Building digital resilience with unified security and observability (sponsored by Splunk) (Splunk)

This article centers on Splunk and notes that it is to be acquired by Cisco. It stresses that Splunk is a data analytics platform and that, in a constantly changing global threat landscape, resilient data systems are essential to enterprises. It also shares related case studies, pointing out that systems must be built with security by design in mind, that all parts need to work together, and that data integration and network optimization can be achieved with the help of AWS and similar services.


How's everybody doing today? Right. You guys just came here to sit down, I know that. Right, because it's, uh, I don't know if you're like me, I'm tired. Um, so I wanted to kick it off like we are. We titled this "Building Digital Resilience with Unified Security and Observability." What we really wanted to call it was "Two Fat Guys and an Idea," but they wouldn't let us do that for some reason. I thought it was "Two Good-Looking Guys." That's right. Like we're sexy like Austin Powers, right?

Um, but anyway, I want to say thank you to everybody for showing up here. Hopefully you'll get something out of it, and we'll kick this off. So, real quickly, my name is Tony Pierce. I'm one of the field CTOs at Splunk. You guys can look me up. I'm not gonna go into it, but most of my background is Department of Defense, and I did a little thing in consulting, but my specialty is basically focusing on cybersecurity and resilience. So I spend a lot of time with Fortune 100, Fortune 500 companies.

Thank you, Tony. My name is Michael Guha. I lead the security advisory team for North America for Splunk. I've been at Splunk for about three years, but most of my career I spent on the practitioner side building either security programs or operational programs. Last stop before joining the dark side, as some of my friends and colleagues like to say, I was senior vice president at Mastercard, where I ran their core operations. So I was responsible for the $6.5 trillion a year network, security and operations. I also spent time at Express Scripts and at a small health care system, about a $6 billion integrated health delivery network, Sisters of Mercy in St. Louis.

So we're really excited to be here with you today and share with you some of our stories around resilience. When we talk about Splunk, these are some of the speeds and feeds of Splunk, but I'm going to just address the elephant in the room. Yes, a couple of months ago it was announced that we were being acquired by Cisco. We are really thrilled about that announcement. Sometime in 2024 it's scheduled to close, and we're excited to be coming back next year bigger, faster and stronger. So we're looking forward to joining the ranks of Cisco.

But it really doesn't change the mission that we have at Splunk, and that's all about the data. What we do at Splunk is we're a data analytics platform, and then we use a whole bunch of other really great technology to address different workloads and use cases for our customers. One of the things that our customers, you guys, have seen or experienced is an ever-changing global threat landscape. I mean, before COVID hit, we were all going to the office, right? Almost no remote work. We had most of our workloads, or at least some of our workloads, on prem, some were moving to the cloud in some hybrid format, but the world is changing. And what I found is companies that have the most resilient data systems, both for security and observability, are the ones that thrive in that changing environment. They're able to react, they're able to send people home on a dime, they're able to move the workloads to the cloud and do so in a secure way and not impact their operations. So when we talk about resilience, we're really talking about the whole picture.

Let me share with you a quick story from when I was at Mastercard. One of the last things I did was create what we called a technical risk radar. This is a tool we used to show the board of directors what the biggest risks to our operations around the globe were. And we were really proud of this. It was a beautiful picture. We had a whole bunch of underlying data and information for the board explaining why those were our top 10, 11, 12 risks. And we presented to the board of directors, and one of the board members asked me, "Michael, why isn't GDPR up on that list?" And of course I responded, "That's a law, that's more compliance and legal." And he said, "Au contraire, GDPR has data residency requirements and a whole bunch of technical requirements that could absolutely impact our ability to operate throughout Europe." And he was right. And what I realized was the board of directors aren't looking for us just to stop the threats, the threat actors, the hackers, the ransomware; they're asking us to build IT systems that are resilient, right? Because they want to understand what the risk is to their ongoing business operations. And so in that case, it really taught me that this concept was about resiliency and what the board is actually looking for.

So at Splunk, if you think about how we built our platform, it's all about the data. Splunk's secret sauce is the ability to get data into a platform, a data analytics platform, and then execute a whole bunch of workloads against that same set of data. You notice here you see security and observability at the top. Those are our two big areas, but we also do things like fraud. We're also going to do things like financial crime, because that data is so rich, OT security, and on and on and on. The idea is bring the data in once and then leverage that platform and leverage that data over and over.

I'll tell you one quick mantra that I have, and that is: you all have data in your environments. Data is today's digital currency. Data is one of two things. It's either an asset or it's a liability, and what we strive to do for our customers is make sure they're getting the most value out of that data as possible.

One of the things, a lot of times people don't realize this. Back in the day, we used to talk about cybersecurity. I've been doing cybersecurity for 30 years, 30 plus years. I started hacking when I was like 13. I spent most of my time in the Department of Defense doing some unique things for the government. And when we think about it, as I said, everything is data. So everything is security, right? And so being able to take that end to end, what I like to call the path of the packet, is understanding how it goes through, like for Splunk. And one of the reasons why I came over to Splunk, I've been here for about 11 months, was that I used Splunk in a way to get that visibility. I knew I couldn't defend anything if I didn't see it first.

All right. You know, we always have to say, hey, as cyber guys, we're all like, oh, send me everything, right? But everything has a cost, and there is a tipping point when you get too much data where you can't refine it. So time to detection, time to mitigation tends to be hurt. And so when you start thinking about it, when we look at our platform, I said, well, I really wanted to do visibility first, I wanted to see everything, but I wanted to define that data. And also when you think about resilience, true resilience is bending. There's no company or anybody out there that's never gonna get hacked, right? It's just not gonna happen. Everybody is under threat. It's a battlefield, right? And so the key to resilience is to be able to bend and then be able to come back and recover. Like with ransomware, everybody talks about ransomware attacks; once the ransomware is already activated, it's too late.

All right. And so being able to respond in a certain way, but the only way you respond is to be able to create end-to-end visibility, depending on what the attack is. So that's why I tell people Splunk is nothing more than a platform that answers questions and provides visibility. The question is, how do we do that?

All right, this is where a lot of times people forget: the planning phase, the strategic. I always break everything up. Again, I'm prior military, I'm retired, so I kind of think in that way, because I think about the warfighter, and I think that in cyber it's a cyber battlefield, and so everything is strategic, tactical and, to me, operational. And so a lot of times what we do is we want to be strategic, we want to be able to map to a framework. I like to use the NIST CSF because it answers a lot of questions. Here at Splunk we actually have a compliance app. It's free, you can download it, and as long as you have a good CIM mapping, you can do a lot of your compliance. I call it compliance over time, not a moment in time, right? But it all feeds in by tactical outcomes.

Again, we talked about this earlier, saying, hey, you know, from cyber, send me everything, right? But everything is not always... we forget the idea of defense in depth. And so being able to be tactical and understanding that data as it flows through, to get your time to detection, time to mitigation down pat, right? And everything feeds into operations, understanding what's business critical. A lot of times when I go and talk to CISOs and CTOs, I say, hey, that's a partnership between you two, right? The CTO organization controls the data, the infrastructure; the CISO is the analyst, they are the receivers of the data. But everything feeds the operations. And a lot of times I'll just ask, what is business critical? And you wouldn't believe how many times they don't know what that is.

All right, because the cyber guys do first in, first out. Well, being able to define that and do that data classification and understanding that... Just to add to that, you look at this, this is the strategy: you have strategic outcomes, tactical outcomes and operational outcomes. What I'll tell you is, and I can't believe, you know, other vendors are cringing right now, products don't solve your problems. Let's just be very clear. It's how you operationalize technology that solves your problems, right? So a lot of times you'll see companies telling you, hey, we're going to solve your problems if you buy our product. Understand the hardest thing to do is operationalize that technology in an effective way in your operations. So when you see down here, you have to get to operational outcomes. Otherwise, what do you have? You have shelfware.

Now, how do we do that though? Right?

You need to get everything into... like, I know a lot of the marketing buzz was like, oh, a single pane of glass, but it really is like that. I got to get it into one platform because I need to collate and I need to aggregate the knowledge, right?

One thing about what we do at Splunk is we talk to just about anything. It's pretty simple. Time to value is pretty solid. But understanding, and then I kind of like to use the NIST model again. We're all a product of our society. I came from the government. I like NIST just because it's simple, a way of simplifying a complicated thing, but I like compliance over time. The governance. You guys have all seen that NIST has changed, you have the five now, right? Governance is in there.

Recovery time, time to mitigation, time to detect, time to isolate and time to identify, all those are time, those are all things. But the only way you can do that is data first, right? You have to understand your data. And one of the things that I liked about Splunk when I, and I've been around a long time, when I started bringing it in for the government, was I needed something that talks to a lot of custom applications. It talks to just about anything, and bringing it in so I can correlate it in there, because again, for us, for the Department of Defense, it was all about the warfighter. All right. Next slide.

Now, how do we do that though? All right. And then one of the things I did is I built this pyramid to kind of help understand all that, right? So when you talk about governance, I'll be honest, I'm a cyber guy. It took me forever to talk to the audit guys because they drive me insane. And compliance, right? I want to focus on threat, but it took me forever to understand that, hey, I need to make them part of my conversation, because by getting them involved, it simplifies my outcomes, right? If I get them involved during what I call the cyber playing field, it's easier on the end. I don't have to stop what I'm doing to answer their question.

So being able to bring that in, also defining the roles and responsibilities. It's all part of resilience. I design a lot of fusion centers and SOCs. That's kind of what we do from an advisory standpoint. And one of the things I'm like, you have to understand the roles and responsibilities. Network guys think in a totally different way than an IT guy. Cyber guys think totally differently. Back in the day, we used to say, hey, you used to be a generalist, right? In cyber, you kind of knew the entire path of the packet, you knew defense in depth. But data has grown so much and our companies have grown so much, you have to start being more niche and understanding the data, but you have to get it all into a consolidated platform. And then also I need to get more predictive. A lot of times what I see is that we're spending a lot of time looking at the known and not focusing on the unknown, and the unknown is where the bad things happen. But we're spending so much time on the known because we haven't defined it, we haven't tagged it, we haven't classified it. And so a lot of times when I go in and I talk to them, I say, in resilience, you gotta understand your applications, you gotta understand your data type and you got to get it into a platform. Because let's be honest, most organizations are siloed, they don't talk to each other. And I always say, people don't talk to each other, but tools do. So I use tools to facilitate communication. And so this is kind of how we've done it.

So the second part of the resiliency framework pyramid is this idea of security by design. My favorite terms I hear in the industry are things like "secure DevOps," and I'm like, you've already failed. It's not security applied to DevOps. Security needs to be built into DevOps. Right. The reality is, if you're not checking the code as you build the code, you're absolutely going to miss it, or it's going to be the ninth hour and you have to deploy code and you find a vulnerability. But hey, we can't turn the business off. This is capability we need for Christmas or Black Friday. So security by design is absolutely critical. It starts with network security. It's application security. It's got to be built into the code that you build. And of course, endpoint security is key. So when we talk about security, it can never be an afterthought. If it's a bolt-on or an afterthought, then it's already done. You know you're going to be fighting uphill the rest of the way and probably losing the battle nine times out of 10.

Yeah. So one of the things that I like to tell people: a lot of times we measure resilience by vulnerability, right? Have you ever seen those big long reports that the vulnerability scanners give you, like 20? Nobody has time to read all that crap. Sorry, maybe I shouldn't say crap because I'm going live here. But one of the things I tell people is a functional result. I was like, you know, bring in your vulnerability scanner data and create a dashboard. It's very simple: create a dashboard, bring in your vulnerability data and bounce it off of your IPs. All right, understanding your threat landscape. And now by finding that, you actually can save a little bit of money, because a lot of times you're cleaning up the white noise and you're focusing on the data that matters, the stuff that you actually can do something about, because the rule of thumb is, if you try to patch everything, you patch nothing. All right, because you just can't do it, right? Our networks are so large now, right? And so by bringing those two in, now you have your threat landscape and you have your vulnerabilities: what am I scanning and what is my threat landscape? And then you bring in that patch data. A lot of times people use SCCM, they use Endpoint Manager, there's BigFix, there's all these different things, but a lot of times people don't look at what was not patched. So bringing all that stuff in will actually address this risk. So you can reduce risk. You can never reduce threat. You can always reduce risk, though, by implementing different controls, right? Understanding, like a lot of us in this room are practitioners, remember Log4j and everything? The world stopped, right? And everybody's like, oh, you need to go address that, and then IT... but that was a great example of where cyber and IT have to work together for a common result, right? What was the most important thing that I needed to do first? All right. And that's part of that resilience, understanding that CVE data and doing what needs to be done, which is bringing in that threat intelligence to be proactive, not reactive.

And when you start thinking about IAM and third-party trust, a lot of our companies are so integrated with other people. Think about the SolarWinds hack; that was just a third party. They used a third party to be able to... and it affected the world, anybody who has SolarWinds, and we all know it. And now I think the big thing in the news is that, for the first time in history, a CISO is now being held accountable, they're being sued, right? And so understanding that data, but you can't do that unless you bring the data in and understand what the risk is and where it is, and review some of that.

And then the key to that, when you get to the maturity model, is automation, right? And being able to automate a lot of this stuff is key, but you can't... I do a lot of incident response, and I've seen where people have automated too early. And the rule of thumb in a SOC is, if it's automated, I'm not looking at it. All right. But so you haven't defined the data, so you automate too early, and then something slips through. All right, hackers know your network; they're in there. And so being able to automate what you need to do, but that's the maturity level.

Excellent. And actually the reality is that SOCs face... If you're all in or touch security operations, you know that the volume of incidents, the volume of tickets, the volume of whatever continues going up exponentially. So the only way to address that is through automation, because I don't think... have you ever met a CISO that told you he had unlimited budget for FTEs? No, never. Raise your hand if you have unlimited budget. I don't think anybody here does. So the reality is, how do you address it? You have to address it through automation. So automation is absolutely a key to any resiliency program that you put in place in your organization.

And then the next part of the pyramid is this resiliency by design. So we talked about security by design, but the reality is we can't operate in silos. One of the things I did at Mastercard was I actually took somebody from the SOC and put them in the NOC. Why was that? So they had visibility, because there was never an incident... if it was a NOC issue, the SOC was chasing its tail for hours trying to figure out what the problem was, or vice versa: if there's a security incident, the network operations center was chasing its tail. So the reality is these two organizations, these two functions, can't operate wholly independently. They still need to be independent in some ways from an operations perspective. But the reality is that they can't be independent. So resiliency isn't just a security term anymore. It's actually an IT term that really calls to the fact that resiliency needs to be built in. So you see a couple of the bullet points here: integrated case and ticket system management, so they have visibility across both IT ops and security. Integrated threat intel, and threat intel is absolutely key to being able to defend against current threat actors that are out there. And then this notion of passive defense just doesn't work, right? So we're talking about having active defense, active search with the right skill set to find the threat actors that are operating in your environment in a near real-time fashion.

I want to go back for one minute, please. One of the things I really want to get into with this is, I worked a case one time where I got brought in for incident response, and what we found was against cyber. The old-school cyber is like, hey, I'm isolated. I have my own little world, and I kind of tell everybody, well, hey, you got a problem. But what was happening is they had their case management system separated from their ticketing system. And so all the engineers were using their ticketing system, and then you had the case management. And so they got hit by a ransomware attack. And what was happening is the analyst, it took him 12 to 15 minutes to basically take stuff from the case management system and get it into the ticketing system to get to the engineer, because the engineer says, hey, look, I'm not doing anything.

I'm not going to isolate it, or whatever, without a ticket. All right, because he's looking at his job. Well, what happened is, while that was happening, ransomware was going through their network. And when we did the review, we realized that they had seen it, but they didn't have an integrated system. And so by the time that they were actually getting the engineer to isolate it, they had already been pwned, right?

And so having that integrated system is resilience. And a lot of times we talk about threat intelligence, and we think about threat intelligence as reactive, and it's not; it should be proactive. By getting that into your data analytics platform, or your SIEM or whatever you want to call it, you're able to collate that data and you can get ahead of it a lot of times. Threat intel has a lot of that information already. They already know what the malicious domains are.

If you think about ransomware, a lot of those are a C2-activated exploit. And so being able to go in and actually say, hey, look, these domains are already bad, why don't I just block by default, right? And being able to get that threat intel in there. And also it gives the analyst the ability to say, hey, wait a minute, if this is a known bad, it allows me to go faster.

All right. Again, there's only two metrics in cyber: time to detection, time to mitigation. And then also understanding the skill set, right? And you guys read the news just like I do. There's a huge misplacement, where you have beginning cyber, and then you have the guys at the top of the pyramid, and then we have a problem in the middle, all right, around training, right? But understand the right skill set to the right role to the right outcome, right?

When you start building out your SOCs, that's part of it. It's all about people, process, technology. All right. Technology is just part of it. It's only as good as the people that know how to configure it and make it work. All right. And so when I think about the resilience part, I tell people, what are your skill sets? Because the fact is, a lot of times people do SOCs or fusion centers and they say, oh, you're in everything. Well, everything costs, right? There's not a lot of us that know the entire path of the packet. So understanding that is resilience.

And so when you think about it, this is the complete resilience framework. You got to address all these different things. And the one thing I will encourage everyone is, when you're thinking about your resilience framework, there is a partnership between... it goes back to the foundational. A lot of times I'll say defense in depth. A lot of us old-school guys have been around, and we started there, and we've started using MITRE and we started using this and GDPR, all these different compliance things, zero trust, you name it, it's out there. But it really all goes back to defense in depth and treating your network as one organism and getting that data out to an outcome, understanding your data type.

So that you can be a resilient system, because you need to break down the internal silos. I don't know what's happened, but there is a trend. I can't tell you how many times I'll go in and talk to a company and he'll say, oh, I don't talk to that guy. I'm like, why? That guy owns all the data. Like, why don't you just tell him to give me the data? Well, that guy owns the data. So you might have a conversation with him, because you're always going to be behind the curve when something bad happens.

Next slide. So when you think about it, I know this is a busy slide, right? Come on guys, it is a little busy, and I would recommend you go in and download it, but this is like a framework, and a lot of times people don't realize, and I say, hey, you can't do everything all at once. There is a maturity model, and this is, again, something I put together with some other people, of what you need to do first to get to your maturity level with the things that you need to address.

So I think they're gonna post this on the website. So I would encourage all of you to download it. It's a really good framework to say, hey, this is what I need to do first, because again, we try to do everything all at once and we fail, right? Even though we have to do it, if you try to do everything all at once, it's not gonna work, right? You have to bring the data in and you have to start somewhere, and you have to be able to define the known from the unknown.

Yeah. And so we really talk about the fact that you cannot solve a problem unless you know about a problem, right? That's a pretty easy axiom, and honestly, data visibility is key. I'll share with you a quick story. One of our customers, when the war in Ukraine broke out, came to us and said, we're really worried. We have assets, we have plants inside of Ukraine, and we are afraid that they may be under attack, right? Under cyberattack. Can we bring all of our data into Splunk, all the stuff we don't bring into Splunk today? Because they followed the same mantra that I used to follow when I built SOCs, and that was I wanted to focus on high-density, high-value, low-volume data, right?

Because we, vendors, charge for volume and transactions per second and gigabytes per day and things of that nature. So we always focused on that high-density, high-volume... low-volume, sorry, high-density, low-volume data and left the high-volume, low-density data on the cutting room floor. Well, this company came to us and said, can we bring all the data into Splunk? Because we're not seeing anything, but we're worried, we're really concerned. And of course, being Splunk, the partner we are, we said, sure, bring it all in, we'll figure it all out later on licensing. Don't worry about it, just bring it into our cloud.

And within just 3 to 4 hours, they found four separate ongoing attacks from Russian threat actors. So just to let you know what the lesson for me was: really good hackers don't live in that low-volume, high-density data. They're not going to make noise, they're not going to try to do password brute force attacks. They live in that high-volume, low-density data. And so you really do need visibility into all the data, or at least have the ability to search it when you have a concern, to find those highly skilled threat actors.

So we talk about that visibility is key, and it needs to be continuous. We talk about consolidating to one platform, and even if it can't be consolidated in one platform, access to it, the ability to search it from a single console, is very important. And then again, people, process, technology integrated into an IR platform, automation of the known, so we can automate things that we know about. We can't automate the things that we don't.

I was once asked a couple of years ago if I thought there would ever be a lights-out SOC because of all this automation that people are investing in. And my answer was, I'll tell you what, there'll be a lights-out SOC when the hackers are lights out. As long as there's a human on the other end of that keyboard, even with all the AI technology that people are utilizing today, you have to have a human on our side of the keyboard to thwart those attacks.

So yeah, we can go to the next slide. One of the things that we talk about is resilience by design, right? So data first, understanding your ecosystem, understanding your tools, but don't think in silos; think of it as an ecosystem, all data, right? A little while ago I did this for a client, and he wanted me to just do the cyber. Well, again, we talked about everything is cyber, everything is data, right? And so I wanted to look at it from an ecosystem way and I wanted to be able to bring it in. And at this time, I used CIS and NIST to be able to tell the story, and he goes, oh my God, I've never had anybody look at this as an ecosystem. He was a CISO.

And so he turned this into a poster and he put it at all of his sites, and he said, hey, before you want to buy something, bounce your capability off of this, right? As a poster. And he ended up saving money, because for simple examples, again, as a cyber guy, everybody will tell you that there is a thing called tech debt, right? I always say a lot of times people go to RSA, they go to Black Hat or whatever, and it's like Walmart: they go and just buy more and more because everybody's looking for the easy button. And a lot of times I'll come back and I'll say, you already have that capability, right? Because you bought in silos. I like to use the example of Cisco ISE, right?

Cisco ISE does NAC, right? It does it by default, right? A lot of times the network guys buy it. And again, we don't all share with everybody else. We're not looking at it from an ecosystem. And so next thing you know, cyber gets a call and says, hey, look, I need a NAC solution. And so instead of looking internally, we go externally and we buy something new, and now you have competing things. If you've ever looked on a network and said, hey, look, I want to see what the bandwidth is on the network, cyber actually uses about 60 to 70% of the bandwidth on the network, right? And your infrastructure.

And so what I like to do is, I don't take cyber... I was like, man, we need to do less tools, not more tools. I need to understand what's in my environment and do capability mapping, because the more tools I have, the more services I have, the more I have to defend, and the more money I got to spend. All right. So I want to use my Splunk platform basically to bring all that data in and start doing capability mapping and understand those applications. Because I need to understand the network and I need to define the network.

And once I've defined it, a lot of times when we talk in cyber about first in, first out, well, take it to the next step. If I can simplify my network, if I can optimize my network, I can do less with my network, right? With more tooling. And a lot of times when you do tools, people will say, well, I only use 10% of the capability. Well, why don't we increase that? All right. A lot of times you've got to look at the capabilities of the tools.

And so when I did this, he was like, oh my god, this is great, and he was able to turn some things off. And so he was able to reduce risk and he was able to address threats. And it also saved him time, energy and money. And the thing is, by bringing it all into Splunk, he was able to see all that, because he was able to say, hey, well, I only have three users over here using this tool and I have 15 on that one over there, and it has the same capability. So let me determine which one I need to turn off. All right, because, again, what he was talking about earlier is, nobody has an unlimited budget, right? So we need to optimize what we have.

All right. Well, I'll tell you a funny one. So in my past life, there was a time we actually did really well in a quarter and the board of directors came down and gave us an extra... Well, I should say that the president came into my office and said, 10 million, 10 million in capital. It was like Christmas in July. That is amazing, because we have 10 million in capital to spend in addition to the budget that we've already allocated.

So I went to my team, and I had six vice presidents working for me, and I said, great, we have 10 million. Let's take a lot of the projects that we had for next year and move them into this year because we actually have funds. And about a day later, every one of my vice presidents came into my office and said, we can't spend any of it. And I was like, excuse me, you guys are always begging for money, and now you're telling me you can't spend it? You can't spend it because our opex was maxed out.

We couldn't take another dollar of depreciation. We couldn't take any engineering hours to put against implementing any of these technologies. So proliferation and tool fatigue is something that's real. And so I always encourage all of my customers to take a look at what you're using and how you're using it and what value you're getting from it.

Real quick, just to touch on AWS, the better together story. I think you all know Splunk and AWS have been very close partners for a very long time. The majority of our workload in software as a service (Splunk is a cloud service) resides in AWS. So we're very, very tightly in that area with them. It's too small to read each individual box, but the reason why we showed this is that on areas like identity and access management, detection and response, network application protection, data protection and GRC reporting, we're complementing each other very well.

There's a lot of work that the advisory team is doing, as well as some of the industry advisors that work with their Splunk peers, sorry, their AWS peers, to work together and produce business outcomes for our customers that only Splunk and AWS can provide. If you look at SIEM and SOAR, which are two of our core capabilities around security, we don't compete with AWS; we're partners with them, right?

So I just think the mapping is a very interesting story. What I like about the last slide and this slide is, a lot of times when we buy a product, we buy a product in silos, right? And again, if you don't get anything else from this, it's understanding that you've got to treat your environment like a living, breathing organism. Everything is connected now, and, like with the AWS slide that you saw, a lot of times it's bought by cloud, it's bought by infrastructure, right?

A lot of times the cyber guys or infrastructure guys may not even know that they have all those capabilities, right? And a lot of times you get it as a platform, it's just how they buy; you get a lot of these tools, and again, there is no single tool that does everything. But what you use is the best of what you have, as a defense in depth, resilient message, right? It's resilience by design. Use what I have. If I'm getting this product over here that's free, that does MFA or whatever, why wouldn't I want to use it? Right? I want to be a part of that conversation. I've got to monitor it. I've got to be able to address it. Right.

Anyway, I have all these tools because I see everything. I always say, in cyber we're the data gods, we see everything. All right. But we don't share all that knowledge across the playing field. We need to communicate among ourselves. All right. It's not just a cyber problem. A lot of times I'll go to a client and one guy will sit there and say, well, that's not my problem. And I turn around and I'm like, it absolutely is your problem. Resilience is an everybody problem. All right. I mean, at the end of the day, you have to defend your net, whether it's cyber going and looking or you're securing it at the data source. It's an everybody problem. All right, you can't just sit there and say, well, my workload is too hard. Right?

Well, wait a minute, you actually have stuff, you have a responsibility, because if you don't do what you have... Anybody who's ever seen companies get hit by ransomware or any other, like DDoS is on the rise; when companies get hit, it's an everybody problem. Right. Because there's people's jobs on the line. Right. So I always say, when you start thinking about AWS, they provide a lot of stuff in their AWS Marketplace that you can leverage. But a lot of times people don't know, right? Because we get so caught up in operations. When I mentor people, and I do that a lot on the side because I love the fact that I'm in a job where this is my hobby but it's also my passion, right?

I get to help people and it doesn't cost anybody a dime. And I always say, hey, look, you should spend 90% of your time on operations, but 10% is tomorrow. If you're not addressing the 10% for tomorrow, eventually you're going to be behind. All right, because you're just running in circles. And so this is a really good one: take a look at the AWS Marketplace, see what some of that is, and do some capability mapping so that you can have a resilient system.

So next, we're going to share a couple of stories around some industry use cases. The first one is near and dear to my heart because it's about beer, and most of us like to go to the bar at the end of the day and maybe have a glass or two of beer. And so this is about Heineken, and you don't think about how hard it is to get that beer to the bar to dispense to be sold to you. Right. But in Heineken's case, it's a seismic amount of technology. If you think about all the OT environments they have to operate to actually make the beer, then they have to package the beer, then they have to transport the beer, and then they have to actually get it to the bar, and they operate in over 70 different countries. And if any one of their five financial integration platforms goes down, it halts the entire process, right?

So for them, having end to end visibility is absolutely key. So they're looking for reliability around the clock, they're looking to ensure they have end to end visibility and that they can monitor all the way from the minute they take the grain into the factory to the minute it's served at a bar, that the process is managed, monitored and watched over, and ensure that it actually works.

So what do you need for beer? Right? You need money, right? So you want to protect your money, right? So a lot of times when we think about this, I like to use... I spend a lot of time in the FSI. I kind of like their data. I love large data nets. Again, this is my hobby and I love it. Understanding all that. (You have a very interesting hobby.) I know. I'm a nerd. Right. But understanding how that works. Right.

So a lot of times we talk about our businesses, right? Every one of us has an industry. All right. Hey, we have retail, we have financial, we have manufacturing, whatever, it doesn't really matter. I always tell people there is a horizontal and then there is a vertical. All right, as you reach... as your maturity model. So the horizontal is stuff that we all have to address, right? Data is data. A router is a router, a switch is a switch, a server is a server, right? That's how we put applications on top. But all those are common use cases anywhere you go, right? You're always going to have those things, right? When you start getting into maturity, when you start getting into IO and some of those things, that's when you start going into the vertical in the industry, right?

In the FSI community, they're bound by a lot of regulatory requirements; the FCC came out with a huge amount. And so that's when you start getting into that vertical and understanding that data, transactional data. Like for us, a lot of times we've trained our cyber guys on source, destination, application, DNS, you know, important protocols, right? That's how we start looking at it, because we look at the packet and we start investigating. When you start looking at transactional data, it's totally different. I don't know if anyone's ever done that. When you think about a point of sale, it gives you the address of where you had the transaction and where it's going, and inside of it there's a bunch of different codes, right? Which you have to go to Mastercard or Visa or whatever to pull, right? And we've automated a lot of that, so you don't have to do it. You can just download it off a Splunk app or whatever. But the thing is, it's totally different.

So this took the cyber guys by... So again, we go back to the right skill set for the right outcome, right? When you're looking at the data, if they don't know what they're looking at... Cyber guys, we're all the same. We're egotists. We don't like to ask questions. So we're like, oh, well, I'm not going to look at that, or I'll put it as a low priority because I'm going to look at something else. All right. And then what happens is something happens, and now your company is in trouble. All right.

So understanding that you have the horizontal and then you have the vertical. There's things that we can all do together that are the same across all your verticals... I mean, I digress, all your... the horizontal. Then think about the maturity as you go to the vertical. Next.

So what do you need to buy beer with the money you just protected? Well, our friends at Puma are going to provide us shoes, because most bars, no shoes, no service, right? So Puma is another one of our customers, and they have 45 ecommerce sites with different brands, different types of products that they sell. And they estimate they had one downtime for a very short amount of time and it cost them over $108,000. So downtime is really, really critical to them. And this is similar across almost every retail business who has a network presence.

So the ability to identify an issue in a very short amount of time is key and critical to them. So before, they were saying some of these issues take hours and hours and hours for them to figure out which component of this large infrastructure system that provides that website. But by utilizing capabilities and instrumenting those capabilities, so they have visibility to every component or part of what was required to deliver that website in a timely fashion, it allows them to troubleshoot those incidents now in 10-15 minutes, eliminating some of that cost that they get, and honestly brand reputation, because our customers out there for retail, if you go to the website and it doesn't work, they likely aren't going to try it again. They're likely going to move on to a different product and buy something else.

So the impact to brand recognition, adoption and sales is absolutely tremendous. So, you know, we really need to focus on maintaining customer will; commerce site performance has to be addressed. It's got to be speedy, it's got to be fast, and really to provide that enhanced customer experience overall.

So what does all this really mean? Right. It's the outcome based approach, right? What am I trying to accomplish? Right? In cyber, again, we see everything, right? But to get everything, I need to have partnerships with the rest of the business units, right? I need to have those conversations, right? I'm not working in isolation. If I'm working in isolation, I'm behind the power curve, right? I need to be able to get everything. I always say people don't communicate, so I use tools to facilitate communication, right? Getting everybody into a platform, right? But I also need to define everything and I need to get value from everything; nobody has an endless budget. Right. But the attacks are coming in totally different nowadays. Right.

Think about supply chain, insider threat. You know, we all know Snowden in here. Right. Look at what he did, right. Look at Private Manning and some of the things; those are in the DoD space, but they have the same challenges. Espionage is a real thing. All right. And being able to understand it. But a lot of times we're so focused on the known because we haven't been flexible enough. When you think about resilience and resilience by design, think about being flexible, not just with your network but being able to talk among yourselves and understand the data and then simplify and optimize some of your tools.

How do we do this? When you think about this, it's foundational visibility priorities. You guys see this slide. I'm not going to go into it, because there's nobody in here that I'm not speaking the right way to, right? You guys all understand, we all have the same challenges. Am I right? Raise your hands? Anybody? Are you even paying attention? Right? I noticed that nobody laughs at our jokes, but I'm a nerd by heart, so I'm not funny. So just go with me. But understanding that, whatever you do, when you walk away from here, it's not about Splunk, it's not about AWS. It's about resilience by design. Think about a plan and think about an outcome. There's very few companies that have ever actually gone there. Right. And so I'll turn it over.

The other thing I'll say is just remember, this is not a sprint, it's a marathon. Every company that I talk to is somewhere on this journey. And I guess what we're trying to tell you is that, you know, I love coming to re:Invent because it's not just a security event or just an observability event. It really talks about the ability to transform your business through cloud services and cloud capabilities, right? And I love that message that this is not about just working in security as a silo anymore. The CSO has got to talk to the CTO today if they're ever going to achieve digital resilience. And so if you look at this path here, you'll see that these paths line up. There's steps to resilience for both observability, IT ops, that type of environment, and the security team. Even though I've been a security guy for most of my career, if we don't reach across the aisle, we're never going to actually achieve digital resilience.

And so for this again, not a sprint, it's a marathon. And a lot of our customers are moving more and more workloads to the cloud. And as you do this, what we talk about is focusing on the foundational, making sure it's defined, and then moving to the optimized state.

So we go back into that message; it was the horizontal and the vertical, right? There's a maturity state, right? I mean, we all have different people that address different things. Every one of us has our own org chart, and sometimes we have big teams and we have small teams, but we need to understand... I always tell people, when you have a small team, it's more automation. When you have a big team, it's more niched. All right, it just works that way, right? Because a lot of times the banks have big budgets and so they can hire a lot of different people that are very good at what they do; when you're a smaller company, especially in manufacturing or whatever, you have smaller teams. So you have to look at your data and define your data to actually be more in automation, right? Because you just don't have enough time to look at everything. All right. And the thing is, a lot of times, what I do, I actually like a lot of the smaller companies because they're more optimized, right? A dollar is a dollar, right? I don't have $10 for every dollar. I need to be more optimized, so I need to do more with less. Right. And I've found that a lot of times they're more mature, but when they become more mature, it's because they followed the road map, right. They need to understand resilience by design right now.

I get so frustrated sometimes; they're like, well, define resilience. Like, I don't know, that's the CISO's problem. I was like, no, it's an everybody problem, right? You talk to CTOs and most of the time they'll tell you resilience is my problem, right? They have to recover; the CISO is the outcome. The other guys are seeing the problem and they're feeding the data back. All right. But if you build, at the date of ingestion, at the beginning, as you build out your products, and you build it by security by design, right? By incorporating security as an outcome, which is the outcome based approach. All right.

Now, how many times have we all been in there where somebody throws something on our network and we didn't even know? Right. And then all of a sudden you're like, oh my god. And they're like, well, why didn't you see that? Well, nobody told me, right. I use a consolidation area, I use data to monitor my network; if you put something on my network and I don't know, well, how am I supposed to see it? I worked a case a while ago, I have a little bit of time, so... around the elections a long time ago, and I was on a call with the FBI and the mayor and the governor and all this other stuff. This is when I worked for the government, and they were yelling at the MSSP, and the MSSP was sitting there going... and I went and I looked and I said, well, wait a minute, stop for a minute. And they're like, what? I said, you turned on all these servers, you never told your MSSP that you had them on, right? So how are they supposed to defend you? You never told the IT guys; nobody actually told you. You turned on all these election servers that had all this data in them and nobody was monitoring it. So is it really the MSSP's fault? We all have to work together, right? To be a resilient system, you have to have a good solid change management system. Everybody needs it.

So it's a better together story. One of the reasons why I like AWS and Splunk is because where we build that out as an outcome, it's already embedded, right? We already know how to talk to each other. So we bring all that together. And so, again, the biggest takeaway, right, when you think about this, as you go on your cloud journey, as you go on your resilience journey, or if you're just on your security by design journey, be a better together story. Don't think in isolation, because I guarantee you, and I will tell you, I've done red team, purple, blue, it doesn't really matter. I will tell you that I've been able to use those same techniques, the fact that people don't talk to each other, against them. Right. That's really what a hacker does. He'll know your network. A lot of times people talk about ransomware, like, oh my god, ransomware. Well, what a lot of people don't realize is that ransomware is C2 activated, and a lot of times they'll know your network. They have to know 65 to 75% of your network or your crown jewels before they ever activate. Otherwise the risk is too high for them, because they're taking a risk by activating the ransomware, right? They're on a list as soon as they do that, and you guys have all seen in the news, right, what's happened. And so if they don't feel like they've got everything and if you're not going to pay out, they're not going to do it. But there are simple controls that you can do. You can use GPOs, you can do segmentation. I'm a big zero trust guy. Again, I came from the government; we do that by default, right?

So I would tell you the biggest takeaway from this thing is get everything into a single platform to talk among yourselves. Understand your data, optimize your network, and just break down the silos internally.

Yeah, so just to bring it home. Thank you very much for attending the session today. We do have a large booth with demos and ongoing presentations. This obviously wasn't a product talk; that was the design of this. We were hoping to share with you some messaging about what we see good looks like when it comes to security and security programs and achieving resiliency across the board. But if you have any interest in seeing demos of product or seeing how we actually achieve this in real time, real life, please visit us at the tech expo. And we look forward to seeing you. If you have any questions, we'll be around for a little bit. Yeah, I went
