Mike Haag, Red Canary | Splunk .conf19
>> Live from Las Vegas, it's theCUBE covering Splunk .conf19, brought to you by Splunk.

>> Hey, welcome back, everyone. This is theCUBE's live coverage here in Las Vegas for Splunk's .conf 2019. It's Splunk's 10th year having the event, theCUBE's coverage seven years. TheCUBE, independent media company, breaking down, extracting the signal from the noise, talking to the top people, top experts, telling the stories that matter. We're here with Mike Haag, director of applied research for Red Canary. Mike, thanks for coming on. I appreciate it.

>> Thank you.

>> So Red Canary, what is the company doing here? What's the focus? What does the company do? Take a minute to explain Red Canary and why you're here at .conf.

>> Sure, thank you. So we are a managed endpoint detection and response organization. We partner with organizations of all sizes to help them eradicate evil, for instance. So we help them with monitoring their environment. We investigate, respond and act on threats.

>> So on the notes here, you guys have a session titled "Finding evil is never an accident: how to hunt in BOTS." So using BOTS, hunting down evil, you guys are out there doing this as a business. What does it mean? First of all, what is evil and how do you hunt it down? Take us through that.

>> Sure. So the talk is based around the Boss of the SOC data set that was released by Splunk. They have version one, version two, and version three will be coming out soon, and they just released version four here. And so the talk's all focused on how to find evil within BOTS. It's actually V4, sorry, the one that just came out. And so what we do as an organization is we help businesses get through their data, kind of like your guys' mission as well. Like get through the haystack, find the bad things and present that to our customers in a really fast way. So that's kind of where we are today.

>> Archives to find the good content. Great experts like yourself. Tell about your role. You're like a researcher, but it's not like you're sitting back there. Applied research, applied means it's not like just making it up, you know, the next moonshot. You guys are applied specifically to hunting down evil. That's your role. What does that entail? You guys have to sit back, zoom back, look at the data that Splunk's providing, some benefits with their, they're exposing their data. What does it mean to hunt down? What are the requirements? How do you set that up? What are you looking at going through the day? Those are the dashboards? What do you deal with in your job?

>> Yeah, so like a day to day, or kind of what our team does, is we focus on what's going on previously, what are we seeing in the wild, what campaigns are happening. And then my role within my team is focused on what's coming. So what are red teams working on? What are pen testers looking into? Take that information, begin testing and begin building proof of concepts. Put that back into our products so that whether it's two weeks, six months, two years, we have coverage for it, no matter what. So a lot of our time is generating proof of concepts on what may be coming. So there's a lot of very unique things that may be in the wild today, and then there's some things that we may never see that are just very novel and kind of a once-at-a-time kind of thing. Right?

>> So you know, we love talking about data. We've been covering data since 2010. The thing that's interesting, and I want to get your thoughts on this, because, you know, evil has arbitrage built into it. They know where to hide. And so the question is, what are you looking at matters, right? So there's a lot of exposure. But the question I have for you is, what is the problem that you're solving? Why do you guys exist? Was it because evil was better, adversaries were better at hiding? Is it automation can solve patterns they haven't seen yet? Because if you automate something you haven't seen yet, so is it new things? So what's the problem statement that you guys are attacking?

>> Yeah. So, it's a lot. There's a lot to unpack. So, like in particular in this instance, seeing something that happened yesterday and then what's happening today, is actors are working to break process lineage within what's happening on the endpoint. Because actors know that everything's happening on an endpoint. Yes, there's traffic coming in, but there's execution going on in a single place on that box. So their whole tactic now is to try to break that lineage. So it's not Microsoft Word spawning something. It's now Microsoft Word opens and it spawns over there off another process, right? So we're here to monitor those types of behaviors. And that's pretty much the core of Red Canary. We've always focused on the endpoints. We only do endpoint-based products. We don't monitor networks. We don't monitor firewalls or anything like that. We're very focused, hyper-focused on endpoint behaviors. And that's the cool part about our job, is we get to see all the really new things that are happening. And if you look at these breaches in the past, it's happening on the endpoint, and that's probably where we are.

>> And actually "the canary in the coal mine" is an old expression. Everyone knows that, or the older folks might know that. But you know, identifying and being that early warning detection system really kind of was the whole purpose of the canary in the coal mine. Red Canary, red teams, I'm kind of putting it together. What are some of the things that you've seen, as an example of why you exist? Is it new things? Is it, you know, hey, a known thing, or both? What are some of the examples that you can point to that point to why you guys exist?

>> Yeah, sure. A good example is kind of the looking-forward stuff, where red teams are going, where actors are going. So a lot of them are moving to C# and .NET tradecraft, which is very native to the operating system and Windows. So if they're doing that, they're moving away from what they've been used to the last few years, which is PowerShell. So PowerShell's kind of dead, then now we're going to C# and .NET. So a lot of our focus today is how can we better detect those? And vendors are moving that way too. They're starting to see that they have to evolve their products to the next level in order to detect these behaviors. Cause I mean, that's the whole reason why a lot of these EDR vendors are here, right? And it's all data, like you said. And so feeding it into a SIEM, or with Splunk in particular, you're able to correlate those behaviors and look at very specific things and find it real well.

>> One of the things that a lot of security practitioners and experts and advisors have been looking at over the years is data. So it's no secret data is critical. But one of the things that's interesting is that data availability has always been an issue. Sharing data. And then the message here at Splunk .conf19 is interesting. You've got data diversity now, exposure to the fabric search concept there, they've got accelerated and real-time too. We've always had that. But as it kind of comes together, they're looking to get a more diverse aperture to data.

>> Yup.

>> Is that still an ongoing challenge? And, cause if you have a blind spot, this is where the potential danger is. How do you guys talk about that? What's the narrative around diverse data sets, how to deal with them effectively, and then if blind spots exist, what do they look like or how do you figure that out?

>> Yeah. So I've been with Red Canary for over three years, about three years now. And one of the things I started at was as a technical account manager, incident handler. And so I helped a lot of our customers go from "we bought you, Red Canary, to monitor endpoints, but what should we do next?" And so our incident handling team will come in and assist a customer with, you guys should start going down this road. Like, how are you bringing everything together? How are you analyzing your data, down to just operationalizing some use cases and playbooks within their data. Like you've got EDR. Now let's look at your firewalls. How rich that data can be to help enrich the EDR information. Like here's the IP address in Carbon Black Response. Where's it going this way on your firewall, or your appliance is going out, and things like that. So we have a whole team dedicated to it and that's the focus of that.

>> We took a poll. You know, theCUBE's been operating for 10 years; it's our seventh year here. Dave and I took a poll of our CUBE community, about 5,000 alumni, and we asked them about cloud security, which vendors are the best, and Splunk is clearly number one in third-party data management. I've got to call it out, it's got a category, cloud security: how should the cloud vendors provide security, Google, AWS and Azure. But outside of the core cloud providers, Splunk's number one, clearly across the board. How is Splunk doing in your mind? How do you guys work with Splunk? What's the dynamic? What's your relationship with Splunk and where's Splunk positioned in your mind? Because as cloud becomes more prevalent, with cloud native, born in the cloud, and with hybrid there's a unification, not just with data. They have infrastructure operations.

>> Yup.

>> So Splunk's role and then their future prospects. Share.

>> So Red Canary uses Splunk too. So we process, I think, like 30 terabytes plus of data a day coming to our engine that we built. And that's the kind of proprietary piece of Red Canary. 30 terabytes of data flows through. We use like a DSL, like a language that sits on top of it, that queries, looking for those behaviors. We send those tip-offs, as we call them, to Splunk, and we actually track a lot of the efficiencies of our detectors that way. So we look for how a detector's doing, is it triggering, is that false positives, how many false positives over time. And then also how much time our analysts are spending on those detectors. You know, they get a detector or an event and they review that event, and they're spending 20, 30 minutes on it, and well, what's wrong with it? Is there something going on here? Do we need to cut something back and fix it? So we use Splunk a lot for like the analytics piece of just how our operation works. It's awesome. It's really neat to see.

>> One of the things that I've been proud of with covering Splunk is we showed them early, when they were just started, then they went public.

>> Yeah.

>> Just watching how they've grown. They did a lot of great things. But now the theme is applications on top of Splunk. They're an enabling platform. They had a couple of key pillars. I want you to talk about where you guys fit and where you see the upside. So Splunk has the developer area, which is, they have all these dev, new developers, security and compliance and fraud, foundations and platform stuff. And then the IT ops, they've got analytics, AIOps, they've got SignalFx, cloud native. So those are kind of the four key areas around their apps, their app strategy. Do you guys cut across all those? Are you guys developing? Are you doing all, what's the, where does Red Canary fit into that? Yeah, it seems like you're probably a cross-section.

>> Yeah, probably most likely fitting into a few areas within that. My team has developed a couple apps for Splunk, so we've published those. We have like an app that we pushed out. We have a Carbon Black Response app, which we co-developed many years ago. Those things are all out there. We've helped other people with their apps, but yeah, it's a little mix of everything. And I think the big core thing that we're all looking to today is like, how can we use more of the Machine Learning Toolkit with Splunk, for our customers and for us internally. Like how can we predict things better with it? So there's a little bit of focus on that.

>> Same thing. In your opinion, being out in the field, you've been on the front lines, now you're in research, you've got that holistic view, you're looking down at the field, the battlefield, if you will, the adversaries, the evil out there. What do you look for? I mean, what's the triggering event for you? How do you know when you need to jump in and get fully ready, alert, and really kind of sound off that Canary alarm, saying, hey, you know, let's take action here, or let's kind of look at that? Take us through some of those priorities. What's some of the workflow you go through?

>> Yeah, so we'll end up either sending a detection to a customer, and either they'll trigger like, hey, can you give us more context around this event that happened? Or it will be, we had a pen test, red team, bad thing happen, can someone else investigate further? And so I'll come in, from my perspective, I'll come in kind of like, almost like a tier three in a way. We'll come in, we'll do the additional research beyond what our detectors already caught, looking for many things. You know, was there something we missed that we can do better at detecting next time? Is there any new behaviors involved with something dropped, that, you know, the actor had left within the environment that may have gone by antivirus, prevention controls, anything like that. And then also just understanding their tradecraft, right? So we track a lot of teams and observed behaviors, and we're able to kind of explore and, you know, build those.

>> You gotta be on everything. Basically you gotta survey the entire landscape.

>> Yep.

>> You come in post-event.

>> Yeah.

>> Do the collateral damage analysis and the dead map.

>> That's a really cool thing about like the Splunk Boss of the SOC data set, right? And that's where my talk's a lot about. It's a very basic talk, but it focuses on how to go from beginning to end investigating this big incident that happened. You know, cause when you get a detection from an organization, you might just find that it was delivered to a Word doc, a couple of things executed. But was there something else that happened? Right?

>> And there's your canary in the coal mine piece, right? You know, finding other things that occurred within the organization, and helping. Ideally your data essentially is the foundation for essentially the preventative side. So it's, yes, it's kind of a closed-loop kind of life cycle.

>> Yep.

>> Leverage, operating leverage, data standpoint.

>> Yeah, it's a solid point. I coined the term like three years ago called driving prevention with detection. So take all your detection logic and understanding and things you see with products, even EDR, AV, and use that to drive your prevention. So it's just a way that if you're just alerting on everything, take that data and put it into your preventative controls.

>> So Michael, got to ask you, how is cloud changing the security formulas? Because obviously scale and data are big themes we hear all the time. I mean, it's been around, it's not a new thing. But the constant theme that I see in all my CUBE interviews we've done over the years and this year, is the word scale comes up. It's unprecedented scale, both in data volume, surface area, needs for things like Red Canary teams to be in there. What do you see with the impact of the cloud? Does it really, should it change the game in any way?

>> Yeah, it's speed. It's the speed of new cloud technology that seems to constantly be coming out. Like one day it's Docker, next day it's Kubernetes, and then there's going to be something tomorrow, right? Like it just constantly changes. So how can vendors keep up with logging, making sure it's the right type of logging, and being able to write detection on it, or even detect anything out of it, right?

>> One, the diversity too is a great point. I want to know. Firstly, logs are great. Yeah, you've got tracing. So there's now different signaling. Yeah. So this app now, a new thing that you've got to stay on top of.

>> Oh, totally. Like look at any MSSP, they have thousands of data sources coming in. And now I want you to monitor my Kubernetes cluster that scales horizontally from 100 to 5,000 all day, every day, like Netflix or something, right? And I want you to find the bad things in that. It's a lot going on.

>> And this is where machine learning and automation come into play, because the observability, you need the machine learning. They've got to categorize this. Okay. Again, humans do all this? No.

>> Yeah, it takes a machine. Using machines with human intelligence in a way, right? So have a human driving the machine to pull out those indicators, those notables.

>> Michael, thanks for coming on. Great insight. Great signal from the noise. You're still extracting there. Great stuff. Final question to end the segment. In your opinion, what's the top story in the security industry that needs to be continually told and covered and reported on?

>> Ooh, that's a good one.

>> You hear any threats, platform development, new stacks developing. Is there like one area that you think, deep, that's the high-order bit in terms of impact?

>> Yeah. I think focus on, I'm going to say endpoint, cause that's where everything's executing and everything's happening. And that's the biggest thing, that it's only gonna get more challenging with IoT, edge and industrial IoT.

>> Yes. The edge is the endpoint. Endpoints are changing. The definition is changing. Great stuff coming on from Red Canary here in theCUBE, the canary in the coal mine. That's theCUBE, bringing you the signal here from .conf19. I'm John Furrier, back with more after this short break.