San Francisco-based Splunk has made a number of announcements around its online security offerings in recent days, including an updated User Behavior Analytics application and Enterprise Security product, a new community initiative for threat detection and, to top it all off, a marquee client that is using its platform to offer threat detection to enterprises and government agencies.

But if you are looking for a common theme or approach in how Splunk is tackling the huge problem of online threat and cyber intrusions don’t look too hard. 

Splunk is using a little bit of this, a little bit of that to build a platform that can support any security approach.

Integrated Machine Learning

For example, its User Behavior Analytics product was updated with the addition of about 10 new machine learning algorithms, bringing the total to 30, according to Robert Ma, Splunk's senior director of security markets. That is up from the previous level of "20ish" and the combined mix is a significant enhancement, he told CMSWire.

In addition, the application, User Behavior Analytics 2.2, when integrated with Splunk’s Enterprise Security product, now allows users to define the threats that they want to include in the threat detection framework. Previously, anomalies would be presented to users in terms predefined by Splunk.

This upgrade gives users more control over threat definition, to state the obvious.

Less obviously, to some, this duel approach is at odds with conventional thinking about security. Or to be more precise, it is at odds with the either/or approach that most vendors take.

Ma explained, "There are many vendors that follow a rules-based approach in describing user behavior for analytics applications."

That is, the system will apply XYZ rule — either set by the software application or defined by the user — based on an ABC anomaly. Increasingly, some companies have been moving to machine learning, in which the system automatically adjusts to changing usage patterns that surface different anomalies.

"With our new release we are giving the user the best of both worlds," Ma said.

Fair enough, but why did Splunk wait until now to marry both approaches?

Well, that is how long it took Splunk to integrate last July's acquisition of Caspida to its larger security portfolio. Caspida was a best of breed behavioral analytics provider that uses machine learning, semantic classifications, kill chain detection, graph analysis and threat scoring. Splunk has integrated it and enhanced it with its own set of machine learning algorithms.

A Data Platform Expert

Splunk's original security creds, so to speak, were more oriented to its role as a data platform. Users can bring in any data source for correlation to whatever index the customer wants to follow and make that analysis available throughout an organization.

It is akin, in a vague way, to the more traditional approach of using a data base to monitor and adjust to online threats – it is Splunk's ability to incorporate any data into the platform that is one of the key differentiators.

Splunk isn’t neglecting this history: it has also released Enterprise Security 4.1, which integrates Splunk UBA and marries those insights to the enterprise security product’s correlation capabilities.

"Customers now leverage the power of data science with event-based correlation and ad-hoc searching to gain insight across the entire enterprise and improve security running Splunk UBA or Splunk ES in a standalone or integrated manner," says Haiyan Song, senior vice president of security markets at Splunk.

Threat Community

Splunk is also contributing to yet another important component to online security – the exchange of threat information among companies.  For years companies have been paying lip service to this idea of cooperating around threats, but as cybercrime continues to stay three steps ahead of legitimate commerce, there are ample signs they are buckling down and actually sharing sensitive but telling data.

Verizon Enterprise Solutions is using Splunk as part of its threat detection service offering for enterprises and government agencies. It is integrating Splunk’s analytics capabilities with the massive amount of threat context data it gathers every day. Indeed, Verizon makes the somewhat depressing (in that it reflects the current state of cyber security) claim that it processes more than one million security events daily giving it "exceptional insight" into how cybercriminals attack.

Splunk's New Adaptive Response Initiative

More directly along these lines, Splunk has also just started a collaborative program called the Adaptive Response Initiative with the goal of connecting with security vendors to improve cyber defense strategies and security operations. Carbon Black, CyberArk, Fortinet, Palo Alto Networks, Phantom, Splunk, Tanium, ThreatConnect and Ziften are the founding participants.

The initiative is a welcome addition to the online security community – and a necessary one as well, says Jon Oltsik, senior principal analyst at Enterprise Strategy Group.

The wide variety of participants means that intelligence is shared across security domains such as endpoints and networks, he said.

"Best-of-breed tools and products have done a good job so far and are still essential, but they are not designed to work well together out of the box." Oltsik likened the initiative to a connected nerve system for these discrete technologies.

Splunk's role in this — because, remember, at its core it is a data platform not a security vendor — is to connect these strategies and make them work as a whole.

Title image "schizcover2" (CC BY-SA 2.0) by crimfants