VMblog's Expert Interviews: Insight Engines Talks Cyber Security Investigator for Splunk, the Future of Voice and More


Last year at Splunk .Conf2016, Insight Engines was part of the keynote, showing a technical preview of their flagship product, Cyber Security Investigator for Splunk.  Since then, they have secured a $15.8 million Series A round from August Capital, Splunk and others.  At this week's Splunk .Conf2017, they are announcing the GA of their Cyber Security Investigator for Splunk.  I spoke with Grant Wernick, CEO, about the GA, the future of voice, and where the company is headed next.

VMblog:  How does the Cyber Security Investigator for Splunk work?

Grant Wernick:  Cyber Security Investigator (CSI) for Splunk interprets questions in natural English (EX: "show me who logged in from Amsterdam yesterday vs. last month"), pulls apart the query for meaning, generates highly optimized Splunk query language, and visualizes the results.

We think it's an important technology because organizations everywhere - particularly in government, finance, and healthcare - need to keep their data secure, but have difficulty hiring (and keeping) data analysts and cybersecurity experts. By using CSI for Splunk, anyone, no matter how technical they are, can ask a question of Splunk data and get answers back in seconds. (For example, one early customer empowered their blue collar security guards to use it and now they are a viable part of the cyber security team.) You can't do that anywhere else unless you're a data scientist - and even then it's not as quick; you'd have to code the query from scratch taking hours, days, and sometimes weeks. So we're democratizing access to machine data.

For advanced users and even data scientists, CSI removes a lot of busy work. Experts spend a lot of time writing simple queries over and over again - CSI lets them see and edit the complex query that is generated, so they can use it as a jumping off point instead of starting from scratch, making them something like 10x faster.

Given the efficiencies this creates for the organization it eases that hiring burden, the training costs, and makes security teams much more effective.

VMblog:  How is this different from what Splunk and others are currently offering?

Wernick:  The central innovation we've created is natural language technology that is data aware. Our technology examines language to understand meaning, intent and context. Splunk and data companies offer centralized data stores where technical people can correlate data from any source they want via complex query languages. We make it so anyone can query the data and extract knowledge.

VMblog:  You gave a demo of CSI at last year's Splunk .Conf.  What's new in the GA of the product?

Wernick:  The most immediate difference for users will be the homepage they see when they log into CSI. We've turned it into a personal workbench. Since we all wear different hats why should we all be looking at the same dashboards? This workbench enables people to pick queries they want to regularly monitor, which usually look like a live graph of some sort, and stick them onto their page Pinterest-style. It's the kind of UX that people have grown to expect from consumer products, but don't get in the enterprise.

We've also done a deeper integration with Palo Alto Networks, which will have a huge impact on how useful CSI analysis is to them. They'll be able to ask questions like, "Application flows inbound vs outbound today vs yesterday by location" and CSI will generate the results for them instantaneously.

We've also added some new features to help users discover threats. The first is Autopilot - which will automatically run queries for you that you likely never thought of. We see security teams using this as a vital part of their SOC to become more dynamic and expand the surface they can protect - "Did Autopilot ask something we didn't think of? Did it catch anything?" The other new feature is Pivot Queries. This is more of a personalized, everyday helper - "you asked X, what about Y?" - which acts as a recommendation engine for each person using CSI.

With all of these features, our goal is to augment a security team's intelligence. Humans think about security more strategically than computers can. They are great at quickly looking at something from multiple perspectives and determining if something is off. CSI helps them act on those instincts faster, and gives them new angles to explore.

VMblog:  You're also announcing a Beta integration with Alexa.  Why Beta?  And how do you see it being used?

Wernick:  Voice as an interface is just beginning to hit the enterprise, and we see a future where an Alexa (or other voice devices) becomes a key component of a security War Room.

With this integration, a CISO could ask Alexa questions like, "Alexa, ask CSI Traffic today from China vs the last 30 days." Then CSI parses the voice to text input, writes the complex database queries necessary to extract the insights from their machine logs, and delivers meaningful visualizations in seconds. The whole security team can look at the data analysis on the screen in front of them and use it to form strategy. This is night and day to what happens today, where when a CISO has a pressing question, they task their security analysts with a research project that could take hours, days, or weeks.

Unfortunately, because it's still a relatively new technology, Alexa (and voice in general) does still have some limitations. It makes errors in translating phonemes into words & sentences, and gets tripped up by domain-specific words, which affects the usability of our integration. For this reason, we are keeping it in beta.

VMblog:  That War Room scenario could apply to a lot of different business forums.  Do you see Insight Engines expanding beyond Splunk?

Wernick:  We are pretty focused on Splunk in the short term. The company has a 32% market share in IT Operations Analytics (IDC), and we've only just begun to empower that user base. But you're right - CSI would make a powerful addition to other data stores like Salesforce or Hadoop, and we will certainly explore those use cases as Insight Engines grows.


Published Tuesday, September 26, 2017 7:32 AM by David Marshall