. So we have this conundrum. Intel is fighting AMD, which is already at seven nanometer. Intel has a fall behind in process manufacturing which is strategically important to the United States it's military and the nation's competitiveness. Intel's behind the curve on cost and architecture and is losing key customers in the most important market segments. And it's way behind on volume. The critical piece of the pie that nobody ever talks about. Intel must become more price and performance competitive with x86 and bring in new composable designs that maintain x86 competitive. And give the ability to allow customers and designers to add and customize GPU's, NPUs, accelerators et cetera. All while launching a successful Foundry business. So we think there's another possibility to this thought exercise. Apple is currently reliant on TSMC and is pushing them hard toward five nanometer, in fact sucking up a lot of that volume and TSMC is maybe not servicing some other customers as well as it's servicing Apple because it's a bit destructive, it is distracted and you have this chip shortage. So Apple because of its size gets the lion's share of the attention but Apple needs a trusted onshore supplier. Sure TSMC is adding manufacturing capacity in the US and Arizona. But back to our precarious scenario in the South China sea. Will the U S government and Apple sit back and hope for the best or will they hope for the best and plan for the worst? Let's face it. If China gains control of TSMC, it could block access to the latest and greatest process technology. Apple just announced that it's investing billions of dollars in semiconductor technology across the US. The US government is pressuring big tech. What about an Apple Intel joint venture? Apple brings the volume, it's Cloud, it's Cloud, sorry. It's money it's design leadership, all that to the table. And they could partner with Intel. It gives Intel the Foundry business and a guaranteed volume stream. And maybe the U S government gives Apple a little bit of breathing room and the whole big up big breakup, big tech narrative. And even though it's not necessarily specifically targeting Apple but maybe the US government needs to think twice before it attacks big tech and thinks about the long-term strategic ramifications. Wouldn't that be ironic? Apple dumps Intel in favor of Arm for the M1 and then incubates, and essentially saves Intel with a pipeline of Foundry business. Now back to IBM in this scenario, we've put a question mark on the slide because maybe IBM just gets in the way and why not? A nice clean partnership between Intel and Apple? Who knows? Maybe Gelsinger can even negotiate this without giving up any equity to Apple, but Apple could be a key ingredient to a cocktail of a new strategy under Pat Gelsinger leadership. Gobs of cash from the US and EU governments and volume from Apple. Wow, still a long shot, but one worth pursuing because as we've written, Intel is too strategic to fail. Okay, well, what do you think? You can DM me @dvellante or email me at david.vellante@siliconangle.com or comment on my LinkedIn post. Remember, these episodes are all available as podcasts so please subscribe wherever you listen. I publish weekly on wikibon.com and siliconangle.com. And don't forget to check out etr.plus for all the survey analysis. And I want to thank my colleague, David Floyer for his collaboration on this and other related episodes. This is Dave Vellante for theCUBE insights powered by ETR. Thanks for watching, be well, and we'll see you next time. (upbeat music)

>>From around the globe with digital coverage of AWS reinvent 2020, sponsored by Intel and AWS welcome everyone to the cube live and our coverage of AWS reinvent 2020. I'm your host Rebecca Knight. Today we are joined by Andre due for, he is the general manager of Amazon location service. Thank you so much for coming on the show. Andre. >>Thanks so much, Rebecca. It's a pleasure. >>So Amazon, AWS is announcing a Amazon location service in preview. Tell us a little bit more about what it does. What was the impetus for it? >>Of course. Well, Amazon location service is a new geospatial service that makes it easy for customers on AWS to integrate location information into their applications. And when I say location information, I mean a couple of specific things, mops points of interest places, and geocodes from trusted global high quality data partners. And one of the things that's really cool about Amazon location is we enable customers to access this high-quality data in a way that's incredibly cost effective. It's up to 10 times cheaper than some of the alternatives. And so what that means for customers is they can bring to life use cases that previously would have been inconceivable because they just weren't cost effective. Additionally, Amazon location takes privacy very seriously. And so, you know, customers have told us many times that they're, they're, they're very concerned about their location information, leaving their control. Whereas with Amazon location, we keep customer's location data in their AWS account unless they decide otherwise. And finally, what we've seen with customers who are using Amazon location is they're able to move from experimentation with location ideas, to scale production, much more quickly than they otherwise could have because it's a native AWS service. So we're so excited to be announcing this >>Well, you just mentioned cost privacy scale production, three things that are definitely on customers' minds right now. Tell us a little bit more about these use cases. How are customers using it? >>Yeah, that's a great question. I think it's often easiest to understand the capabilities through the lens of a use case. Now it turns out location in, in more and more customer conversations is pervasive across a bunch of different use cases, but I'll touch on maybe just for today. So one thing that we're seeing customers commonly using location for is location-based customer engagement. And so what that means is including a location component, when you are reaching out to your customers with timely offers. So for example, when they're in close proximity to one of your retail locations, sending them an offer tends to increase their satisfaction and their conversion an additional use case that Springs to mind immediately in many of the conversations is using maps for striking visualizations of data, either showing a route between two points or dropping location pins on a map in order to enhance the visual understanding of subject matter. >>Additionally, customers tend to use Amazon location for asset tracking. They want to know where their things are in the world and be able to reason over that both in real time in order to make decisions or retrospectively in order to optimize or to audit. And additionally, um, customers also use us in end to end delivery use cases, be it last mile delivery for, uh, goods that were ordered online or, uh, food delivery, which of course is, uh, increasingly prevalent these days. And so, yeah, you know, one of the customer examples that I think is especially compelling here because it touches on a couple of these is a company called Singleton solutions and their product is called mobile log. Uh, it's effectively last mile as a service in the cloud. And what it lets customers do is manage the logistics of a delivery business. And so what mobile log and Singleton have been able to do is retire a lot of the custom code that they had built because nothing was really available to meet their location needs. They were able to consolidate their location infrastructure from multiple clouds onto just AWS, which simplifies their solution. They were able to move more quickly as they innovate on behalf of their customers. And they managed to reduce their costs while doing this by up to 60%. So I think it's a pretty cool example of what location can do for customers. >>What are some other industries and apps and applications that would benefit most from this affordable location data? >>Yeah, well, it's, uh, it tends to spend many different industries. So we're seeing a lot of uses as you can imagine in transportation and logistics and, and certainly that's, uh, an industry that's growing very quickly, um, government and public sector attempt to have a need to, uh, visualize a lot of information, uh, on, on maps. Um, we are seeing retail and folks interested in customer engagement. Um, it really is springing up everywhere and often B uh, the conversations kind of have a location component in disguise. For example, we were talking to a telecom service provider who is telling us, well, you know, I can save billions of dollars if I increase the efficiency of my truck rolls. Well, that's the location use case, right? If people are talking about, uh, actually one, one customer, uh, or a person who has used us in beta is post NL, and they're telling us, you know, if they can increase just the, um, loading factor of their trucks by 1%, uh, in, uh, over time, this is big dollar savings for them. And not, that's all about location and about optimizing, uh, the, the routing and dispatch of their vehicles. And so really it's springing up everywhere, but it doesn't always sound like a map or a geocode it's, uh, more of these business level considerations around optimization around moving faster and around serving customers more quickly. >>You mentioned a couple of, of industries and logistics areas where this is being used. What are, which customers are currently using Amazon location service? >>Well, so there are a couple that I, uh, I mentioned, so of course we're only just launching today. We've had a beta program, uh, and we have a couple of references that we can talk about publicly. So Singleton is the very first that we touched on, and this is a company that's operative in the delivery and, uh, dispatch logistics space. And so they they've been using us to, to advantage and, and have realized some pretty significant cost savings. Uh, the other company that's been, uh, experimenting with Amazon location, uh, again in sort of a similar space, but with a different geography is posted on owl. And so they're the number one, uh, e-commerce and delivery, uh, her postal logistics company in the Netherlands. And what, what they're actually using us for is to, uh, do asset tracking on their delivery roller cages in order to, uh, understand where they are in the world and make better decisions as to where they should be in relation to the demand. >>Andre, I want you to close this out here. And as you said, you launched today, you've been in beta, what is in store for 2021 with Amazon location service? What can, what can we expect? What can customers expect? >>Yeah, so we're, we're in preview today and it's an open preview, so people can, can just go to the console and directly use it. You don't need to sign up. And what we have to look forward to in the first part of 2021 is general availability of the service. And you can imagine that we'll be rolling that out over everyone regions, because there's significant demand for this all over the world. And then it's a fairly typical, uh, AWS motion where what we're going to do is listen, because 90% of our roadmap is compelled by customer requests. And so we'll be very attentive to how people are using the service, where they see additional opportunities for us to serve them better. And we will move with vigor on those. >>Great. And for customers who want to find out more, what, what should they do? >>Well, the easiest thing to do is to go to aws.amazon.com/location, and then, uh, check, check us out there and get started with the service today. >>Great, well, Andre do for, thank you so much for coming on the Cuba really interesting conversation. >>Thank you so much. It's been a privilege. >>I'm Rebecca Knight stay tuned for more of the cubes coverage of AWS reinvent 2020.

>>From around the globe with digital coverage of AWS reinvent 2020, sponsored by Intel and AWS welcome everyone to the cube live and our coverage of AWS reinvent 2020. I'm your host Rebecca Knight. Today we are joined by Andre due for, he is the general manager of Amazon location service. Thank you so much for coming on the show. Andre. >>Thanks so much, Rebecca. It's a pleasure. >>So Amazon, AWS is announcing a Amazon location service in preview. Tell us a little bit more about what it does. What was the impetus for it? >>Of course. Well, Amazon location service is a new geospatial service that makes it easy for customers on AWS to integrate location information into their applications. And when I say location information, I mean a couple of specific things, mops points of interest places, and geocodes from trusted global high quality data partners. And one of the things that's really cool about Amazon location is we enable customers to access this high-quality data in a way that's incredibly cost effective. It's up to 10 times cheaper than some of the alternatives. And so what that means for customers is they can bring to life use cases that previously would have been inconceivable because they just weren't cost effective. Additionally, Amazon location takes privacy very seriously. And so, you know, customers have told us many times that they're, they're, they're very concerned about their location information, leaving their control. Whereas with Amazon location, we keep customer's location data in their AWS account unless they decide otherwise. And finally, what we've seen with customers who are using Amazon location is they're able to move from experimentation with location ideas, to scale production, much more quickly than they otherwise could have because it's a native AWS service. So we're so excited to be announcing this >>Well, you just mentioned cost privacy scale production, three things that are definitely on customers' minds right now. Tell us a little bit more about these use cases. How are customers using it? >>Yeah, that's a great question. I think it's often easiest to understand the capabilities through the lens of a use case. Now it turns out location in, in more and more customer conversations is pervasive across a bunch of different use cases, but I'll touch on maybe just for today. So one thing that we're seeing customers commonly using location for is location-based customer engagement. And so what that means is including a location component, when you are reaching out to your customers with timely offers. So for example, when they're in close proximity to one of your retail locations, sending them an offer tends to increase their satisfaction and their conversion an additional use case that Springs to mind immediately in many of the conversations is using maps for striking visualizations of data, either showing a route between two points or dropping location pins on a map in order to enhance the visual understanding of subject matter. >>Additionally, customers tend to use Amazon location for asset tracking. They want to know where their things are in the world and be able to reason over that both in real time in order to make decisions or retrospectively in order to optimize or to audit. And additionally, um, customers also use us in end to end delivery use cases, be it last mile delivery for, uh, goods that were ordered online or, uh, food delivery, which of course is, uh, increasingly prevalent these days. And so, yeah, you know, one of the customer examples that I think is especially compelling here because it touches on a couple of these is a company called Singleton solutions and their product is called mobile log. Uh, it's effectively last mile as a service in the cloud. And what it lets customers do is manage the logistics of a delivery business. And so what mobile log and Singleton have been able to do is retire a lot of the custom code that they had built because nothing was really available to meet their location needs. They were able to consolidate their location infrastructure from multiple clouds onto just AWS, which simplifies their solution. They were able to move more quickly as they innovate on behalf of their customers. And they managed to reduce their costs while doing this by up to 60%. So I think it's a pretty cool example of what location can do for customers. >>What are some other industries and apps and applications that would benefit most from this affordable location data? >>Yeah, well, it's, uh, it tends to spend many different industries. So we're seeing a lot of uses as you can imagine in transportation and logistics and, and certainly that's, uh, an industry that's growing very quickly, um, government and public sector attempt to have a need to, uh, visualize a lot of information, uh, on, on maps. Um, we are seeing retail and folks interested in customer engagement. Um, it really is springing up everywhere and often B uh, the conversations kind of have a location component in disguise. For example, we were talking to a telecom service provider who is telling us, well, you know, I can save billions of dollars if I increase the efficiency of my truck rolls. Well, that's the location use case, right? If people are talking about, uh, actually one, one customer, uh, or a person who has used us in beta is post NL, and they're telling us, you know, if they can increase just the, um, loading factor of their trucks by 1%, uh, in, uh, over time, this is big dollar savings for them. And not, that's all about location and about optimizing, uh, the, the routing and dispatch of their vehicles. And so really it's springing up everywhere, but it doesn't always sound like a map or a geocode it's, uh, more of these business level considerations around optimization around moving faster and around serving customers more quickly. >>You mentioned a couple of, of industries and logistics areas where this is being used. What are, which customers are currently using Amazon location service? >>Well, so there are a couple that I, uh, I mentioned, so of course we're only just launching today. We've had a beta program, uh, and we have a couple of references that we can talk about publicly. So Singleton is the very first that we touched on, and this is a company that's operative in the delivery and, uh, dispatch logistics space. And so they they've been using us to, to advantage and, and have realized some pretty significant cost savings. Uh, the other company that's been, uh, experimenting with Amazon location, uh, again in sort of a similar space, but with a different geography is posted on owl. And so they're the number one, uh, e-commerce and delivery, uh, her postal logistics company in the Netherlands. And what, what they're actually using us for is to, uh, do asset tracking on their delivery roller cages in order to, uh, understand where they are in the world and make better decisions as to where they should be in relation to the demand. >>Andre, I want you to close this out here. And as you said, you launched today, you've been in beta, what is in store for 2021 with Amazon location service? What can, what can we expect? What can customers expect? >>Yeah, so we're, we're in preview today and it's an open preview, so people can, can just go to the console and directly use it. You don't need to sign up. And what we have to look forward to in the first part of 2021 is general availability of the service. And you can imagine that we'll be rolling that out over everyone regions, because there's significant demand for this all over the world. And then it's a fairly typical, uh, AWS motion where what we're going to do is listen, because 90% of our roadmap is compelled by customer requests. And so we'll be very attentive to how people are using the service, where they see additional opportunities for us to serve them better. And we will move with vigor on those. >>Great. And for customers who want to find out more, what, what should they do? >>Well, the easiest thing to do is to go to aws.amazon.com/location, and then, uh, check, check us out there and get started with the service today. >>Great, well, Andre do for, thank you so much for coming on the Cuba really interesting conversation. >>Thank you so much. It's been a privilege. >>I'm Rebecca Knight stay tuned for more of the cubes coverage of AWS reinvent 2020.

>> Narrator: From around the globe it's theCUBE with digital coverage of AWS reinvent 2020. Sponsored by Intel, AWS and our community partners. >> All right, you're continuing coverage of AWS reinvent 2020 virtual event. We get the pleasure of covering this show like no other AWS reinvent. We are pulling in from the other side of the world Tomer Levy, CEO of Logz.io. First time Cuber so we're going to ease them into it but it's going to be a great conversation. I'm Keith Townsend at CTO advisor. Tomer, welcome to the show. >> Keith, thank you for having me. I'm super excited to be here. >> You know what? We love having founders here on theCUBE. We have a long history of having deep conversations with builders and we're probably the show for builders. AWS reinvent is virtual. However, I think the spirit of re-invent is highlighted in companies like this. We've seen a lot of observability companies sprout up around the industry. AWS is a big, big magnet for these types of solutions. What's the assets Logz.io and how are you guys differentiating yourselves in this crowded space? >> Yeah, absolutely Keith you see observability is so fundamental to building applications on AWS that as companies develop more applications, they have to have solid observability. And we have a mission and our mission is to enable develop engineers and any engineer out there to use open source to run their observability. So when we were developers we wanted to use open source but we had to compromise on a proprietary solution. We decided to build the company so engineers can use the observability tools they're already using for logging, for metrics, for tracing, Whatever they're already using we want to enable them to use that at scale on AWS. So it's easy to use, it's super smart and the data is coordinated. And I think fundamentally it's what we're doing very differently in the market. There is no other company in the market today that takes the best open sources and bring them together as one super strong platform and we're proud to be that company. >> Well, when you say there's no other company doing open source the way that you guys are doing it, that really intrigues me especially as we look at this from the angle of Cooper Netties, the CEO of the leading virtualization company called Kubernetes, the doubts home of the internet. How do you see the intersection of opensource observability in kubernetes especially in the public cloud? >> Yeah, for sure. People say that kubernetes is almost the operating system of the future and why do people use kubernetes? They use it to make sure they can run multiple microservices. They can take their application which used to be a monolith and put it in a distributed way. So it becomes so much harder to monitor or to troubleshoot even to secure applications. So the way we built Logz.io was really designed for companies that are moving into the cloud, companies moving into kubernetes, into microservices and by having logs and metrics and traces all work together through the best open sources. I think we can help customers really get the visibility and just accelerate the software delivery. Just provide better service to their customers. >> So Levy, walk me through that journey. What is it like for a developer to come from their traditional open source roots and enter the cloud where they're melding public cloud services in AWS alongside their tools that they're using in observability. How do you help ease that transition? >> Yeah, absolutely Keith because one of the main drivers for companies adopting tools like Logz.io is actually the migration to AWS. So imagine now migration to a new ground, what do you have to think about first? Do I have the glasses? Can I see what's going on? Like when I see what's going on, I feel more confident. So if I'm now using, let's call it elk or using the open-source Grafana or using tools like Jaeger, which are all open sources too that we offer as part of our platform. So when I use these tools I'm using them to get visibility into my own application, my own infrastructure. So Logz.io faster transition to Logz.io is super easy. This is the whole notion of having an open source compatible platform. So I want to move to Loz.io, everything that worked with my open source currently still works with Logz.io but now when you move to the cloud Logz.io on AWS, we have a very strong relationship so all the services are automatically monitored. You have pre-configured dashboard, everything is interconnected so just when I jump into the AWS platform I immediately get visibility of my existing apps and of the AWS infrastructure. And that eventually helped me become confident, grow and deliver faster on AWS. >> So again this is a conference full of builders but you used the term devOps. We're starting to see a bleeding of DevOps and builders or operations and builders come together. One of the big trans and DevOps and observability is AI and machine learning. What are some of the features of AI and Machine Learning you guys are bringing to bear to this market? >> Yeah, listen I'm a big believer in AI. You know, the amount of data that companies like Logz.io have to ingest and our customers have to process. It's just something a human being cannot possibly understand. It's like billions and millions of lines of data. So this is where we bring machines to help humans. I'll give you one example, right? If you're a DevOps engineer and you see an issue in your logs, what do you do? You usually copy that and putting it into Google and you'll end up on stack overflow, maybe on GitHub, maybe on another website. What we have done is we've scraped the web and we have learned from any user on our platform. So we actually know which log line is important and which one is not. So when companies send a log line, our AI automatically scans it and says, "Hey, here are the billion log lines. No one cares about but here is one that you should really look at right now because either you know half a million people that were searching for it. There are 7,000 alerts on this and it just happened to you. Keith look, maybe you should jump in and look at that". This is where AI makes us just better operate or better DevOp people and not kind of try to replace us. >> So I'm a technical founder, you're a technical founder, theCUBE loves supporting founders. One of the advantages of being the CEO of your company is that you get to decide the culture and the mission of your company. Talk to me about the people side of your organization and how you're making a change for the better. >> Yeah, absolutely. You know, it is a privilege and to the privilege to start and come with a mission that you want to change something in the world and we were just two developers, a staff, my co-founder and myself having to use a product we didn't want to use and you know still really wanted to use an open source product. So we said let's build the company around that and this is kind of set the mission for the company as the company evolved, so is our mission. It evolves from logging to monitoring, to tracing and we also added a cloud SIEM solution all based on open source. So we're going to DevOps engineers and any engineers and we tag any engineer we tell them, "Hey, you can use the best open source tools in the cloud is one platform without compromising". And that's something that really is very differentiated today and I'm very humbled and excited to be part of this journey and I think the team at Logz.io is as well. >> You know I'm always intrigued about this journey to the cloud. Security is one of these things that intrigues me especially as we look at something as mature in the way open source. We often associate open source with public cloud, cloud native but open source is as old as technology itself. So there is a lot of practices that we bring from legacy, traditional infrastructures into the public cloud. So talk to me about that transition of security and security models? How does observability help to either take our existing tools and migrate them to the public cloud or adopt all new cloud native tools in the public cloud? >> Yeah, for sure. I think security is probably together with observability. One of the top priority that when you think about CTOs and VP of Engineering and CSOs, they're concerned about. So we've taken the observability path and bringing better glasses to our users and then on the security side there's a whole market called the SIEM market where companies look at detecting threats, investigating them and most of these tools were that companies use our legacy, incumbents and for design on their own premises world. And are not really a fit for the dynamic world of kubernetes and the cloud. And this is when we decided a couple of years ago to launch a product in that space and today this product is extremely successful. We have customers protecting their AWS environments across the board. So basically with one product for observability, you can with a single checkbox enable security and then you can detect threats. You can look at kind of the common pitfalls of AWS environment and how you can avoid them. And eventually when you see a threat, you can use our tool to investigate and find the root cause in a tool which was designed on AWS for AWS. And it's really designed for the kind of the native cloud environment rather than the on-premise as well. >> Now, is there an integration between the AI ML law of management and the threat management solutions from our observability perspective? >> Yeah, for sure. This is the beauty, it's all one data platform. So customers ship their data, loads, metrics and traces into one place and then we start to look at how can we provide more value on the data, right? How can we look at the logs from an operational perspective and tell you, "Hey, your production might be going down because of a production risks or maybe we can provide you threat intelligence". We can enrich the data and tell you, "Hey, we think you're undergoing an attack right now". So this is all done by users and it is all enraged by AI that provides more visibility, more enrichment of the data and just advice on where to look. >> So Tomer levy, CEO, founder of Logz.io. You're now a few belong. Thank you for joining the show. I hope you have a very successful AWS reinvent. Speaking of AWS reinvent, theCUBE's nonstop coverage of AWS reinvent continues. Watch some of the world's greatest builders, innovators get challenged on their vision and for us to understand and appreciate the work that's been done in this dynamic community. Continue to watch this coverage and more. Talk to you next interview on the CUBE's coverage, of AWS reinvent 2020. (soft music)

>> Sue: Hi everybody, thank you for joining us today for the virtual Vertica BDC 2020. Today's breakout session is entitled "Autonomous Monitoring Using Machine Learning". My name is Sue LeClaire, director of marketing at Vertica, and I'll be your host for this session. Joining me is Larry Lancaster, founder and CTO at Zebrium. Before we begin, I encourage you to submit questions or comments during the virtual session. You don't have to wait, just type your question or comment in the question box below the slide and click submit. There will be a Q&A session at the end of the presentation and we'll answer as many questions as we're able to during that time. Any questions that we don't address, we'll do our best to answer them offline. Alternatively, you can also go and visit Vertica forums to post your questions after the session. Our engineering team is planning to join the forums to keep the conversation going. Also, just a reminder that you can maximize your screen by clicking the double arrow button in the lower right corner of the slides. And yes, this virtual session is being recorded and will be available for you to view on demand later this week. We'll send you a notification as soon as it's ready. So, let's get started. Larry, over to you. >> Larry: Hey, thanks so much. So hi, my name's Larry Lancaster and I'm here to talk to you today about something that I think who's time has come and that's autonomous monitoring. So, with that, let's get into it. So, machine data is my life. I know that's a sad life, but it's true. So I've spent most of my career kind of taking telemetry data from products, either in the field, we used to call it in the field or nowadays, that's been deployed, and bringing that data back, like log file stats, and then building stuff on top of it. So, tools to run the business or services to sell back to users and customers. And so, after doing that a few times, it kind of got to the point where I was really sort of sick of building the same kind of thing from scratch every time, so I figured, why not go start a company and do it so that we don't have to do it manually ever again. So, it's interesting to note, I've put a little sentence here saying, "companies where I got to use Vertica" So I've been actually kind of working with Vertica for a long time now, pretty much since they came out of alpha. And I've really been enjoying their technology ever since. So, our vision is basically that I want a system that will characterize incidents before I notice. So an incident is, you know, we used to call it a support case or a ticket in IT, or a support case in support. Nowadays, you may have a DevOps team, or a set of SREs who are monitoring a production sort of deployment. And so they'll call it an incident. So I'm looking for something that will notice and characterize an incident before I notice and have to go digging into log files and stats to figure out what happened. And so that's a pretty heady goal. And so I'm going to talk a little bit today about how we do that. So, if we look at logs in particular. Logs today, if you look at log monitoring. So monitoring is kind of that whole umbrella term that we use to talk about how we monitor systems in the field that we've shipped, or how we monitor production deployments in a more modern stack. And so basically there are log monitoring tools. But they have a number of drawbacks. For one thing, they're kind of slow in the sense that if something breaks and I need to go to a log file, actually chances are really good that if you have a new issue, if it's an unknown unknown problem, you're going to end up in a log file. So the problem then becomes basically you're searching around looking for what's the root cause of the incident, right? And so that's kind of time-consuming. So, they're also fragile and this is largely because log data is completely unstructured, right? So there's no formal grammar for a log file. So you have this situation where, if I write a parser today, and that parser is going to do something, it's going to execute some automation, it's going to open or update a ticket, it's going to maybe restart a service, or whatever it is that I want to happen. What'll happen is later upstream, someone who's writing the code that produces that log message, they might do something really useful for me, or for users. And they might go fix a spelling mistake in that log message. And then the next thing you know, all the automation breaks. So it's a very fragile source for automation. And finally, because of that, people will set alerts on, "Oh, well tell me how many thousands of errors are happening every hour." Or some horrible metric like that. And then that becomes the only visibility you have in the data. So because of all this, it's a very human-driven, slow, fragile process. So basically, we've set out to kind of up-level that a bit. So I touched on this already, right? The truth is if you do have an incident, you're going to end up in log files to do root cause. It's almost always the case. And so you have to wonder, if that's the case, why do most people use metrics only for monitoring? And the reason is related to the problems I just described. They're already structured, right? So for logs, you've got this mess of stuff, so you only want to dig in there when you absolutely have to. But ironically, it's where a lot of the information that you need actually is. So we have a model today, and this model used to work pretty well. And that model is called "index and search". And it basically means you treat log files like they're text documents. And so you index them and when there's some issue you have to drill into, then you go searching, right? So let's look at that model. So 20 years ago, we had sort of a shrink-wrap software delivery model. You had an incident. With that incident, maybe you had one customer and you had a monolithic application and a handful of log files. So it's perfectly natural, in fact, usually you could just v-item the log file, and search that way. Or if there's a lot of them, you could index them and search them that way. And that all worked very well because the developer or the support engineer had to be an expert in those few things, in those few log files, and understand what they meant. But today, everything has changed completely. So we live in a software as a service world. What that means is, for a given incident, first of all you're going to be affecting thousands of users. You're going to have, potentially, 100 services that are deployed in your environment. You're going to have 1,000 log streams to sift through. And yet, you're still kind of stuck in the situation where to go find out what's the matter, you're going to have to search through the log files. So this is kind of the unacceptable sort of position we're in today. So for us, the future will not be index and search. And that's simply because it cannot scale. And the reason I say that it can't scale is because it all kind of is bottlenecked by a person and their eyeball. So, you continue to drive up the amount of data that has to be sifted through, the complexity of the stack that has to be understood, and you still, at the end of the day, for MTTR purposes, you still have the same bottleneck, which is the eyeball. So this model, I believe, is fundamentally broken. And that's why, I believe in five years you're going to be in a situation where most monitoring of unknown unknown problems is going to be done autonomously. And those issues will be characterized autonomously because there's no other way it can happen. So now I'm going to talk a little bit about autonomous monitoring itself. So, autonomous monitoring basically means, if you can imagine in a monitoring platform and you watch the monitoring platform, maybe you watch the alerts coming from it or more importantly, you kind of watch the dashboards and try to see if something looks weird. So autonomous monitoring is the notion that the platform should do the watching for you and only let you know when something is going wrong and should kind of give you a window into what happened. So if you look at this example I have on screen, just to take it really slow and absorb the concept of autonomous monitoring. So here in this example, we've stopped the database. And as a result, down below you can see there were a bunch of fallout. This is an Atlassian Stack, so you can imagine you've got a Postgres database. And then you've got sort of Bitbucket, and Confluence, and Jira, and these various other components that need the database operating in order to function. So what this is doing is it's calling out, "Hey, the root cause is the database stopped and here's the symptoms." Now, you might be wondering, so what. I mean I could go write a script to do this sort of thing. Here's what's interesting about this very particular example, and I'll show a couple more examples that are a little more involved. But here's the interesting thing. So, in the software that came up with this incident and opened this incident and put this root cause and symptoms in there, there's no code that knows anything about timestamp formats, severities, Atlassian, Postgres, databases, Bitbucket, Confluence, there's no regexes that talk about starting, stopped, RDBMS, swallowed exception, and so on and so forth. So you might wonder how it's possible then, that something which is completely ignorant of the stack, could come up with this description, which is exactly what a human would have had to do, to figure out what happened. And I'm going to get into how we do that. But that's what autonomous monitoring is about. It's about getting into a set of telemetry from a stack with no prior information, and understanding when something breaks. And I could give you the punchline right now, which is there are fundamental ways that software behaves when it's breaking. And by looking at hundreds of data sets that people have generously allowed us to use containing incidents, we've been able to characterize that and now generalize it to apply it to any new data set and stack. So here's an interesting one right here. So there's a fella, David Gill, he's just a genius in the monitoring space. He's been working with us for the last couple of months. So he said, "You know what I'm going to do, is I'm going to run some chaos experiments." So for those of you who don't know what chaos engineering is, here's the idea. So basically, let's say I'm running a Kubernetes cluster and what I'll do is I'll use sort of a chaos injection test, something like litmus. And basically it will inject issues, it'll break things in my application randomly to see if my monitoring picks it up. And so this is what chaos engineering is built around. It's built around sort of generating lots of random problems and seeing how the stack responds. So in this particular case, David went in and he deleted, basically one of the tests that was presented through litmus did a delete of a pod delete. And so that's going to basically take out some containers that are part of the service layer. And so then you'll see all kinds of things break. And so what you're seeing here, which is interesting, this is why I like to use this example. Because it's actually kind of eye-opening. So the chaos tool itself generates logs. And of course, through Kubernetes, all the log files locations that are on the host, and the container logs are known. And those are all pulled back to us automatically. So one of the log files we have is actually the chaos tool that's doing the breaking, right? And so what the tool said here, when it went to determine what the root cause was, was it noticed that there was this process that had these messages happen, initializing deletion lists, selection a pod to kill, blah blah blah. It's saying that the root cause is the chaos test. And it's absolutely right, that is the root cause. But usually chaos tests don't get picked up themselves. You're supposed to be just kind of picking up the symptoms. But this is what happens when you're able to kind of tease out root cause from symptoms autonomously, is you end up getting a much more meaningful answer, right? So here's another example. So essentially, we collect the log files, but we also have a Prometheus scraper. So if you export Prometheus metrics, we'll scrape those and we'll collect those as well. And so we'll use those for our autonomous monitoring as well. So what you're seeing here is an issue where, I believe this is where we ran something out of disk space. So it opened an incident, but what's also interesting here is, you see that it pulled that metric to say that the spike in this metric was a symptom of this running out of space. So again, there's nothing that knows anything about file system usage, memory, CPU, any of that stuff. There's no actual hard-coded logic anywhere to explain any of this. And so the concept of autonomous monitoring is looking at a stack the way a human being would. If you can imagine how you would walk in and monitor something, how you would think about it. You'd go looking around for rare things. Things that are not normal. And you would look for indicators of breakage, and you would see, do those seem to be correlated in some dimension? That is how the system works. So as I mentioned a moment ago, metrics really do kind of complete the picture for us. We end up in a situation where we have a one-stop shop for incident root cause. So, how does that work? Well, we ingest and we structure the log files. So if we're getting the logs, we'll ingest them and we'll structure them, and I'm going to show a little bit what that structure looks like and how that goes into the database in a moment. And then of course we ingest and structure the Prometheus metrics. But here, structure really should have an asterisk next to it, because metrics are mostly structured already. They have names. If you have your own scraper, as opposed to going into the time series Prometheus database and pulling metrics from there, you can keep a lot more information about metadata about those metrics from the exporter's perspective. So we keep all of that too. Then we do our anomaly detection on both of those sets of data. And then we cross-correlate metrics and log anomalies. And then we create incidents. So this is at a high level, kind of what's happening without any sort of stack-specific logic built in. So we had some exciting recent validation. So Mayadata's a pretty big player in the Kubernetes space. Essentially, they do Kubernetes as a managed service. They have tens of thousands of customers that they manage their Kubernetes clusters for them. And then they're also involved, both in the OpenEBS project, as well as in the Litmius project I mentioned a moment ago. That's their tool for chaos engineering. So they're a pretty big player in the Kubernetes space. So essentially, they said, "Oh okay, let's see if this is real." So what they did was they set up our collectors, which took three minutes in Kubernetes. And then they went and they, using Litmus, they reproduced eight incidents that their actual, real-world customers had hit. And they were trying to remember the ones that were the hardest to figure out the root cause at the time. And we picked up and put a root cause indicator that was correct in 100% of these incidents with no training configuration or metadata required. So this is kind of what autonomous monitoring is all about. So now I'm going to talk a little bit about how it works. So, like I said, there's no information included or required about, so if you imagine a log file for example. Now, commonly, over to the left-hand side of every line, there will be some sort of a prefix. And what I mean by that is you'll see like a timestamp, or a severity, and maybe there's a PID, and maybe there's function name, and maybe there's some other stuff there. So basically that's kind of, it's common data elements for a large portion of the lines in a given log file. But you know, of course, the contents change. So basically today, like if you look at a typical log manager, they'll talk about connectors. And what connectors means is, for an application it'll generate a certain prefix format in a log. And that means what's the format of the timestamp, and what else is in the prefix. And this lets the tool pick it up. And so if you have an app that doesn't have a connector, you're out of luck. Well, what we do is we learn those prefixes dynamically with machine learning. You do not have to have a connector, right? And what that means is that if you come in with your own application, the system will just work for it from day one. You don't have to have connectors, you don't have to describe the prefix format. That's so yesterday, right? So really what we want to be doing is up-leveling what the system is doing to the point where it's kind of working like a human would. You look at a log line, you know what's a timestamp. You know what's a PID. You know what's a function name. You know where the prefix ends and where the variable parts begin. You know what's a parameter over there in the variable parts. And sometimes you may need to see a couple examples to know what was a variable, but you'll figure it out as quickly as possible, and that's exactly how the system goes about it. As a result, we kind of embrace free-text logs, right? So if you look at a typical stack, most of the logs generated in a typical stack are usually free-text. Even structured logging typically will have a message attribute, which then inside of it has the free-text message. For us, that's not a bad thing. That's okay. The purpose of a log is to inform people. And so there's no need to go rewrite the whole logging stack just because you want a machine to handle it. They'll figure it out for themselves, right? So, you give us the logs and we'll figure out the grammar, not only for the prefix but also for the variable message part. So I already went into this, but there's more that's usually required for configuring a log manager with alerts. You have to give it keywords. You have to give it application behaviors. You have to tell it some prior knowledge. And of course the problem with all of that is that the most important events that you'll ever see in a log file are the rarest. Those are the ones that are one out of a billion. And so you may not know what's going to be the right keyword in advance to pick up the next breakage, right? So we don't want that information from you. We'll figure that out for ourselves. As the data comes in, essentially we parse it and we categorize it, as I've mentioned. And when I say categorize, what I mean is, if you look at a certain given log file, you'll notice that some of the lines are kind of the same thing. So this one will say "X happened five times" and then maybe a few lines below it'll say "X happened six times" but that's basically the same event type. It's just a different instance of that event type. And it has a different value for one of the parameters, right? So when I say categorization, what I mean is figuring out those unique types and I'll show an example of that next. Anomaly detection, we do on top of that. So anomaly detection on metrics in a very sort of time series by time series manner with lots of tunables is a well-understood problem. So we also do this on the event types occurrences. So you can think of each event type occurring in time as sort of a point process. And then you can develop statistics and distributions on that, and you can do anomaly detection on those. Once we have all of that, we have extracted features, essentially, from metrics and from logs. We do pattern recognition on the correlations across different channels of information, so different event types, different log types, different hoses, different containers, and then of course across to the metrics. Based on all of this cross-correlation, we end up with a root cause identification. So that's essentially, at a high level, how it works. What's interesting, from the perspective of this call particularly, is that incident detection needs relationally structured data. It really does. You need to have all the instances of a certain event type that you've ever seen easily accessible. You need to have the values for a given sort of parameter easily, quickly available so you can figure out what's the distribution of this over time, how often does this event type happen. You can run analytical queries against that information so that you can quickly, in real-time, do anomaly detection against new data. So here's an example of that this looks like. And this kind of part of the work that we've done. At the top you see some examples of log lines, right? So that's kind of a snippet, it's three lines out of a log file. And you see one in the middle there that's kind of highlighted with colors, right? I mean, it's a little messy, but it's not atypical of the log file that you'll see pretty much anywhere. So there, you've got a timestamp, and a severity, and a function name. And then you've got some other information. And then finally, you have the variable part. And that's going to have sort of this checkpoint for memory scrubbers, probably something that's written in English, just so that the person who's reading the log file can understand. And then there's some parameters that are put in, right? So now, if you look at how we structure that, the way it looks is there's going to be three tables that correspond to the three event types that we see above. And so we're going to look at the one that corresponds to the one in the middle. So if we look at that table, there you'll see a table with columns, one for severity, for function name, for time zone, and so on. And date, and PID. And then you see over to the right with the colored columns there's the parameters that were pulled out from the variable part of that message. And so they're put in, they're typed and they're in integer columns. So this is the way structuring needs to work with logs to be able to do efficient and effective anomaly detection. And as far as I know, we're the first people to do this inline. All right, so let's talk now about Vertica and why we take those tables and put them in Vertica. So Vertica really is an MPP column store, but it's more than that, because nowadays when you say "column store", people sort of think, like, for example Cassandra's a column store, whatever, but it's not. Cassandra's not a column store in the sense that Vertica is. So Vertica was kind of built from the ground up to be... So it's the original column store. So back in the cStor project at Berkeley that Stonebraker was involved in, he said let's explore what kind of efficiencies we can get out of a real columnar database. And what he found was that, he and his grad students that started Vertica. What they found was that what they can do is they could build a database that gives orders of magnitude better query performance for the kinds of analytics I'm talking about here today. With orders of magnitude less data storage underneath. So building on top of machine data, as I mentioned, is hard, because it doesn't have any defined schemas. But we can use an RDBMS like Vertica once we've structured the data to do the analytics that we need to do. So I talked a little bit about this, but if you think about machine data in general, it's perfectly suited for a columnar store. Because, if you imagine laying out sort of all the attributes of an event type, right? So you can imagine that each occurrence is going to have- So there may be, say, three or four function names that are going to occur for all the instances of a given event type. And so if you were to sort all of those event instances by function name, what you would find is that you have sort of long, million long runs of the same function name over and over. So what you have, in general, in machine data, is lots and lots of slowly varying attributes, lots of low-cardinality data that it's almost completely compressed out when you use a real column store. So you end up with a massive footprint reduction on disk. And it also, that propagates through the analytical pipeline. Because Vertica does late materialization, which means it tries to carry that data through memory with that same efficiency, right? So the scale-out architecture, of course, is really suitable for petascale workloads. Also, I should point out, I was going to mention it in another slide or two, but we use the Vertica Eon architecture, and we have had no problems scaling that in the cloud. It's a beautiful sort of rewrite of the entire data layer of Vertica. The performance and flexibility of Eon is just unbelievable. And so I've really been enjoying using it. I was skeptical, you could get a real column store to run in the cloud effectively, but I was completely wrong. So finally, I should mention that if you look at column stores, to me, Vertica is the one that has the full SQL support, it has the ODBC drivers, it has the ACID compliance. Which means I don't need to worry about these things as an application developer. So I'm laying out the reasons that I like to use Vertica. So I touched on this already, but essentially what's amazing is that Vertica Eon is basically using S3 as an object store. And of course, there are other offerings, like the one that Vertica does with pure storage that doesn't use S3. But what I find amazing is how well the system performs using S3 as an object store, and how they manage to keep an actual consistent database. And they do. We've had issues where we've gone and shut down hosts, or hosts have been shut down on us, and we have to restart the database and we don't have any consistency issues. It's unbelievable, the work that they've done. Essentially, another thing that's great about the way it works is you can use the S3 as a shared object store. You can have query nodes kind of querying from that set of files largely independently of the nodes that are writing to them. So you avoid this sort of bottleneck issue where you've got contention over who's writing what, and who's reading what, and so on. So I've found the performance using separate subclusters for our UI and for the ingest has been amazing. Another couple of things that they have is they have a lot of in-database machine learning libraries. There's actually some cool stuff on their GitHub that we've used. One thing that we make a lot of use of is the sequence and time series analytics. For example, in our product, even though we do all of this stuff autonomously, you can also go create alerts for yourself. And one of the kinds of alerts you can do, you can say, "Okay, if this kind of event happens within so much time, and then this kind of an event happens, but not this one," Then you can be alerted. So you can have these kind of sequences that you define of events that would indicate a problem. And we use their sequence analytics for that. So it kind of gives you really good performance on some of these queries where you're wanting to pull out sequences of events from a fact table. And timeseries analytics is really useful if you want to do analytics on the metrics and you want to do gap filling interpolation on that. It's actually really fast in performance. And it's easy to use through SQL. So those are a couple of Vertica extensions that we use. So finally, I would like to encourage everybody, hey, come try us out. Should be up and running in a few minutes if you're using Kubernetes. If not, it's however long it takes you to run an installer. So you can just come to our website, pick it up and try out autonomous monitoring. And I want to thank everybody for your time. And we can open it up for Q and A.

>>Live from Las Vegas. That's the Q covering splunk.com 19 brought to you by Splunk. >>You know, kind of leaning on that heavily. Automation, certainly very important. But what does enterprise and what does enterprise security 6.0 bring to the table. So can you take us through the evolution of where you guys are at with, with Splunk, if you want to handle that enterprise security? So yeah, generally enterprise security has traditionally had really, really good use cases for like the external threats that we're talking about. But like you said, it's very difficult to crack the insider threat part. And so we leveraging machine learning toolkit has started to build that into Splunk to make sure that you know, you can protect your data. And, uh, you know, Tyler and I specifically did this because we saw that there was immaturity in the cybersecurity market for insider threat. And so one of the things that we're actually doing in this top, in addition to talking about what we've done, we're actually giving examples of actionable use cases that people can take home and do themselves. >>Like we're giving them an exact sample code of how to find some outliers. They give me an example of what, so the use case that we go over in the talk is a user logs in at a weird time of day outside of their baseline and they exfiltrate a large amount of data in a low and slow fashion. Um, but they're doing this obviously outside of the scope of their normal behavior. So we give some good searches that you can take home and look at how could I make a baseline, how could I establish that there's deviations from that baseline from a statistical standpoint, and identify this in the future and find the needle in the haystack using the machine learning toolkit. And then if I have a sock that I want to send notables to or some sort of some notification to how do we make that happen, how do we make the transition from machine learning toolkit over to enterprise security or however your SOC operates? >>How do you do that? Do you guys write your own code for that? Or you guys use Splunk? So Splunk has a lot of internal tools and there's a couple of things that need to be pointed out of how to make this happen because we're aggregating large amounts of data. We go through a lot of those finer points in the talk, but sending those through to make sure that they're high confidence is the, is the channel you guys are codifying the cross connect from the machine, learning to the other systems. All right, so I've got to ask, this is basically pattern recognition. You want to look at baselining, how do people, can people hide in that baseline data? So like I'll give you, if I'm saying I'm an evil genius, I say, Hey, I knew these guys looking for Romans anomalies in my baseline, so I'm going to go low and slow in my baseline. >>Can you look for that too? Yeah, there are. There absolutely are ways of, fortunately, uh, there's a lot of different people who are doing research in that space on the defensive side. And so there's a ton of use cases to look at and if you aggregate over a long enough period of time, it becomes incredibly hard to hide. And so the baselines that we recommend building generally look at your 90 day or 120 day out. Um, I guess viewpoint. So you really want to be able to measure that. And most insider threat that happen occur within that 30 to 90 day window. And so the research seems to indicate that those timelines will actually work. Now if you were in there and you read all the code and you did all of the work to see how all of the things come through and you really understood the machine learning minded, I'm sure there's absolutely a way to get in if you're that sophisticated. >>But most of the times they just trying to steal stuff and get out or compromise a system. Um, so is there other patterns that you guys have seen in terms of the that are kind of low hanging fruit priorities that people aren't paying attention to and what's the levels of importance to I guess get ahold of or have some sort of mechanism for managing insider threats? I passwords I've seen one but I mean like there's been a lot of recent papers that have come out in lateral movement and privilege escalation. I think it's an area where a lot of people haven't spent enough time doing research. We've looked into models around PowerShell, um, so that we can identify when a user's maliciously executing PowerShell scripts. I think there's stuff that's getting attention now that when it really needs to, but it is a little bit too late. >>Uh, the community is a bit behind the curve on it and see sharks becoming more of a pattern to seeing a lot more C sharp power shells kind of in hunted down kind of crippled or like identified. You can't operate that way, what we're seeing but, but is that an insider and do that. And do insiders come in with the knowledge of doing C sharp? Those are gonna come from the outside. So I mean, what's the sophistic I guess my question is what's the sophistication levels of an insider threat? Depends on the level a, so the cert inside of dread Institute has aggregated about 15,000 different events. And it could be something as simple as a user who goes in with the intent to do something bad. It could be a person who converted from the inside at any level of the enterprise for some reason. >>Or it could be someone who gets, you know, really upset after a bad review. That might be the one person who has access and he's being socially engineered as well as all kinds of different vectors coming in there. And so, you know, in addition to somebody malicious like that, that you know, there's the accidental, you're phishing campaigns here, somebody's important clicks on an email that they think is from somebody else important or something like that. And you know, we're looking fair for that as well. And that's definitely spear fishing's been very successful. That's a hard one to crack. It is. They have that malware and they're looking at, you can say HR data's out of this guy, just got a bad review, good tennis cinema, a resume or a job opening for, and that's got the hidden code built in. We've seen that move many times. >>Yeah, and natural language processing and more importantly, natural language understanding can be used to get a lot of those cases out. If you're ingesting the text of the email data, well you guys are at a very professional high end from Sai C I mean the history of storied history goes way back and a lot of government contracts do. They do a lot of heavy lifting from anywhere from development to running full big time OSS networks. So there's a lot of history there. What does sustain of the yard? What do you guys look at as state of the art right now in security? Given the fact that you have some visibility into some of the bigger contracts relative to endpoint protection or general cyber, what's the current state of the art? What's, what should people be thinking about or what are you guys excited about? What are some of the areas that is state of the art relative to cyber, cyber security around data usage. >>So, I mean, one of the things, and I saw that there were some talks about it, but not natural language processing and sentiment analysis has gotten, has come a long way. It is much easier to understand, you know, or to have machines understand what, what people are trying to say or what they're doing. And especially, for example, if somebody's like web searching history, you know, and you might think of somebody might do a search for how do I hide downloading a file or something like that. And, and that's something that, well, we know immediately as people, but you know, we have, our customer for example, has 1000000001.2 billion events a day. So you know, if the billion, a billion seconds, that's 30 years. Yeah. So like that's, it's, it's a big number. You know, we, we, we hear those numbers thrown around a lot, but it's a big number to put it in perspective. >>So we're getting that a day and so how do we pick out, it's hard to step of that problem. The eight staff, you can't put stamp on that. Most cutting edge papers that have come out recently have been trying to understand the logs. They're having them machine learning to understand the actual logs that are coming in to identify those anomalies. But that's a massive computation problem. It's a huge undertaking to kind of set that up. Uh, so I really have seen a lot of stuff actually at concierge, some of the innovations that they're doing to optimize that because finding the needle in the haystack is obviously difficult. That's the whole challenge. But there's a lot of work that's being done in Splunk to make that happen a lot faster. And there's some work that's being done at the edge. It's not a lot, but the cutting edge is actually logging and looking at every single log that comes in and understanding it and having a robot say, boom, check that one out. >>Yeah. And also the sentiment, it gets better with the data because we all crushed those billions of events. And you can get a, you know, smiley face or that'd be face depending upon what's happening. It could be, Oh this is bad. But this, this comes back down to the data points you mentioned logs is now beyond logs. I've got tracing other, other signals coming in across the networks. So that's not, that's a massive problem. You need automation, you've got to feed the beast by the machines and you got to do it within whatever computation capabilities you have. And I always say it's a moving train hard. The Target's moving all the time. You guys are standing on top of it. Um, what do you guys think of the event? What's the, what's the most important thing happening here@splunk.com this year? I'd love to have both of you guys take away in on that. >>There's a ton of innovation in the machine learning space. All of the pipelines really that I've, I've been working on in the last year are being augmented and improved by the staff. That's developing content in the machine learning and deep learning space that's belongs. So to me that's by far the most important thing. Your, your take on this, um, between the automation. I know in the last year or so, Splunk has just bought a lot of different companies that do a lot of things that now we can, instead of having to build it ourselves or having to go to three or four different people on top to build a complete solution for the federal government or for whoever your customer is, you can, you know, Splunk is becoming more of a one stop shop. And I think just upgrading all of these things to have all the capabilities working together so that, for example, Phantom, Phantom, you know, giving you that orchestration and automation after. >>For example, if we have an EMS notable events saying, Hey, possible insider threat, maybe they automate the first thing of checking, you know, pull immediately pulling those logs and emailing them or putting them in front of the SOC analyst immediately. So that in, in addition to, Hey, you need to check this person out, it's, you need to check this person out here is the first five pages of what you need to look at. Oh, talking about the impact of that because without that soar feature. Okay. The automation orchestration piece of it, security, orchestration and automation piece of it without where are you know, speed. What's the impact? What's the alternative? Yes. So when we're, right now, when we're giving information to our EES or analysts through yes, they look at it and then they have to click five, six, seven times to get up the tabs that they need to make it done. >>And if we can have those tabs pre populated or just have them, you know, either one click or just come up on their screen for once they open it up. I mean their time is important. Especially when we're talking about an insider threat whom might turn to, yeah, the alternative is five X increase in timespan by the SOC analyst and no one wants that. They want to be called vented with the data ready to go. Ready, alert on it. All right, so final few guys are awesome insights. Walking data upsets right here. Love the inside. Love the love the insights. So final question for the folks watching that are Splunk customers who are not as on the cutting edge, as you guys pioneering this field, what advice would you give them? Like if you had to, you know, shake your friend egg, you know, get off your button, do this, do that. What is the, what do people need to pay attention to that's super urgent that you would implore on them? What would you, what would your advice be once you start that one? >>One of the things that I would actually say is, you know, we can code really cool things. We can do really cool things, but one of the most important things that he and I do as part of our processes before we go to the machine and code, the really cool things. We sometimes just step back and talk for a half an hour talk for an hour of, Hey, what are you thinking about? Hey, what is a thing that you know or what are we reading? What and what are we? And you know, formulating a plan because instead of just jumping into it, if you formulate a plan, then you can come up with you know, better things and augmented and implemented versus a smash and grab on the other side of just, all right, here's the thing, let's let's dump it in there. So you're saying is just for you jump in the data pool and start swimming around, take a step back, collaborate with your peers or get some kind of a game thinking plan. >>We spent a lot of hours, white boarding, but I would to to add to that, it's augment that we spent a lot of time reading the scientific research that's being done by a lot of the teams that are out solving these types of problems. And sometimes they come back and say, Hey, we tried this solution and it didn't work. But you can learn from those failures just like you can learn from the successes. So I recommend getting out and reading. There's a ton of literature in that space around cyber. So always be moving. Always be learning. Always be collaborating. Yeah, it's moving training guys, thanks for the insights Epic session here. Thanks for coming on and sharing your knowledge on the cube, the cube. We're already one big data source here for you. All the knowledge here at.com our seventh year, their 10th year is the cubes coverage. I'm John furry with back after this short break.

>> from Austin, Texas. It's Theo Cube, covering pure storage. Accelerate 2019. Brought to you by pure storage. >> Welcome back to the Cube. Lisa Martin Day Volante is my co host were a pure accelerate 2019 in Austin, Texas. A couple of guests joining us. Next. Please welcome Barack elected director product management for slunk. Welcome back to the Cube. Thank you. And guess who's back. Von Stewart. V. P. A. Technology from pure Avon. Welcome back. >> Hey, thanks for having us guys really excited about this topic. >> We are too. All right, so But we'll start with you. Since you're so excited in your nice orange pocket square is peeking out of your jacket there. Talk about the Splunk, your relationship. Long relationship, new offerings, joint value. What's going on? >> Great set up. So Splunk impure have had a long relationship around accelerating customers analytics The speed at which they can get their questions answered the rate at which they could ingest data right to build just more sources. Look at more data, get faster time to take action. However, I shouldn't be leading this conversation because Split Split has released a new architecture, a significant evolution if you will from the traditional Splunk architectural was built off of Daz and a shared nothing architecture. Leveraging replicas, right? Very similar what you'd have with, like, say, in H D. F s Work it load or H c. I. For those who aren't in the analytic space, they've released the new architecture that's disaggregated based off of cashing and an object store construct called Smart Store, which Broth is the product manager for? >> All right, tell us about that. >> So we release a smart for the future as part of spunk Enterprise. $7 to about a near back back in September Timeframe. Really Genesis or Strong Smart Strong goes back to the key customer problem that we were looking to solve. So one of our customers, they're already ingesting a large volume of data, but the need to retain the data for twice, then one of Peter and in today's architecture, what it required was them to kind of lean nearly scale on the amount of hardware. What we realized it. Sooner or later, all customers are going to run into this issue. But if they want in just more data or reading the data for longer periods, of time, they're going to run into this cost ceiling sooner or later on. The challenge is that into this architecture, today's distributes killer dark picture that we have today, which of all, about 10 years back, with the evolution of the Duke in this particular architecture, the computer and story Jacqui located. And because computer storage acqua located, it allows us to process large volumes of data. But if you look at the demand today, we can see that the demand for storage or placing the demand for computer So these are, too to directly opposite trans that we're seeing in the market space. If you need to basically provide performance at scale, there needs to be a better model. They need a better solution than what we had right now. So that's the reason we basically brought Smart store on denounced availability last September. What's Marceau brings to the table is that a D couples computer and storage, So now you can scale storage independent of computers, so if you need more storage or if you need to read in for longer periods of time, you can just kill independent on the storage and with level age, remote object stores like Bill Flash bid to provide that data depository. But most of your active data said still decides locally on the indexers. So what we did was basically broke the paradigm off computer storage location, and we had a small twist. He said that now the computer stories can be the couple, but you bring comfort and stories closer together only on demand. So that means that when you were running a radio, you know, we're running a search, and whenever the data is being looked for that only when we bring the data together. The other key thing that we do is we have an active data set way ensure that the smart store has ah, very powerful cash manager that allows that ensures that the active data set is always very similar to the time when your laptop, the night when your laptop has active data sets always in the cash always on memory. So very similar to that smarts for cash allows you to have active data set always locally on the index. Start your search performance is not impact. >> Yes, this problem of scaling compute and storage independently. You mentioned H. D. F s you saw it early on there. The hyper converged guys have been trying to solve this problem. Um, some of the database guys like snowflakes have solved it in the cloud. But if I understand correctly, you're doing this on Prem. >> So we're doing this board an on Prem as well as in Cloud. So this smart so feature is already available on tramp were also already using a host all off our spun cloud deployments as well. It's available for customers who want obviously deploy spunk on AWS as well. >> Okay, where do you guys fit in? So we >> fit in with customers anywhere from on the hate say this way. But on the small side, at the hundreds of terabytes up into the tens and hundreds of petabytes side. And that's really just kind of shows the pervasiveness of Splunk both through mid market, all the way up through the through the enterprise, every industry and every vertical. So where we come in relative to smart store is we were a coat co developer, a launch partner. And because our object offering Flash Blade is a high performance object store, we are a little bit different than the rest of the Splunk s story partner ecosystem who have invested in slow more of an archive mode of s tree right, we have always been designed and kind of betting on the future would be based on high performance, large scale object. And so we believe smart store is is a ah, perfect example, if you will, of a modern analytics platform. When you look at the architecture with smart store as brush here with you, you want to suffice a majority of your queries out of cash because the performance difference between reading out a cash that let's say, that's NAND based or envy. Emmy based or obtain, if you will. When you fall, you have to go read a data data out of the Objects store, right. You could have a significant performance. Trade off wean mix significantly minimized that performance drop because you're going to a very high bandwith flash blade. We've done comparison test with other other smart store search results have been published in other vendors, white papers and we show Flash blade. When we run the same benchmark is 80 times faster and so what you can now have without architecture is confidence that should you find yourself in a compliance or regulatory issue, something like Maybe GDP are where you've got 72 hours to notify everyone who's been impacted by a breach. Maybe you've got a cybersecurity case where the average time to find that you've been penetrated occurs 206 days after the event. And now you gotta go dig through your old data illegal discovery, you know, questions around, you know, customer purchases, purchases or credit card payments. Any time where you've got to go back in the history, we're gonna deliver those results and order of magnitude faster than any other object store in the market today. That translates from ours. Today's days, two weeks, and we think that falls into our advantage. Almost two >> orders of magnitude. >> Can this be Flash Player >> at 80%? Sorry, Katie. Time 80 x. Yes, that's what I heard. >> Do you display? Consider what flashlight is doing here. An accelerant of spunk, workloads and customer environment. >> Definitely, because the forward with the smart, strong cash way allow high performance at scale for data that's recites locally in the cash. But now, by using a high performance object store like your flash played. Customers can expect the same high performing board when data is in the cash as well as invented sin. Remorseful >> sparks it. Interesting animal. Um, yeah, you have a point before we >> subjects. Well, I don't want to cut you off. It's OK. So I would say commenting on the performance is just part of the equation when you look at that, UM, common operational activities that a splitting, not a storage team. But a Splunk team has to incur right patch management, whether it's at the Splunk software, maybe the operating system, like linen store windows, that spunk is running on, or any of the other components on side on that platform. Patch Management data Re balancing cause it's unequal. Equally distributed, um, hardware refreshes expansion of the cluster. Maybe you need more computer storage. Those operations in terms of time, whether on smart store versus the classic model, are anywhere from 100 to 1000 times faster with smart store so you could have a deployment that, for example, it takes you two weeks to upgrade all the notes, and it gets done in four hours when it's on Smart store. That is material in terms of your operational costs. >> So I was gonna say, Splunk, we've been watching Splunk for a long time. There's our 10th year of doing the Cube, not our 10th anniversary of our 10th year. I think it will be our ninth year of doing dot com. And so we've seen Splunk emerged very cool company like like pure hip hip vibe to it. And back in the day, we talked about big data. Splunk never used that term, really not widely in its marketing. But then when we started to talk about who's gonna own the big data, that space was a cloud era was gonna be mad. We came back. We said, It's gonna be spunk and that's what's happened. Spunk has become a workload, a variety of workloads that has now permeated the organization, started with log files and security kind of kind of cumbersome. But now it's like everywhere. So I wonder if you could talk to the sort of explosion of Splunk in the workloads and what kind of opportunity this provides for you guys. >> So a very good question here, Right? So what we have seen is that spunk has become the de facto platform for all of one structure data as customers start to realize the value of putting their trying to Splunk on the watch. Your spunk is that this is like a huge differentiate of us. Monk is the read only skim on reed which allows you to basically put all of the data without any structure and ask questions on the flight that allows you to kind of do investigations in real time, be more reactive. What's being proactive? We be more proactive. Was being reactive scaleable platform the skills of large data volumes, highly available platform. All of that are the reason why you're seeing an increase that option. We see the same thing with all other customers as well. They start off with one data source with one use case and then very soon they realize the power of Splunk and they start to add additional use cases in just more and more data sources. >> But this no >> scheme on writer you call scheme on Reed has been so problematic for so many big data practitioners because it just became the state of swamp. >> That didn't >> happen with Splunk. Was that because you had very defined use cases obviously security being one or was it with their architectural considerations as well? >> They just architecture, consideration for security and 90 with the initial use cases, with the fact that the scheme on Reid basically gives open subject possibilities for you. Because there's no structure to the data, you can ask questions on the fly on. You can use that to investigate, to troubleshoot and allies and take remedial actions on what's happening. And now, with our new acquisitions, we have added additional capabilities where we can talk, orchestrate the whole Anto and flow with Phantom, right? So a lot of these acquisitions also helping unable the market. >> So we've been talking about TAM expansion all week. We definitely hit it with Charlie pretty hard. I have. You know, I think it's a really important topic. One of things we haven't hit on is tam expansion through partnerships and that flywheel effect. So how do you see the partners ship with Splunk Just in terms of supporting that tam expansion the next 10 years? >> So, uh, analytics, particularly log and Alex have really taken off for us in the last year. As we put more focus on it, we want to double down on our investments as we go through the end of this year and in the next year with with a focus on Splunk um, a zealous other alliances. We think we are in a unique position because the rollout of smart store right customers are always on a different scale in terms of when they want to adopt a new architecture right. It is a significant decision that they have to make. And so we believe between the combination of flash array for the hot tear and flash played for the cold is a nice way for customers with classic Splunk architecture to modernize their platform. Leverage the benefits of data reduction to drive down some of the cost leverage. The benefits of Flash to increase the rate at which they can ask questions and get answers is a nice stepping stone. And when customers are ready because Flash Blade is one of the few storage platforms in the market at this scale out band with optimized for both NFS and object, they can go through a rolling nondestructive upgrade to smart store, have you no investment protection, and if they can't repurpose that flash rate, they can use peers of service to have the flesh raise the hot today and drop it back off just when they're done within tomorrow. >> And what about C for, you know, big workloads, like like big data workloads. I mean, is that a good fit here? You really need to be more performance oriented. >> So flash Blade is is high bandwith optimization, which really is designed for workload. Like Splunk. Where when you have to do a sparse search, right, we'll find that needle in the haystack question, right? Were you breached? Where were you? Briefed. How were you breached? Go read as much data as possible. You've gotta in just all that data, back to the service as fast as you can. And with beast Cloud blocked, Teresi is really optimized it a tear to form of NAND for that secondary. Maybe transactional data base or virtual machines. >> All right, I want more, and then I'm gonna shut up sick. The signal FX acquisition was very interesting to me for a lot of reasons. One was the cloud. The SAS portion of Splunk was late to that game, but now you're sort of making that transition. You saw Tableau you saw Adobe like rip the band Aid Off and it was somewhat painful. But spunk is it. So I wonder. Any advice that you spend Splunk would have toe von as pure as they make that transition to that sass model. >> So I think definitely, I think it's going to be a challenging one, but I think it's a much needed one in there in the environment that we are in. The key thing is to always because two more focus and I'm sure that you're already our customer focus. But the key is key thing is to make sure that any service is up all the time on make sure that you can provide that up time, which is going to be crucial for beating your customers. Elise. >> That's good. That's good guidance. >> You >> just wanted to cover that for you favor of keeping you date. >> So you gave us some of those really impressive stats In terms of performance. >> They're almost too good to be true. >> Well, what's customer feedback? Let's talk about the real world when you're talking to customers about those numbers. What's the reaction? >> So I don't wanna speak for Broth, so I will say in our engagements within their customer base, while we here, particularly from customers of scale. So the larger the environment, the more aggressive they are to say they will adopt smart store right and on a more aggressive scale than the smaller environments. And it's because the benefits of operating and maintaining the indexer cluster are are so great that they'll actually turn to the stores team and say, This is the new architecture I want. This is a new storage platform and again. So when we're talking about patch management, cluster expansion Harbor Refresh. I mean, you're talking for a large sum. Large installs weeks, not two or 3 10 weeks, 12 weeks on end so it can be. You can reduce that down to a couple of days. It changes your your operational paradigm, your staffing. And so it has got high impact. >> So one of the message that we're hearing from customers is that it's far so they get a significant reduction in the infrastructure spent it almost dropped by 2/3. That's really significant file off our large customers for spending a ton of money on infrastructure, so just dropping that by 2/3 is a significant driver to kind of move too smart. Store this in addition to all the other benefits that get smart store with operational simplicity and the ability that it provides. You >> also have customers because of smart store. They can now actually bursts on demand. And so >> you can think of this and kind of two paradigms, right. Instead of >> having to try to avoid some of the operational pain, right, pre purchase and pre provisional large infrastructure and hope you fill it up. They could do it more of a right sides and kind of grow in increments on demand, whether it's storage or compute. That's something that's net new with smart store um, they can also, if they have ah, significant event occur. They can fire up additional indexer notes and search clusters that can either be bare metal v ems or containers. Right Try to, you know, push the flash, too. It's Max. Once they found the answers that they need gotten through. Whatever the urgent issues, they just deep provisionals assets on demand and return back down to a steady state. So it's very flexible, you know, kind of cloud native, agile platform >> on several guys. I wish we had more time. But thank you so much fun. And Deron, for joining David me on the Cube today and sharing all of the innovation that continues to come from this partnership. >> Great to see you appreciate it >> for Dave Volante. I'm Lisa Martin, and you're watching the Cube?