Every article I read reports Splunk as "cyber security software" and how this plays into Cisco's AI strategy. I've heard of other things like Humio (acq. by CrowdStrike), DataDog and other similar log-grep-on-steroids tools referred to in the same manner. Why? I always considered log management and observability as operations-related things and not really related to "cyber security".
Splunk is a platform, not a tool. At its core it can collect, monitor and respond. But you can expand its capabilities by writing apps on top of Splunk, and you can solve a number of use cases that way.

- Cyber security: mostly analyzing logs and responding to them. E.g., let's say you have someone from Russia trying to access the systems with multiple attempts. Now if you are monitoring your systems using Splunk, it will show up as a high-risk notable event if you are using ES (Enterprise Security app), and the analyst/Splunk can respond to it by running a playbook in SOAR: grab the IP from the event, block it in the firewall, send a Slack message to the security team to notify them or ask for permission to execute the rest of the playbook, etc.
- Observability: similar to what Datadog does.
- IoT: hardware devices with sensors like temp, pressure, etc. that can be attached to industrial machines to monitor their health and send data to Splunk. You can check out the Splunk AR videos in which technicians carry their iPads, point the camera at the machine and see the health of the systems.
- Personal use case: I monitor stocks and my personal net worth. And my bike rides. Heck, you can monitor weather or air quality and set up an alert to create a Jira ticket if the air quality is bad 😂 if you'd like. Endless possibilities.
- ML/AI: now that you have all this data, you can go one step further and predict as well as monitor. This is where AI/ML comes in. You can build models using the data in Splunk, e.g., the MLTK app. Maybe you can train an LLM on Splunk queries, so you can query Splunk using natural language like ChatGPT. E.g., "Hey Splunk, tell me why my service X is running slow?"
Excellent summary. 👍
What is the AI cyber security space looking like right now? There are a couple of players, from Google to Microsoft to CrowdStrike and SentinelOne; are there any obvious standouts?
It’s a SIEM tool. Security writes rules for bad behavior in log lines (e.g., trying to ‘su root’, adding a new Linux user, whatever) and it can alert security teams. https://research.splunk.com/endpoint/51fbcaf2-6259-11ec-b0f3-acde48001122/
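The kind of SIEM rules the two comments above describe (repeated failed logins from one IP raised as a high-risk notable, plus 'su root' and new-user detections, feeding a SOAR-style playbook that proposes a firewall block for analyst approval), as an added example that is not from the thread and not Splunk's own code or rule logic; the log lines, thresholds, window and rule names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style auth lines (sample data, not from a real host); the year is assumed.
SAMPLE_LOG = """\
Mar 10 09:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:00:03 web01 sshd[1202]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 09:00:05 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:00:06 web01 sshd[1204]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 09:00:08 web01 sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 09:05:00 web01 sshd[1210]: Accepted publickey for deploy from 198.51.100.4 port 40001 ssh2
Mar 10 09:06:12 web01 su[1300]: pam_unix(su:auth): authentication failure; logname=deploy uid=1001 euid=0 tty=pts/0 ruser=deploy rhost=  user=root
Mar 10 09:06:20 web01 useradd[1310]: new user: name=backup2, UID=1002, GID=1002, home=/home/backup2, shell=/bin/bash
"""

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<rest>.*)$")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port")
SU_RE = re.compile(r"su\[\d+\]: .*authentication failure; .*logname=(?P<user>\S+).* user=root")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+),")

def detect(log_text, threshold=5, window_s=60, year=2024):
    """Run three SIEM-style rules over the log and return notable events in log order."""
    events, fails = [], defaultdict(list)  # fails: ip -> failure timestamps inside the current window
    for line in log_text.splitlines():
        head = TS_RE.match(line)
        if not head:
            continue  # lines we cannot timestamp are skipped rather than guessed at
        ts = datetime.strptime(f"{year} {head['ts']}", "%Y %b %d %H:%M:%S")
        if m := FAILED_RE.search(head["rest"]):
            ip = m["ip"]
            # Sliding window: keep only failures within window_s of this one, then test the threshold.
            fails[ip] = [t for t in fails[ip] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(fails[ip]) >= threshold:
                events.append({"rule": "ssh_brute_force", "risk": "high", "ip": ip, "count": len(fails[ip])})
                fails[ip] = []  # one notable per burst, not one per extra failure
        elif m := SU_RE.search(head["rest"]):
            events.append({"rule": "su_root_failure", "risk": "medium", "user": m["user"]})
        elif m := USERADD_RE.search(head["rest"]):
            events.append({"rule": "new_local_user", "risk": "medium", "user": m["name"]})
    return events

def playbook(events):
    """Mimic the SOAR step: turn notables into proposed actions an analyst approves before they run."""
    actions = []
    for e in events:
        if e["rule"] == "ssh_brute_force":
            actions.append(("propose_firewall_block", e["ip"]))
        actions.append(("notify_security_team", f"{e['rule']} ({e['risk']})"))
    return actions
```

Run `playbook(detect(SAMPLE_LOG))` to see the brute-force burst, the failed `su` to root and the new local user turned into proposed actions.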