All Apps and Add-ons

What is the advantage of MLTK over tools like Darktrace, Fortianalyzer, Firepower when these are already centralized within Splunk enteprise?

rosho
Communicator

Hi

Tools like Darktrace, Fortianalyzer, Cisco's Firepower, etc; detect anomalies, threats, etc in a network.
If we send all that traffic to Splunk Enterprise, we will be able to centralize all that information and see dashboards.

So, what would be the advantage of MLTK over those tools? I mean, anyway we already have all the traffic centralized in Splunk. And I am sure those tools already use ML to detect threats. So, why would it be a good idea to use "again" AI algorithms with MLTK?

Thank you

0 Karma
1 Solution

Richfez
SplunkTrust
SplunkTrust

Just a quick note - with Splunk you aren't limited to just only one or even seven subsets of data, but could conceivably operate across ALL the data - Everything from badging in and out of rooms, to picking summaries off other systems (like grabbing alerts/warnings from Varonis DatAdvantage, Solar Winds, and 17 bazillion other products), your own home grown logs, your HVAC equipment, phone calls - it can ALL go in there and you can correlate across every piece of it.

Indeed, we got good use out of using Splunk to grab all this, plus firewall logs, plus Cisco Firepower, Cisco AMP out of the cloud, plus ... plus ... Also keep in mind Firepower needs compatible machinery. If you have a Juniper or whatever over in that other office, well, firepower doesn't really help you there much. Think acquisitions, too. 🙂

I'm not sure how ML would play into this, though. ML is a certain thing, which is great and wonderful, but folks often pull the ML trigger without understanding all they can accomplish by just a simple correlation of all the data. ML isn't magic (though I admit it seems like it some times).

IMO (and in my experience) if you aren't doing all the correlations that make sense, then ML on top of your currently-incomplete foundation isn't a huge help.

A more specific example: correlating that firewalls are blocking some fairly innocuous but still blocked sites from a user, a larger than recent bunch of file accesses by them, larger than normal outbound mail, USB disks/drives being plugged in, and a recent pattern of showing up late and leaving early, of trying to access the HR rooms they don't have access too via their badges ...

That's something you don't need ML for, and the firewall won't tell you. But I can tell you that person's not long for employment there - they are already in the process of leaving and just haven't taken the Glengarry Glen Ross leads yets (movie reference). The only thing the firewall MIGHT be able to say - if they're not real smart, that is - is that they've tried to hit a few extra sites like dropbox or something. (Actually, I don't give them enough credit, Firepower+AMP can do even more and is some amazing stuff. But it's still pretty limited.)

Note though I'm NOT saying ML isn't useful even in the above case. Just that it's not usually necessary.

So I'd recast this question.

If you want to know why Splunk's ML vs. someone else's ML, well, that's one question, and its answer comes down a lot to that data and having a bigger picture view of things.

Perhaps just as valid is the question of why would you want to use a bunch of disparate other products to piecemeal solutions together when Splunk could do on its own? That answer is actually a good one too - the firewall (or whatever) often does a really good job of what it does. But the firewall's ML doesn't talk to the HR DB, doesn't see badge-ins and badge-outs, doesn't see the extra phone calls the person is making to insert competitor here. The firewall also isn't sure what time they showed up for work, only what time they started waking up their PC. But put all that stuff together and better answers come out.

I think both ways to view this are valid, both have use cases that can enhance the security and reliability of your network and the people in it, so why would you NOT want to use them both?

View solution in original post

Richfez
SplunkTrust
SplunkTrust

Just a quick note - with Splunk you aren't limited to just only one or even seven subsets of data, but could conceivably operate across ALL the data - Everything from badging in and out of rooms, to picking summaries off other systems (like grabbing alerts/warnings from Varonis DatAdvantage, Solar Winds, and 17 bazillion other products), your own home grown logs, your HVAC equipment, phone calls - it can ALL go in there and you can correlate across every piece of it.

Indeed, we got good use out of using Splunk to grab all this, plus firewall logs, plus Cisco Firepower, Cisco AMP out of the cloud, plus ... plus ... Also keep in mind Firepower needs compatible machinery. If you have a Juniper or whatever over in that other office, well, firepower doesn't really help you there much. Think acquisitions, too. 🙂

I'm not sure how ML would play into this, though. ML is a certain thing, which is great and wonderful, but folks often pull the ML trigger without understanding all they can accomplish by just a simple correlation of all the data. ML isn't magic (though I admit it seems like it some times).

IMO (and in my experience) if you aren't doing all the correlations that make sense, then ML on top of your currently-incomplete foundation isn't a huge help.

A more specific example: correlating that firewalls are blocking some fairly innocuous but still blocked sites from a user, a larger than recent bunch of file accesses by them, larger than normal outbound mail, USB disks/drives being plugged in, and a recent pattern of showing up late and leaving early, of trying to access the HR rooms they don't have access too via their badges ...

That's something you don't need ML for, and the firewall won't tell you. But I can tell you that person's not long for employment there - they are already in the process of leaving and just haven't taken the Glengarry Glen Ross leads yets (movie reference). The only thing the firewall MIGHT be able to say - if they're not real smart, that is - is that they've tried to hit a few extra sites like dropbox or something. (Actually, I don't give them enough credit, Firepower+AMP can do even more and is some amazing stuff. But it's still pretty limited.)

Note though I'm NOT saying ML isn't useful even in the above case. Just that it's not usually necessary.

So I'd recast this question.

If you want to know why Splunk's ML vs. someone else's ML, well, that's one question, and its answer comes down a lot to that data and having a bigger picture view of things.

Perhaps just as valid is the question of why would you want to use a bunch of disparate other products to piecemeal solutions together when Splunk could do on its own? That answer is actually a good one too - the firewall (or whatever) often does a really good job of what it does. But the firewall's ML doesn't talk to the HR DB, doesn't see badge-ins and badge-outs, doesn't see the extra phone calls the person is making to insert competitor here. The firewall also isn't sure what time they showed up for work, only what time they started waking up their PC. But put all that stuff together and better answers come out.

I think both ways to view this are valid, both have use cases that can enhance the security and reliability of your network and the people in it, so why would you NOT want to use them both?

Richfez
SplunkTrust
SplunkTrust

Also note that changing usage patterns can be found with a simple stats command. No "Machine Learning" needed. ML just automates away portions of that and makes upkeep more complex. I mean "easier." 🙂

0 Karma

rosho
Communicator

So, to sum up, the use of MLTK will be to automate things. Like a second layer of security.
Do you know if Fortianalyzer or Firepower can centralize data as Splunk?

0 Karma

Richfez
SplunkTrust
SplunkTrust

I am positive that Firepower cannot. It can do a lot, and one of the really nice things about it is that it "already knows how to do some really good things", which Splunk would have to be "taught".

I'm nearly 100% certain Fortianalyzer (that's a cumbersome name to type) cannot do this either, otherwise I would have at least heard of it as a competitor to Splunk. 🙂 I'm sure it's in the same boat as with Firepower - capable in it's own right, but not a generic tool you can use for anything.

Do not get me wrong - these (well, Firepower, not sure about the other) are awesome tools inside their space.

Also, MLTK has nothing to do with automation. Automation can be done by scripts, Splunk Enterprise Security's Adaptive Responses, or Phantom, or other tools of course. Automation is "doing something" in response to some trigger.

For instance, "bad things happening on that network port" is the trigger, "turn off network port at the switch and alert a network admin" is the response. That can be manual (someone does it) or it can be automated (Phantom, or Adaptive Response, or a script).

ML (and the MLTK) has nothing to do with the latter part of that, and is JUST another mechanism by which you can figure out "something bad is happening" so that you can then have some response (automated or not).

ML is not the ONLY way to find this out, either. Regular Splunk searches that just count events (too many visits to hax0r sites, disable their login). Better Splunk searches that baseline "usual" and notice when things deviate (usually they visit about 10 hax0r sites per week, alert when they hit 2 standard deviations above that). Simple triggers (if they visit hax0r site at all, send them a warning email).

Now, ML can help with finding interesting things, but it's not part of the way you respond to it. It's just something it is triggering.

This is actually very important - be very careful you understand the distinction. If you do not, any product you end up with will disappoint you. And you'll likely be sold the wrong thing, by the wrong people, and not have it do what you want it to do. And forever struggle with it. And complain when it doesn't work as magically as was promised.

0 Karma

rosho
Communicator

Thank you for the answer.

In this link it is possible to read some reviews: https://www.itcentralstation.com/products/comparisons/fortinet-fortianalyzer_vs_splunk

By centralizing like Splunk I meant that Fortianalyser, etc; seem to be able to ingest traffic from different vendors. And then it seems to be possible to correlate events.

Anyway, I am assuming that those technologies use signatures, rules and some statistics to detect threats. Not sure if they use AI.

So, what would be the added value of MLTK? I think it can optimize the searches (machine learning on-the-fly). By second layer of security, I meant Fortianalyzer, etc; are already doing their work (layer 1). MLTK is just a plus because as you said, with Splunk Enterprise we already can do a lot of things.

Finally, Fortinet and Firepower (Cisco) are partners of Splunk.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...