Counterflow AI, a leading threat hunting solutions firm for security operations centers (SOCs), and Deciso, a global security appliance provider and sponsor of the OPNsense security platform project, announced the launch of the OPNids Project. The project is an open source initiative for promoting a data science approach to incident response and threat hunting through the development and deployment of sophisticated machine learning models.
The OPNids Project provides the open source community and SOC analysts around the world the ability to create a flexible security stack built on open source security architecture. This marks the first time that analysts can integrate a machine learning engine (MLE) with the Suricata intrusion detection engine for network inspection of complex threats. Users can immediately download and experiment with the OPNids DragonFly Machine Learning Engine (MLE). The OPNids code is hosted on GitHub, allowing for iterative contributions and improvement by the open source community.
An Intuitive Data Science Driven Approach
The MLE can be installed at the network sensor level allowing data to be extracted directly from the network, reducing the data pipeline complexity and giving analysts an accelerated pathway to deploy anomaly detection algorithms, threat intelligence lookups, and machine learning predictions.
The result is significant improvement in the incident response and threat hunting processes, as SOC analysts can now reduce false positive alerts and time to detection. The Machine Learning Engine automates alert triage using ML-based analyzers that provide context to validate and prioritize alerts as well as highlight anomalies and potential ‘indicators of compromise’.
“The fusion of cyber security and data science is long overdue. Analysts are overworked, burnt out and bombarded with the sheer number of alerts overwhelming the SOC. Machine learning must be embraced to alleviate this workload and CounterFlow AI is taking the right step forward to bridge the gap of ML for cybersecurity,” said Brennan Lodge, Data Scientist Vice President, Goldman Sachs. “By creating transparency with its open source code the future of defending attacks and making the internet safer is looking brighter for us all with Counterflow AI.”
As an open source security architecture, OPNids is helping to build community and industry trust in machine learning through ‘explainable AI’. The ML-based analyzers can be created and applied at all levels of the data science hierarchy, including counts, statistics and machine learning models. The OPNids Application Programming Interfaces (APIs) can be used to visualize the detail of the ML analyzers and provide deeper context to further educate analysts and build confidence in the indicators.
“As a long-standing member of and contributor to the Suricata community, I recognize the time is now to enhance the scope and reach of Suricata intrusion detection. A data science-driven approach is what the SOC analyst needs to address today’s challenges of being overwhelmed with alerts and having ineffective tools to hunt for unknown zero-day threats,” said Randy Caldejon, CEO and co-founder of Counterflow AI. “Introducing OPNids and the Dragonfly Machine Learning Engine through the open source channel will help encourage trust and adoption of machine learning techniques.”
Introducing OPNids Pro
In addition to the community-supported open source download via GitHub, Counterflow AI is unveiling OPNids Pro, a hardware-packaged version with additional technical support. OPNids Pro includes OPNids with the Machine Learning Engine (MLE) application pre-loaded on a 1GB sensor with 1TB of packet cache storage. This version also offers easy integration with a SOC’s existing SIEM solutions, including Graylog and Splunk, with additional integrations in the pipeline.
Armed with more analytics and threat insights through OPNids Pro, a SOC analyst can focus their efforts on the highest-risk threats and, using the offering’s packet cache, can drill down into the alert-related PCAP data for robust incident response investigations. The Pro offering provides a holistic and enriched environment for a SOC team to perform incident management, alert triage and proactive threat hunting.