SiliconANGLE theCUBE
Haiyan Song & Oliver Friedrichs, Splunk | Splunk .conf2019
Video Duration: 17:41

    Announcer: Live from Las Vegas, it's theCUBE. Covering Splunk .conf19. Brought to you by Splunk. Hey, welcome back everyone. It's theCUBE's coverage here at Las Vegas for Splunk's .conf19. This is Splunk's 10th year doing .conf, theCUBE's seventh year of coverage. We've watched the progression of the security. The data market, log files, getting the data. The data exhaust turned into gold nuggets. Now it's the centerpiece of data security, data protection and a variety of other great things and important things going on. And we're here, two great guests from Splunk. I have Splunk's sitting vice president and general manager of security markets and Oliver Friedrichs, the VP of security automation. Guys great to see you again, we just saw you in NATO's reinforce. Thanks for coming back. Thank you for having us. So you guys are now security operations suite, last year. Okay. Now it's being discussed here. What's the update? What are customers doing? How are they embracing the security piece of it? Wow, well it's been a very busy year for us. We really updated the entire suite. More innovation going in, ES 6.0 got announced and Phantom and UBA. Every product is getting some major enhancement. Focusing on scale for example: ES now we have customers running in the cloud, like 15 terabytes. And that's like three X and on prem it's like 50 terabytes. Five O with search head clustering. So that's one example and Phantom throughout the years is just lots of capabilities we're adding. Case management was a major theme and that's actually the release before the current one. So, we've been really innovating and focusing on that just to summarize sort of the suite. Right, UBA continues to be the machine learning driven and there's a lot of maturity that goes into the product and there's a lot more scale. 
Backup and restore was like one of the major features because it's become more mission critical but what's really, really exciting is how we're using a new product called Mission Control to bring everything all together. I want to get into the Mission Control, Haiyan, because I love that announcement. Just love the name and what's behind it but staying on the suite. You're talking about, it's a suite. It's a portfolio and one of the things that's been consistent every year at .conf of our coverage and reporting has been the evolution of a platform, an enabling platform. So, as that evolves does the guiding principles remain the same? How are you guys single? Because now you're shipping it, it's available. It's not just a point product; it's a portfolio and an ecosystem following behind it. You know the app showcase, developers, security and compliance, foundation and platforms and just IT ops and AI ops are having. So you have a variety of things coming out of a platform. What's the guiding principle these days? Is it continuing to push the security? Can you share the vision? Yeah, our guiding principle and vision is really we believe the world as we digitize more as everything's happening at machine speed. As people really to go do analytics to bring insights into things and bring data into doing. That's really turning that into doing. So it's the security nerve center vision that continues to guide what we do and we believe security nerve center needs really data, analytics and operations to come together and again I've got to tell you. Mission Control is one of the first examples. That we bring all of the entire stack together. And you talk about ecosystem. It takes a village, it's a team sport and I'm so excited to see everybody here. And we've done a lot of integrations as part of the suites to continue to mature. More than 1900 API integrations. More than 300 apps, just as Phantom evolved. That's a lot of automated actions people can take. 
In the response from the people in the hallways and also the interviews. Have been very positive. Oliver, I've got to get to Mission Control. Phantom was a huge success. You were a big part of taking that into the world. Now, part of Splunk. Mission Control, love the name; Mission Control. So this is the headline by the way. Splunk Mission Control takes off. Supercharging security operations. So when I think mission control, I think NASA. You know launching rockets, SpaceX. Really new innovation because the big story behind it is unification. Can you share where this came from. What it is? What's in the announcement? Yeah so this is all about optimizing how SOC analysts actually work. So if you think about it; a SOC typically is made up of literally a dozen different products and technologies that are all different consoles. Different vendors. Different tabs in your web browser. So for an analyst to do their job they're literally pivoting between all of these consoles. We call it swivel chair syndrome. You literally are frantically moving between different products. Mission Control ties those together and we started by tying Splunk's products together. So we allow you to take our SIEM which is Enterprise Security, our UBA product, Splunk UBA, and Phantom. Which is our automation and orchestration platform or SOAR platform and manage them and integrate them into one single presentation layer. To be able to provide that unified SOC experience for the analyst. So, it's an industry first but it also boosts productivity. Letting analysts do their job more effectively to reduce the time it takes. So, now you're able to both automate, investigate and detect in one unified presentation layer or work surface. You know the name evokes, you know. Dashboards, NASA but what that really was, was an accumulation and extraction of data into a surface area where people who are analysts can do their job and manage launching rockets. 
But I want to ask you a question because this all is based on the underpinnings of massive amounts of volume of data and the old expression: Rising tide floats all boats. Also is rising tide floats more adversaries. Ransomware, taxes, the data attacks are everywhere but also there's value in that data. So as the data volume grows. This is a big deal. How does Mission Control help me manage and take advantage of that volume? How do you guys see that playing out? Yeah so Mission Control really optimizes the time it takes to resolve an incident ultimately because you're able to now orient all of your investigation around a single notable event. So, it provides an optimal work surface where an analyst can see the event, interrogate it, investigate it, triage it. They can collaborate with others. So, if I want to pull you into my investigation, we can use a ChatOps capability. Whether it's directly in Mission Control or Slack integration. We can manage a case like you would with a normal case management tool to be able to drive your incident to closure, leveraging a case template. So, if I want to pull in my crisis communications team, my legal team, my external forensics team and help them work together as well. Case management lets me do that and triage that event. It also does something really powerful. Haiyan mentioned the operations layer. The analytics and the data layer. Mission Control ties together the operational layer. Where you and I are doing work. To the data layer underneath. So we're able to now run queries directly from our operation layer into the data layer. Like SPL queries which Splunk is built on. From the cloud where Mission Control is delivered from to on premise based Splunk installation. So you could have Mission Control running in the cloud. Splunk running on premise. Then you could have multiple Splunk on premise installs. So, you could have one in one city. Another one in another city or even another country. 
You could have a Splunk instance in the cloud and Mission Control will connect to all of those. Tying them together for investigative purposes. So, it's very powerful. Huge powerful. When this comes back to the new branding data to everywhere and I see the themes everywhere. The new colors, the new brand. Congratulations but it's about things with doers, doing stuff. Thinking and making things happen. Connecting these layers is not easy. Okay and diverse data is hard to get access to but diverse data creates great machine learning in AI and AI creates business value. So, we see a flywheel develop and that you guys got going on here. Can you elaborate on that data to everywhere? And why this connective tissue that you're talking about is so important. Is it access to the word data? Is that flywheel happening? How do you see that playing out? Well, I'll start with that because we're so excited. We're a data to everything company. Our new tagline is turning data into doing and this wouldn't be just possible without technologies like Phantom coming in. Right. We have traditionally been doing really great with Splunk Enterprise. With data platforms, and with analytics. Now with Phantom we can turn that into doing. Now with some of the new solutions around data stream processing. Now we're able to do a lot of things in real time. You mentioned about the scale right. Scale changes everyday. So for us I think we're uniquely positioned in this new age of data and it's exploding but we have the technology to help contain it and it's representing your business. We have the analytics to help you understand the insights and it's really the one that's going to impact your day to day enabling your business and we have the engine to help you take actions. So, that's the exciting part. I want to talk about this flywheel because diverse data sounds great. It makes sense, more data we see, the better the machines can respond and hopefully there's no blind spots. 
That creates good AI right. Yeah. And everyone kind of knows that if they're in data but customers who may not have the ability to do that. I think this is where the connecting these platforms together is important because if you guys can bring over data. It could be ugly data, unstructured data. So, data is data but it's not always in the form you need. Which has always been a challenge in the industry. How do you see that flywheel developing? Yeah I think one of the challenges is the normalization of the data. How do you normalize it across vendors or devices? You know so if I have firewalls from Cisco, Palo Alto, Check Point, Juniper. All of that data is not the same but a lot of it is firewall blocked data for example that I want to feed into my SIEM or my data platform and analyze. Similarly across endpoint vendors, you know you have Symantec, McAfee, CrowdStrike and all of these vendors. So, the normalization is really key in normalizing that data effectively so that you can look at the entire environment. From a single pane of glass essentially and that's where Splunk does really well. Is both our schema-on-read ability to be able to correlate that data without having a schema in place but then also the normalization of that data is really key and then it comes down to writing the correlation searches, or analytic stories. To find the attacks in that data next and that's where we provide ES content updates for example. That provide out of the box examples on how to look for threats in that data. So, I want to get you guys' reaction to some observations that we've made on theCUBE. In the skew of our cube observability. Pun intended. Love it. We talk to people, our CIOs and CSOs about how they look at cloud security. From collecting logs and work loads, tracking cloud apps and on premise infrastructure and we asked them who's protecting this? Who is your go-to security vendor? And it was interesting because cloud was in there. Cloud is number one if it's cloud. 
Or not number one but they usually rely on tools in the cloud but then when asked on premise who's the number one. Splunk clearly comes up in pretty much every conversation. It's anecdotal, it's not a scientific survey, it's more of a hand picked. What that means is Splunk is essentially the number one provider with customers in terms of managing those workloads, logs to cross apps, but the cloud is now a new equation because now you've got Amazon, Azure and Google all upping their game on cloud security. You guys partner with those guys. So how do you guys see that? How do you talk to customers? Because with an enabling platform that you guys are offering; you're enabling applications. Clouds have applications. So, how do you guys tell that story with customers because you're number one right now. Yep. How do you thread that needle into this explosive data in the cloud and data on premise? What's the story? So, I wish you were part of our security super session. We actually spend a lot of energy talking about how the cloud is shifting the paradigm. The paradigm of how software gets built, deployed and consumed. How security needs to sort of really rethink where we start. Right, we need to shift left. We need to make sure that, I think you used the word observability, right. Yep. You got to start from there. That's why as a company we bought, you know: SignalFx and all the others. So the story for us, it starts from our ability to work with all the partners. You know they're all like great partners of ours. AWS and GCP and Microsoft in many ways because the ecosystem for cloud. It's important. We're taking cloud data. We're building cloud security models, actually our research team just released that today. Check that out and we've been working with customers and building more and more use cases. We also spend a lot of time with our CSO. Customer advisory council. Just happened yesterday. 
Talking about how they would like us to help them and part of that, they were super excited. The other part was like oh we didn't understand how complicated this is. So I think the story has to start in the cloud E-world. You've got to do security by design. You've got to think about automation, because automation is everywhere. How deployment happens. I think we're really setting a very interesting intersection of that. We bring the cloud and (mumbles) together. You mentioned CSOs. I wonder if I can get cameras in that room. I'm sure they don't want any cameras in the CSOs' room. Oliver, taking that to the next level. Complexity is not necessarily a bad thing because software can extract away complexity. It's in the history of the computer industry that, that's where innovation can happen. Digging away complexity. How do you see that? Because the cloud is a benefit. It shouldn't be a hindrance. So, you guys are right in the middle of this big wave. What's your take on all this? Yeah, look. I think cloud is inevitable. I would say all of our customers in some form or another are moving to the cloud. So, our goal is to be the... Not only deliver solutions from the cloud but to protect them when they're in the cloud. So, being able to work with cloud data source types. Whether it's Azure, AWS, GCP and so on is essential. Across our entire portfolio. Whether it's Enterprise Security but also Phantom. You know one exciting announcement that we made today is we're open sourcing 300 Phantom apps and making them available with the Apache 2.0 license on GitHub. So you'll be able to take the integrations for cloud services. Like the many AWS services for example, extend them. Share them in the community and it allows our customers to leverage that ecosystem. To be able to benefit from each other. So, cloud is something that we work with not only from detection. Getting data in but then also taking action on the cloud to be able to protect yourself. 
Whether it's, you know, I want to suspend an Amazon AMI or instance right, to be able to stop it when it's infected. For example, it's finishing that whole OODA loop and the investigate, monitor, analyze, act cycle for the cloud as we do with on prem. I think you guys are in a really good position. Again I'd said this in 2013 but I think my adjustment today would be, you know in talking to Andy Jassy, CEO of AWS. He and I always talk all the time around the question he gets every year. Is Amazon going to kill the ecosystem? Everyone's afraid of Amazon. He says John, no we rely on third party. Our ecosystem is super important and I think that as on premises and hybrid and cloud become so critical. That it's really the IOT equations with industrial that really makes you guys, really in a good position. So I think Amazon would agree. Having third party, if you want to call it that. I mean supplier. Is a critical linchpin. Because the data needs to be scalable. And we need ecosystem for security and we... You know one of the things I shared is we're really in an asymmetric warfare. Whereas adversaries. You know you talk about AI and machine learning, data at the end of the day is the oxygen for really powering that arms race and for us if we don't collaborate as an ecosystem. We're not going to have an upper hand because the other side as I always say. There's no regulations, there's no lawyers. They can share, they can do whatever. So, I think as a call to action for our industry we got to work together. We got to really sort of share and advance our industry together. Congratulations on all the new shipping, general availability of ES 6.0. Phantom is continuing to be a great success. Congratulations on the open source. You got your app out there. You got Mission Control. You guys keep on evolving, Splunk. The platform. You've got apps. Showcase here. Good stuff. Beginning of the new data age. Super excited. We're riding the wave together with Splunk. 
Been there from day one. Actually 30 year in but their tenth year .conf. Our 7th year covering Splunk. I'm John Furrier, thanks for watching. We'll be back with more live coverage. Three days of CUBE coverage here in Las Vegas. We'll be right back. (light techno music)