Multiplying the Power of Your Security Team with Entity360

By Larry Lunetta, VP Portfolio Solutions Marketing

Over the last several years, Google search results have morphed from millions of URLs being displayed to a split screen of URL results on the left side of the page and a summarized set of information about the search term on the right side.

If you are looking for a person, place, movie, etc., Google uses advanced analytics and data mining to predict the information you are looking for and present it in an easily consumed and understood format. Informally, this is known as "things, not strings," and the goal is to use the power of machine learning to reduce the time and effort required to deliver the information you need. Save time, increase productivity.

For example, here are the search results for Alan Turing:

[Image: Google search results for Alan Turing]

Chances are, anyone searching for Alan Turing will not need to dive into the links on the left side of the page because the information he or she was looking for is already anticipated and delivered by Google on the right. For anyone who has endlessly clicked through links to find a specific piece of information in context, this innovation is a major time saver.

Splunk arguably popularized the concept of easy search access to raw IT data. Debugging a server problem looks a lot like the original Google search: enter an IP address or hostname and all the relevant logs come back. This means lots of strings and lots of follow-on work required to make sense of it all.

For a security analyst, the task of validating, investigating and responding to a high priority alert typically requires looking across many different data sources to assemble a complete picture of the attack: device status, IP address history and authentication, among others. Even if the data is located on a log platform like Splunk, the number of different searches and associated summarization tasks to convert these items into useful information can take hours.

Because Aruba IntroSpect aggregates and analyzes the complete range of security-relevant IT data sources (network, logs, alerts, endpoint, etc.) on a carefully tuned big data platform, we can utilize an extensive set of analytics techniques to watch the data as it comes in, tag it for potential downstream interest and make it instantly available in context for either automated data mining or ad hoc search.

As a result, IntroSpect delivers highly relevant, security-specific information akin to Google's information summary – something we call Entity360. Just as Google anticipates what the searcher is looking for, IntroSpect builds an on-demand security dossier for every user, system, IP address and other entity, delivering the forensic and risk data a security analyst needs, in one screen, to rapidly decide on the severity of the attack and the remediation process. IntroSpect mines the raw data to produce actionable information.
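To make the idea of an entity-centric dossier concrete, here is an added Python example; it is not IntroSpect's code and makes no claim about how IntroSpect is implemented. It ingests a handful of constructed log lines from three sources (authentication logs, DHCP leases and detection alerts), tags each record at ingest time, indexes records by user, host and IP address, and then assembles a one-screen dossier for an entity by pivoting one hop through the entities it is linked to. The internal address range, the tagging rules and the risk weights are assumptions chosen for illustration.

```python
"""Entity-centric dossier over several log sources (added example, not IntroSpect code)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records from three sources an analyst would otherwise
# search one at a time. All hosts, users, addresses and times are made up.
AUTH_LOGS = [
    "2024-03-01T08:02:11Z auth user=jdoe src_ip=10.1.5.23 result=success",
    "2024-03-01T08:03:40Z auth user=jdoe src_ip=10.1.5.23 result=failure",
    "2024-03-01T08:03:52Z auth user=jdoe src_ip=203.0.113.9 result=failure",
    "2024-03-01T08:04:05Z auth user=jdoe src_ip=203.0.113.9 result=success",
    "2024-03-01T09:15:00Z auth user=asmith src_ip=10.1.5.40 result=success",
]
DHCP_LEASES = [
    "2024-03-01T07:55:00Z dhcp host=LAPTOP-JD01 ip=10.1.5.23 mac=00:11:22:33:44:55",
    "2024-03-01T07:58:00Z dhcp host=WS-AS02 ip=10.1.5.40 mac=66:77:88:99:aa:bb",
]
ALERTS = [
    "2024-03-01T08:05:30Z alert name=suspicious_login src_ip=203.0.113.9 severity=high",
]

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the internal range
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse '<timestamp> <source> k=v k=v ...' into a dict."""
    ts, source, rest = line.split(" ", 2)
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "source": source}
    rec.update(KV_RE.findall(rest))
    return rec


def tag_on_ingest(rec):
    """Attach tags as data arrives so later searches can filter on them (toy rules)."""
    tags = []
    if rec["source"] == "auth" and rec.get("result") == "failure":
        tags.append("auth_failure")
    if rec["source"] == "alert":
        tags.append("alert")
    ip = rec.get("src_ip") or rec.get("ip")
    if ip and ipaddress.ip_address(ip) not in INTERNAL_NET:
        tags.append("external_ip")
    rec["tags"] = tags
    return rec


def entities_of(rec):
    """Every user, host and IP address a record mentions, as (kind, value) pairs."""
    ents = set()
    if "user" in rec:
        ents.add(("user", rec["user"]))
    if "host" in rec:
        ents.add(("host", rec["host"]))
    for key in ("src_ip", "ip"):
        if key in rec:
            ents.add(("ip", rec[key]))
    return ents


def build_index(lines):
    """Ingest, tag and index every record under each entity it mentions."""
    index = defaultdict(list)
    for i, line in enumerate(lines):
        rec = tag_on_ingest(parse_line(line))
        rec["id"] = i  # stable identity for de-duplication when pivoting
        for ent in entities_of(rec):
            index[ent].append(rec)
    return index


def entity360(index, entity):
    """One-screen dossier: the entity's own events plus everything known about
    the entities it links to (one pivot hop), with a simple risk score."""
    if entity not in index:
        return None
    seen = {}
    for rec in index[entity]:
        seen[rec["id"]] = rec
        for linked in entities_of(rec) - {entity}:
            for other in index.get(linked, []):
                seen[other["id"]] = other
    timeline = sorted(seen.values(), key=lambda r: r["ts"])
    by_source, tags, related = defaultdict(int), set(), set()
    for rec in timeline:
        by_source[rec["source"]] += 1
        tags.update(rec["tags"])
        related.update(entities_of(rec))
    related.discard(entity)
    # Toy scoring: alerts weigh most, then failed logins, then any external address.
    risk = (10 * sum("alert" in r["tags"] for r in timeline)
            + 2 * sum("auth_failure" in r["tags"] for r in timeline)
            + 5 * ("external_ip" in tags))
    return {"entity": entity, "events_by_source": dict(by_source),
            "tags": sorted(tags), "related": sorted(related),
            "risk_score": risk, "timeline": timeline}


if __name__ == "__main__":
    idx = build_index(AUTH_LOGS + DHCP_LEASES + ALERTS)
    dossier = entity360(idx, ("user", "jdoe"))
    print("risk", dossier["risk_score"], dossier["tags"], dossier["related"])
    for r in dossier["timeline"]:
        print(r["ts"].isoformat(), r["source"], r["tags"])
```

Asking for the user jdoe returns, in one structure, the four authentication events, the DHCP lease that ties the internal address to a specific laptop, and the alert raised on the external address, plus the linked entities an analyst would otherwise have had to discover through separate searches. The same index answers the question for a host or an IP address, because every record is filed under each entity it mentions.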

Visually, this is the difference between the Splunk monochromatic "strings" and IntroSpect's multi-dimensional, information-rich Entity360 integrated decision support.

[Image: IntroSpect Entity360 dashboard]

To complete the comparison, we've seamlessly integrated Entity360 with Splunk and other log aggregation and SIEM platforms so that no matter where the user starts, anything they need is just a click away.

[Image: IntroSpect Entity360 conversation details]

In the context of user and entity behavior analytics (UEBA), IntroSpect uses machine learning and advanced analytics not only to detect attacks but also to dramatically reduce the time and effort required to investigate and respond. It's like adding more security analysts without hiring new employees! Inspired by Google, delivered by IntroSpect, Entity360 is the force multiplier that enterprise security teams need to stay ahead of advanced attacks.

Learn more about IntroSpect and UEBA.

Larry Lunetta is vice president of security product marketing at Aruba, a Hewlett Packard Enterprise company.