Machine learning for logs, cut through the hype.


Splunk recently announced new machine learning capabilities in its Splunk Cloud and Splunk Enterprise 6.5 release. Does everyone have machine learning capabilities now? What exactly is machine learning? See below for key considerations for this technology approach and how indeni’s machine learning differs from Splunk.

3 things IT needs to know about machine learning

  • Machine learning algorithms have been around for decades. Most of them, especially those that are mathematically based, are not new. For example Arthur Samuel coined the term “machine learning” in 1959!
  • Machine learning works best with large sets of data. You need a substantial amount of information to determine trends, correlations, etc. Take the example of the NVIDIA self-driving car that was shown at CES this year. Only after 3000 miles of driving on highways, back roads and suburban roads was the car able to stop running over traffic cones and avoid parked cars.
  • If not constrained, Machine learning will have a very high false positive rate. To continue the analogy from above, say you are monitoring multiple types of automobiles. Comparing the device data of a semi-truck to a Tesla would be interesting, but not actionable. Say one of your rules was to alert if the engine noise exceeded 100 decibels, as you believe this level of noise indicates there is an issue with the engine. A semi-truck would generate an alert every time it turned on, whereas a Tesla would hardly say a peep. Giving your machine learning constraints (eg. compare Tesla data only with other Tesla’s) yields far more accurate results.

Moral of the story, if a vendor pitches you on “machine learning” it’s OK to be optimistic but be cautious. Here are some questions you can ask to see if the machine learning will make your team more productive:

  • How does the vendor help the algorithm focus on the important elements? How do they help their technology understand the data to reach the right conclusions?
  • How do they avoid a high rate of false positives? For example, if their machine learning algorithms find “an anomaly” what are the chances it’s a true positive?
  • How does the vendor make its alerts or findings actionable?

4 ways indeni machine learning differs from Splunk

Now that we are on the same page for machine learning, here are four ways that indeni differs from SIEM and Log Management solutions such as Splunk.

#1 indeni ingests configuration data in addition to statistics and logs of devices.

Collecting greater depths of information on devices and the software running on them allows indeni to identify issues with greater accuracy.

#2 indeni has the largest database of device knowledge.

indeni has a growing repository of known infrastructure issues and resolution steps for the largest Enterprises. This information is gathered from our customers, indeni engineers and third party experts around the globe. How does this help on a daily basis?

  • Root cause analysis: Instead of coming up with a hypothesis and then building a query in Splunk so that you can schedule alerts when the same log or event occurs, indeni has the knowledge built into its core alerting system, no scripting or queries required.
  • Troubleshooting: When you receive an alert in indeni, in addition to telling you the affected device or error code, indeni provides a human readable description, the implication of not addressing the event and steps to resolution, helping network and security operations teams prioritize focus areas and shorten the mean time to resolution.

#3 indeni connects admins and engineers across the globe

In addition to applying machine learning to the data in your environment, indeni learns from other indeni customers and applies those learnings to your indeni instance. Our users subscribe to a service called “indeni Insight,” which sends data from their environment to our central repository. The data is sanitized and contains general device characteristics and behavior information. For example what model the device is, what software is running on it, which features are enabled, the status of licenses or contracts, running metrics (CPU, memory, etc.), system logs, active users and much more. The result for administrators and engineers? It’s like leveraging the expertise of thousands of your IT operations friends at Fortune 500 companies.

#4 indeni’s algorithmic model is based on the assumption 99.9% of the time devices are working as expected.

Based on our experience as network and security professionals, we know a device malfunctions only 0.1% of the time. In addition, it is widely documented that 70% of network outages occur due to device misconfigurations. These two constraints are built into our machine learning algorithm which allow us to reduce false positives, saving our customers time and money.

At a glance: indeni vs. Splunk

  • indeni and Splunk ingest data from a variety of devices
  • indeni and Splunk machine learning are based on algorithmic models
  • indeni and Splunk machine learning correlate data
  • indeni ingests configuration data in addition to statistics and logs of network devices
  • indeni has the largest database of device knowledge
  • indeni connects admins and engineers with each other
  • indeni’s algorithmic model is based on the assumption that 99.9% of the time devices are working as expected. We help you find the .1%


indeni is capable of identifying specific issues, which pertain to specific types of products and even specific software builds, at a level of accuracy and actionability never seen before. With indeni customers can find health and operational issues before they happen in their infrastructure, proactively handle them and have a better life. Interested in trying indeni in your environment? Contact us or engage with one of our registered partners.

Comparing indeni and BackBox: In-depth intelligence vs simplicity

Safeway, a company headquartered in Rosh-Haain, Israel, has recently released BackBox version 4.5. In this new version, BackBox includes “Application level monitoring”, capable of providing “insight regarding the devices’ health, and run preemptive scans to determine upcoming problems.”. Naturally, this has caused a handful of users to ask us how does indeni and BackBox compare. This is fantastic as more and more customers are looking to stay ahead of their issues and avoid the next outage.

The Origin of BackBox’s technology

Historically, BackBox was focused on backing up devices – as many as possible. BackBox’s claim to fame was its simplicity and the fact that it could cover an impressive range of devices. Included in the software were the instructions for how to automatically backup dozens of network devices, as well as the documentation for how to restore those backups. With release 4.0, BackBox received a UI face lift as well as a re-written infrastructure in Java.

Continue reading

Cisco vs Palo Alto Networks: The Hidden Battle


In my conversations with firewall users I often hear references to the “battle of the titans” between Check Point and Palo Alto Networks. Both are leaders in the Gartner Magic Quadrant, their security technologies are often compared and the marketing slander has been seen often in all the different mediums.

As everyone is aware, PANW’s aggressive growth outpaces the growth of the firewall market. This means that a large portion of the growth is coming from the displacement of their competitors. A point PANW’s CEO, Mark McLaughlin, made recently.

However, very little attention has been given to this:


The sum of the percentages is greater than 100% as some customers migrated from multiple vendors to PANW.

Continue reading

Check Point appliances refresh: how do you compare?

We often get asked if we have data pertaining to the upgrade processes and cycles of Check Point users around the world. The short answer is, YES. The longer one, is that thanks to our indeni Insight service we get a deep view into the Check Point firewall user base. Once in a while, we publicly share the findings we’ve come to based on that data, like we did last September.

Today we’ll take a look at the appliance refresh process across our user base. Apparently the 2012 (and later) appliances are gaining a stronger foothold with almost three quarters of the Check Point firewalls indeni is connected to being these newer appliances. This is in contrast to less than half, just 10 months ago (see the September report referenced above).

This is a pretty good ratio, considering most older appliances still have until April 2017 before they reach end of support.

In our daily conversations with Check Point customers (some, who are not indeni customers, yet) we see that summer-time is being utilized to complete hardware and software upgrades. It is usually a more relaxed time and easier for the higher ups to approve maintenance windows. It is also before the holiday season, a time of change freeze for most companies.

During this process, we suggest you keep in mind that the recommended way of upgrading a Check Point firewall is through a complete rebuild, even in the case of just a software upgrade. This is better than simply backing up the firewall configuration and restoring it. It is possible because most of the interesting configurations – the security policy – are actually stored on the management server.

However, this approach can also result in issues – routes that are missing, kernel parameters that are no longer set the way they should, SecureXL settings that have been lost, etc. So be extra careful and test things thoroughly before putting the new firewalls in production, as well as after. The list of top 10  issues people run into when working with Check Point firewalls can be found here.

Happy upgrading!

Comparing indeni and Check Point’s SmartWorkflow and Compliance blades

The summary:

SmartWorkflow helps you track your rulebase, the Compliance blade helps you identify specific configurations that are not in compliance with known security regulations. Both exist in order to ensure your firewall configuration is secure and so, your network is secure. indeni’s role is to make sure your firewall works – performance, log flow, routing, kernel parameters, SIC connectivity, licensing, contracts, etc.

Therefore, indeni is an amazing fit with your SmartWorkflow and Compliance blades.

The longer version:

This image was copied from


From “The Check Point SmartWorkflow Software Blade provides a seamless and automated process for policy change management that helps administrators reduce errors and enhance compliance. Enforce a formal process for editing, reviewing, approving and auditing policy changes from a single console, for one-stop, total policy lifecycle management.”

What that means is that you have a way of tracking changes made to the firewall rulebase (policy) to ensure that these changes are being done in the correct way. The reason for doing this is simple: the firewall is the gatekeeper to your network and you want to make sure that the traffic it lets in is the one you want it to.

indeni has no ability to track the firewall policy or identify changes to the rules. We have specifically refrained from doing that as we know the market has very capable solutions for dealing with this challenge – some provided by the firewall manufacturer (like SmartWorkflow) and some by third parties.

Compliance Blade:
From “The Check Point Compliance Software Blade monitors your management, Software Blades and security gateways to constantly validate that your Check Point environment is configured in the best way possible. The Check Point Compliance Software Blade provides 24/7 security monitoring, security alerts on policy violations, and out-of-the-box audit reports.”

So the compliance blade is there to make sure you are in compliance with the variety of regulations that you must adhere to – DSD, HIPAA, PCI DSS, etc. Each of those regulations lists a set of requirements that must be followed on your firewalls – from ensuring stateful inspection is used to how connections are timed out. Each regulation has a different set and there’s some overlap between them.

indeni focuses on the operational health of the firewall, as well as OS-level configurations that need to be done for compliance purposes (like what users are defined). Therefore, it augments the compliance blade by ensuring that the firewall isn’t only secure and following security best practices, but also alive and kicking.

The bottom line:

indeni is a great fit with the SmartWorkflow and Compliance blades. It ensures that your security meets standards and regulations and your network is up and running without issues. With indeni, you can find all of the issues listed below, which you cannot find with the SmartWorkflow and Compliance blades:

  1. Gateway cannot access certificate authority
  2. Policy installation resulted in high CPU load cluster may failover
  3. Firewall log file increase rate critical – possible connectivity loss to log server
  4. Firewall kernel table limit approaching or reached
  5. ClusterXL member is in a critical state
  6. Cluster member down due to NIC error
  7. Some received packets have been dropped by NIC (SA#24915)
  8. High memory usage
  9. DNS servers configured but responding too slowly
  10. Use of NTP servers configured but not operational
  11. Firewall Connection Table Limit Approaching or Reached
  12. A NIC has failed recently (SA#24915)
  13. RX traffic drastically reduced post fail over possible ARP issue
  14. Two cluster members differ in their routing tables (SA#66322)
  15. DNS server resolution test failed
  16. NAT connections (fwx_alloc) table limit approaching or reached
  17. Errors have been found in packets transmitted by NIC (SA#24915)
  18. ARP table is approaching its limits (SA#25890)
  19. VPN gateway is dropping unexpected packets (SA#22255)
  20. NIC duplex set to half with speed of 10mbps or 100mbps (SA#24967)

Gartner’s Magic Quadrant Enterprise Firewall Comparison

DISCLAIMER: indeni has no specific bias towards one manufacturer or the other, but please keep in mind indeni currently supports firewalls made by Cisco, Check Point, Fortinet, Juniper and Palo Alto Networks.

Gartner has just released its magic quadrant for Enterprise Network Firewalls. Two leaders were identified – Check Point (CHKP) and Palo Alto Networks (PANW) – congratulations to both!! You can access reprints via Check Point’s website as well as Palo Alto Networks’ website.

It is very interesting to read this report as much of it correlates highly with what we’re seeing in the market through indeni Insight as well as our own sales and marketing efforts. Kudos to Gartner, and specifically Adam Hils, Greg Young and Jeremy D’Hoinne, for doing a great job here.

Here are our insights:

  • Cisco is not labeled a leader by Gartner due to execution on the product side but we definitely see it as one of the top three by market share. Almost every customer we interact with has some Cisco ASAs, where some customers are entirely Cisco ASA based. We do see, though, that such customers’ functionality requirement from their firewalls is minimal as they either don’t put much focus on security or they augment the Cisco ASAs with other security products (Sourcefirce, Fireeye, etc.).Cisco has the largest channel and is the most established manufacturer in the market. As a result they have the most leverage and ability to get into specific customers.


  • Check Point is indeed one of the leaders on functionality. The set of different security functions that a Check Point firewall has is enormous. Some of these are a result of acquisitions, some developed in-house. There is a lot of effort on Check Point’s side to integrate these functions into a single management interface (and R80 is part of this). However, we do see users getting overwhelmed with the amount of functions and keeping up with their configurations. Almost every single multi-billion-dollar company we speak with, and many smaller organizations, use Check Point across at least part of their network.Price has been mentioned by customers repeatedly as an issue. Price sensitivity is less common in Fortune 500 but more common in smaller organizations or ones outside of the US (the majority of the market). Usually it is coupled with a lesser need for top-notch security. The note Gartner made regarding under-sizing appliances is something we’ve seen as well. Check Point is making efforts to deal with this with tools such as CPsizeme but it looks like undersizing is indeed occurring to reduce price. That is resulting in some frustration with customers.


  • Fortinet is a strong vendor in this market too. We see Fortinet a lot more in environments where there is either price-sensitivity or high performance requirements. This means that Fortune 500 (which are all US-based) tend to choose Fortinet less as they aren’t as price sensitive. We do see Fortinet quite a bit in smaller organizations as well as quite heavily outside the US (where price sensitivity is a real issue).Fortinet’s high-performance gear is a big attraction for enterprises with extremely large amounts of traffic. Their larger chassis can support unusually high amounts of traffic, however mostly when a smaller set of features are enabled. This is a great fit for data centers as the most security functions are deployed outside of the core, leaving the Fortinet chassis to focus on firewalling, switching/routing and basic security functions.


Download our free ultimate runbook and learn how to stop monitoring your network and start predicting issues to prevent high impact events.


  • Juniper has its old line of SSGs/ISGs and the newer SRX line. While we see the SSGs quite often, because in reality they very rarely fail and no one sees a reason to replace them, the SRXs should be the focus of this analysis. JunOS-running SRX are mostly deployed in smaller environments because, in our experience, SRXs are considered as a simpler firewall. Across the board, anyone who has ever used JunOS loves it. It’s easy to use and highly responsive.Customers are showing real concern around Juniper’s roadmap for security devices. While the other vendors are promoting new features increasingly, Juniper is quite silent on these. As a result, customers who are seeking security innovation are looking at alternatives. Moreover, Juniper’s SSL VPN was once the best perceived SSL VPN product, but the recent divestment is causing customers to see the end of the road for it and consider firewalls’ support for SSL VPN as a replacement.


  • Palo Alto Networks is the fastest growing vendor in this space. Their marketing machine is the best across the vendors we are familiar with – measured by the number of customers we interact with which are discussing Palo Alto Networks’ offering (even if they are not users yet). With a whole range of features offered, most customers are still at the firewall/App-ID/User-ID level. Wider deployment of the other features isn’t main-stream yet. Customers are generally very positive towards the additional security features provided by Palo Alto Networks’ firewalls.A very interesting situation we’ve noticed is that Palo Alto Networks’ customers love them and show far more appreciation to them as a manufacturer than others. Palo Alto Networks is putting a lot of emphasis on the end-user experience – through their online marketing, field marketing, channel, field sales and support services, in addition to the product itself – and it is paying off. This is resulting in cases where even though multiple solutions were comparable, customers chose Palo Alto Networks as they were drawn to them. Keep in mind that this is supported by a solid security product.

Throughout the report Gartner mentions issues around quality and support services provided by some of the manufacturers. In reality – all of the customers we speak with complain about this across all product lines. They feel that vendors are working day and night to push out new functionality and keep up with their competitors, while at the same time disregarding quality and making the products far more complicated to operate and keep stable. Our recommendation to the vendors is to take this note very carefully and close to heart as the current trend in quality/complexity issues is taking the entire industry in a problematic direction.

Comments are very welcome, please share your thoughts below.

Zabbix vs indeni Comparison. Proactive Monitoring vs Automated in-Depth Root Cause Analysis

Zabbix is a great tool. I’ve had the pleasure of encountering it at several of our customers’ sites and have seen it in action. It’s one of those tools that can really scale and give you the ability to see your entire estate – servers, database, network devices – and even quickly respond to certain events.

I’ve been recently asked “How does Zabbix specifically compare with indeni?” and thought I’ll spend the time to write up this post, in case others find it useful.

If one looks at the list of features on Zabbix’s website, they include this (as of Oct 29 2014):

Proactive Monitoring
Improve the quality of your services and reduce operating costs by avoiding downtime.

Looking more closely at Proactive Monitoring, you will find that Zabbix aids Proactive Monitoring by alerting (duh), allowing an automated response (nice), a means of escalating alerts (like forwarding an email), a way of recording notes on an alert (how is this proactive?) and useful information on the host (nice). In my view – none of this is proactive. To be proactive, you need to get notified (an alert) before something breaks and take action to solve it.

From Mirriam-Webster dictionary, Proactive means:
acting in anticipation of future problems, needs, or changes

So while Zabbix touts Proactive Monitoring, it does nothing of the sort. It doesn’t let you act ahead of future problems.

And THAT is the main problem indeni is solving for Zabbix users. indeni identifies problems before they result in downtime and lets users take action on them. We try to make indeni’s alerts as actionable as possible. Whenever we (or one of our users) see an alert isn’t actionable enough, we improve on it. At the end of the day, it’s all down to the knowledge base indeni holds.

Bottom line for Zabbix users: keep your existing system (and investment) going and add indeni to gain true proactivity. Don’t worry, indeni can report back into Zabbix (vis SNMP Traps) so you don’t need two dashboards.

Only one way to find out which tool is best. Try us out for free and see the difference in coverage and visibility only indeni can provide. 

How to Keep a Bouncer Healthy – Comparing Algosec/Firemon/Tufin vs indeni

Many of our users work in the information security operations departments of mid-size to very large enterprises. As such, they regularly work with Check Point firewalls (which indeni supports), When you work with a firewall, you need to make sure the rule base matches the organization’s security policies.

To help with that, there are companies such as Algosec, Firemon and Tufin, that have developed solutions for monitoring changes in the rule base and building a workflow around the on-going work done with it. While I hope these companies will excuse me for referring to them as a group (I’m sure each of them considers itself as the best in class, rightfully so), we see them as a group because they fulfill a certain need.

indeni fulfills a very different need. The best way to understand it is to imagine the firewall being a bouncer at a party. The Algosec/Firemon/Tufin solutions help make sure the bouncer knows who to let in and who not to. indeni makes sure the bouncer stays alive, healthy, and can do his/her job.

Therefore, every user of Algosec/Firemon/Tufin should look into indeni. We are complimentary solutions that together ensure your firewall will achieve the security goals you have set for it while at the same time ensuring the firewall doesn’t become a source of traffic loss and downtime.

Note that there is one major difference in the way indeni is set up: indeni must be able to reach every single firewall on the network directly. Connecting to the management servers (such as Check Point’s Provider-1/MDM) is not sufficient for indeni to be able to truly analyze the health of the firewalls.

Another difference is that indeni isn’t directed solely at security devices. indeni can cover the networking aspects of routers and switches (not just ACLs) as well as devices like F5’s load balancers. Adding this entire variety of devices to indeni’s analysis engine will allow you to identify cross-device issues. For example, a Check Point firewall cluster failover can go very wrong if the routers around it are dropping GARP replies. We identify that as part of our on-going analysis and are unique in that capability.

Bottom line: if you are an Algosec/Firemon/Tufin customer, you should seriously look into indeni as a means of providing you an overall solution for getting your job done. It takes just 45 minutes to see indeni in action on your network.