While working with customers over the years, I've noticed a pattern with questions they have around operationalizing machine learning: “How can I use Machine Learning (ML) for threat detection with my data?”, “What are the best practices around model re-training and updates?”, and “Am I going to need to hire a data scientist to support this workflow in my security operations center (SOC)?”
Well, we are excited to announce that the SplunkWorks team has launched a new community-supported add-on to help answer these questions, and more. The Machine Learning Cloud Service Add-on for Enterprise Security (ES) extends the core capabilities of Splunk ES with new machine learning functionality.
These are challenging obstacles for any organization with a limited data science background, and the Add-on addresses them directly through automation and innovations from Splunk's field machine learning team. Over the past three years the DGA analysis app has been a popular and valuable educational tool for learning how to develop ML use cases on the Splunk platform. The challenge faced by many customers who adopt that app is having enough expertise and experience with DGA detection to customize it into an operational workflow that meets the following requirements:
These key requirements are provided out of the box by the Add-On to accelerate your journey to leveraging ML as part of your SOC workflows. The app ships with pre-trained machine learning models that can detect DGA generated domains found in your DNS data. These machine learning models are updated automatically through two different approaches:
This approach gives customers access to continuously improving machine learning models built on the latest threat intelligence, while letting them personalize the models to suit the needs of their particular industry. An added benefit of the way we have configured the DGA detection algorithm is the ability to tune out low-confidence predictions and to adjust the risk score assigned to the resulting notable events. Risk-based alerting and reporting are implemented automatically from the model's confidence score, and customers can use them to build a wider context around an entity's behavior.
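To make the confidence-gating and risk-scoring idea concrete, here is a small added example (written for this post; it is not the Add-on's model or any Splunk code). It trains a toy logistic-regression DGA classifier on a constructed set of labelled domains, scores the query field of some constructed DNS log lines, drops predictions below a confidence threshold, and maps the remaining confidence to a risk score. The lexical features, the training domains, the log format, the 0.8 threshold and the 20 to 80 risk mapping are all assumptions chosen for illustration.

```python
"""Toy supervised DGA detector with confidence gating and risk scoring.

Added example, not the Splunk add-on's model. Features, training set,
DNS log lines, threshold and risk mapping are constructed assumptions.
"""
import math
import re
from collections import Counter

VOWELS = set("aeiou")
N_FEATURES = 6


def second_level_label(domain):
    """Return the label left of the TLD (assumes a single-label TLD)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def entropy(s):
    """Shannon entropy in bits of the character distribution of s."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def features(domain):
    """Bias term plus lexical features, each scaled roughly into [0, 1]."""
    s = second_level_label(domain)
    n = max(len(s), 1)
    run = longest = 0
    for ch in s:  # longest run of consonants, reset by vowels/digits/hyphens
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return [1.0, entropy(s) / 4.0, min(n, 20) / 20.0,
            sum(ch in VOWELS for ch in s) / n,
            sum(ch.isdigit() for ch in s) / n,
            longest / n]


def sigmoid(z):
    z = max(-30.0, min(30.0, z))  # clip to avoid overflow in exp()
    return 1.0 / (1.0 + math.exp(-z))


def train(examples, epochs=3000, lr=0.5):
    """Full-batch gradient descent for logistic regression (supervised)."""
    data = [(features(d), y) for d, y in examples]
    w = [0.0] * N_FEATURES
    for _ in range(epochs):
        grad = [0.0] * N_FEATURES
        for x, y in data:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x))) - y
            for i in range(N_FEATURES):
                grad[i] += err * x[i]
        w = [wi - lr * gi / len(data) for wi, gi in zip(w, grad)]
    return w


def predict(w, domain):
    """Probability (confidence) that the domain is DGA-generated."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, features(domain))))


# Constructed training set: label 1 = DGA-like, 0 = benign.
BENIGN = ["google.com", "facebook.com", "microsoft.com", "wikipedia.org",
          "amazon.com", "youtube.com", "netflix.com", "github.com",
          "splunk.com", "cloudflare.com"]
DGA = ["xkjhfqwpzmvbn.net", "qzrtypsdfghjk.com", "a8f3k2lq9mzx.info",
       "pwnxbvtzkjhqg.ru", "zzxqvbnmklpjh.org", "mqwzxcvbnlkjh.biz",
       "kjhgfdszxcvbq.com", "vbnmqwrtyzxpl.net", "t4k9zxq2vbn7m.xyz",
       "hjklzxcvbnmqw.com"]
TRAINING = [(d, 0) for d in BENIGN] + [(d, 1) for d in DGA]
MODEL = train(TRAINING)

# Constructed DNS log lines (hypothetical key=value format).
DNS_LOG = """\
2024-05-01T10:00:00Z src=10.0.0.5 query=google.com rcode=NOERROR
2024-05-01T10:00:01Z src=10.0.0.5 query=xqzvbnmkjhgfd.com rcode=NXDOMAIN
2024-05-01T10:00:02Z src=10.0.0.7 query=example.com rcode=NOERROR
"""
QUERY_RE = re.compile(r"src=(\S+) query=(\S+)")


def triage(w, log_text, min_confidence=0.8):
    """One notable event per high-confidence DGA prediction.

    Predictions below min_confidence are tuned out; the risk score grows
    linearly from 20 at the threshold to 80 at full confidence (assumed).
    """
    events = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        src, query = m.groups()
        p = predict(w, query)
        if p < min_confidence:
            continue
        risk = 20 + int(60 * (p - min_confidence) / (1.0 - min_confidence))
        events.append({"src": src, "query": query,
                       "confidence": round(p, 3), "risk_score": risk})
    return events


if __name__ == "__main__":
    for event in triage(MODEL, DNS_LOG):
        print(event)
```

Raising `min_confidence` trades missed detections for fewer false positives, which is the tuning knob the paragraph above describes; the risk score lets a borderline hit contribute a little to an entity's aggregate risk without paging anyone on its own.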
The capabilities in this add-on can be leveraged alongside your current ES and User Behavior Analytics (UBA) deployment. The add-on is designed to complement both solutions, allowing your security operations team to detect ransomware or botnet behaviors using supervised machine learning.
Product | Machine Learning Type | Use Case
Splunk Enterprise Security (ES) & Splunk User Behavior Analytics (UBA) | Unsupervised Anomaly Detection | Security analytics focused on baselining behaviors to identify threats such as anomalous logins, data exfiltration, and network reconnaissance
Machine Learning Cloud Service Add-on for ES | Supervised Classification | Security analytics focused on predicting whether a behavior is associated with ransomware or a botnet
The Add-on is free for existing Splunk ES customers running Splunk Enterprise 8.0 and Enterprise Security 6.0 and can be downloaded from Splunkbase. Customers without Splunk ES should consider adding that premium app to their Splunk deployment to get the full functionality of the Add-on.
If you want to get started with the community-supported Add-on, download it from Splunkbase today.
Happy Splunking!
----------------------------------------------------
Thanks!
Anthony Tellez