SlideShare ist ein Scribd-Unternehmen logo

Apache metron meetup presentation at capital one

G
gvetticaden

Deck Presented at the Apache Metron Meetup in the DC Area at Capital One

Technologie
1 von 34
Downloaden Sie, um offline zu lesen
Apache Metron Meetup & Code Lab George Vetticaden Principal Architect @ Hortonworks Apache Metron Committer James Sirota Engineering Lead & Chief Data Scientist @ Hortonworks Apache Metron Committer
Part 1 – Overview of Apache Metron • Challenges with Today’s Security Tools to Combat Cyber Attacks • Introduction to Apache Metron • Metron Architecture • Personas and Core Themes • Why Apache Metron? Part 2 – Code Lab: Adding a Net New Data Telemetry Data Source into Metron • Setting up the Use Case for the Code Lab: Tracing a Squid Telemetry through the platform • Get your Metron vagrant VM started • Use Case 1: Adding a net new telemetry data source to Metron • Use Case 2: Enriching Telemetry Data • Use Case 3: Adding/Enriching/Validating with Threat Intel Feeds • Use Case 4: Setting up your IDE and writing Tests Agenda
Metron
Page4 The Good Guys Security Practitioner I have too many tools I need to learn I don’t have a centralized view of my data My tools are too expensive I can’t find enough talent I can’t keep relying on static rules I need to discover bad stuff quicker Most of my alerts are false positives I have too many manual tasks SOC Manager Threat landscape too dynamic More assets/users to manage Attack surface increases Legacy techniques don’t work anymore Metron will make it easier and faster to find the real issues I need to act on Metron is a more cost effective way for my team to deal with the fast moving threat landscape
Page5 The Bad Guys Advanced Persistent Threat Script Kiddie My techniques are predictable and known My attack vectors are also known You are not the only person I’ve attacked I brag about what I did or will do I set off a large number of alerts I fumble around a lot I am very unique in a way I do things I live on your network for about 300 days I know what I am after and I look for it, slowly Your rules will not detect me, I am too smart I impersonate a legitimate user, but I don’t act like one Metron can take everything that is known about me and check for it in real time Metron can model historical behavior of whoever I am impersonating and flag me as I try to deviate
Page6 Problems With Existing Tools Security Information Management System I am prohibitively expensive I have vendor lock-in I can’t deal with big data I am not open I am not extensible enough Legacy Point Tools I was built for 1995 I am super specialized I don’t scale horizontally I have a proprietary format You need a PhD to operate me Behavioral Analytics Tools I am mostly vapor ware I was built by a small startup I was modeled after a data set from 1999 I spam you with false positives
Page7 Apache Metron Vision “Apache Metron is a Security Data Analytics Platform (SDAP). As a next generation security analytics framework, it is designed to consume and monitor network traffic and machine data within an enterprise. Apache Metron is extensible and is designed to work at a massive scale. It is not a SIEM but rather the next evolution of a SIEM.” Apache Metron provides the following capabilities:  Extensible spouts and parsers for attaching Apache Metron to monitor any telemetry source  Extensible enrichment framework for any telemetry stream  Hadoop-backed storage for telemetry stream with a customizable retention time  Automated real-time index for telemetry streams enabling real-time search  Telemetry correlation and SQL query capability for data stored in Hadoop backed by Hive  ODBC/JDBC compatibility and integration with existing analytics tools
Challenges that Apache Metron Solves 60%: Percent of breaches that happened in minutes 8 months: Average time an advanced security breach goes unnoticed $400 million in estimated financial loss in 2015 70%-90%: Percentage of malware in breach unique to organization 2015 Verizon Data Breach Investigations Report • Too expensive to keep data for enough time to understand history • Not enough of the right data to provide context • Too expensive to collect all the desired data to understand context • Not sure if can detect a targeted event. • Too many events to review in timely manner • Not enough staff to review events in a timely manner
Part 1 – Overview of Apache Metron • Challenges with Today’s Security Tools to Combat Cyber Attacks • Introduction to Apache Metron • Metron Architecture • Personas and Core Themes • Why Apache Metron? Part 2 – Code Lab: Adding a Net New Data Telemetry Data Source into Metron • Setting up the Use Case for the Code Lab: Tracing a Squid Telemetry through the platform • Get your Metron vagrant VM started • Use Case 1: Adding a net new telemetry data source to Metron • Use Case 2: Enriching Telemetry Data • Use Case 3: Adding/Enriching/Validating with Threat Intel Feeds • Use Case 4: Setting up your IDE and writing Tests Agenda
Real-time Processing Engine PCAP NETFLOW DPI IDS AV EMAIL FIREWALL HOST LOGS PARSE NORMALIZE TAG VALIDATE PROCESS USER ASSET GEO WHOIS CONN ENRICH STIX Flat Files Aggregators Model As A Service Cloud Services LABEL PCAP Store ALERT PERSIST Alert Security Data Vault Apache Metron Logical Architecture Network Tap Custom Metron UI/Portals Real-Time Search Interactive Dashboards Data Modelling Integration Layer PCAP Replay Security Layer Data & Integration Services Apache Metron
Page11 Sensor A Sensor B Sensor N Topic A Topic B Topic (N) Apache Kafka PCAP PCAP Probe Physical Architecture Normalizing Topology A Normalizing Topology B Normalizing Topology N Apache Storm Native Format Native Format Native Format PCAP on HDFS Metron PCAP Service PCAP Topology Enrich Normalized Metron Format Enrichment/ Threat Intel Topology Out to Index + HDFS
Page12 Topic A Normalizing Topology A Sensor A Native Format Apache Kafka Apache Storm Kafka Spout Parser Kafka Bolt Enriched Metron JSON Parsing/Normalization Topology Key Points: • Each New Telemetry Data Source will have its own Parser Topology • Two types of Parsers available: Grok and Java
Page13 2 Types of Parsers Parser Type Description Telemetry Type Grok • A grok is a collection of named regular expressions. • Provides a declarative way to write new parsers without any code • A parser takes an input, which is usually a byte array coming from the Kafka Spout, and turns it into a Metron JSON Object. • The Grok parser does this by utilizing the Grok library inside of the Parser Kafka Bolt Adapter. • Use this parser when telemetry is simple to parse or low in volume Java • Java based approach to writing a custom parsers • Use this parser when telemetry is complex to parse or high volume
Page14 Metron JSON Object • Numerous sensors log in different formats. The parser should normalize at least the following subset of fields to the following Metron JSON naming conventions:
Page15 Enrich ment Bolt(a) Enrich ment Bolt(n) Threat Intel Joiner Message Splitter: Enrichment Enrich ment Joiner Message Splitter: Threat Intel Model Bolt (n) Threat Intel Bolt (n) Metron Enrichment Loader Framework Metron Threat Loader Framework Data Store Fast Cach e Fast Cach e Fast Cach e Fast Cach e Data Store Enrichment Topology Apache Kafka Enriched Writer Bolt = Message Stream Apache Storm = Enrichment Stream Enrichment Topology
Page16 Part 1 – Overview of Apache Metron • Challenges with Today’s Security Tools to Combat Cyber Attacks • Introduction to Apache Metron • Metron Architecture • Personas and Core Themes • Why Apache Metron? Part 2 – Code Lab: Adding a Net New Data Telemetry Data Source into Metron • Setting up the Use Case for the Code Lab: Tracing a Squid Telemetry through the platform • Get your Metron vagrant VM started • Use Case 1: Adding a net new telemetry data source to Metron • Use Case 2: Enriching Telemetry Data • Use Case 3: Adding/Enriching/Validating with Threat Intel Feeds • Use Case 4: Setting up your IDE and writing Tests Agenda
Page17 Personas
Page18 Metron’s Key Functional Themes Platform Work done to harden the platform for performance, scale, extensibility and maintainability. This also includes capabilities around provisioning, managing and monitoring the application. Set of Data Sources that Metron provides capabilities to stream, ingest and parse into the platform. A set of Storm Topologies to perform various actions in real-time including: normalization of telemetry data, enrichment, cross reference with threat intel feeds, alerting, indexing, and persisting into Historical stores Data Collection Data Processing UI Set of portal, dashboard and user interfaces for the different personas.
Page19 Target Personas and Themes for Apache Metron 0.1 T e c h P r e v i e w 1 - I n t r o Theme: Platform Theme: Data Collection Theme: Data Processing Theme: UI Security Platform Engineer Security Platform Engineer Security Platform Engineer SOC Investigator Security Platform Engineer SOC Investigator Forensic Investigator SOC Investigator SOC Analyst SOC Manager
Page20 • Fully automated vagrant install of Metron on a single VM • Fully automated install of Metron on multi-node HDP cluster via Ansible scripts, Ambari blueprints and APIs including: • Multi-node Elastic Search Cluster • Metron-UI Web Application • Deployment of the Metron Storm Topology • Deployment of telemetry sensors: PCAP, Bro, YAF(Netflow), Snort • OpenSOC redesign (new topology structure, extensible enrichments, threat intel, data loads, configs, ease of adding new topologies) Platform Data Collection • Ingestion of the following data sources: PCAP via pycapa or C++ DPDK probe, Bro, Netflow via YAF, Snort • Parsers for the following data sources: PCAP, Bro, Netflow & Snort Data Processing • Support for the following enrichment services: Geo, WhoIs, Host • Threat Intelligence Message enrichment - Enrich messages with fields that mat the threat intelligence data in HBase • Support for the following persistence services: HDFS, HBase and Elastic Search • Indexing events and Alerts into Elastic Search cluster • Support for Soltra(CIF) Threat Aggregator Services via STIX and Taxii Feed • Ability to replay PCAP files for Testing UI • Metron Investigator UI to search across indexed events and alerts for SOC Analyst & Investigators • Histogram Panels for each of the data sources (YAF, Bro, Snort) • Table Views for Alerts (YAF, Bro, Snort) • Customize new panels with different data sources and different panel types. Key Features of Apache Metron 0.1
Page21 Part 1 – Overview of Apache Metron • Challenges with Today’s Security Tools to Combat Cyber Attacks • Introduction to Apache Metron • Metron Architecture • Personas and Core Themes • Why Apache Metron? Part 2 – Code Lab: Adding a Net New Data Telemetry Data Source into Metron • Setting up the Use Case for the Code Lab: Tracing a Squid Telemetry through the platform • Get your Metron vagrant VM started • Use Case 1: Adding a net new telemetry data source to Metron • Use Case 2: Enriching Telemetry Data • Use Case 3: Adding/Enriching/Validating with Threat Intel Feeds • Use Case 4: Setting up your IDE and writing Tests Agenda
Page22 Why Metron? SOC Analyst Perspective Looking through alerts 25% Collecting contextual data 25% Formulating a Hypothesis 5% Investigate 20% Remediate 15% Update Workflow 5% Wrte Report 5% ANALYST WORKFLOW • Alerts Relevancy Engine • Smarter ML alerts • Centralized Alerts Console • Enriched with threat intel data • Fully enriched messages • Single pane of glass UI • Centralized real-time search • All logs in one place • Granular access to PCAP • Replay old PCAP against new signatures • Tag behavior for modelling by data scientists • Raw messages used as evidentiary store • Mine investigation history • Asset inventory as an enrichment • User identity as an enrichment • Workflow engine • Ticket clustering Everything you need to know in one place
Page23 Why Metron? Data Scientist Perspective Formulating a Hypothesis 5% Finding Data 20% Cleaning Data 20% Munging Data 20% Visualizing Data 20% Modelling Data 10% Validating Model 5% DATA SCIENCE WORKFLOW • All my data is in the same place • Data exposed through a variety of APIs • Standard Access Control Policies • Quickly see what I have • Metron normalizes objects • Partial schema validation on ingest • Tagging on ingest • Automatic data enrichment • Automatic application of class labels • Common Metron Objects • Massively parallel computation framework • Reusable Zeppelin Dashboards • Real-time search + UI • Integration with Python/R • Integration with analytics tools Reducing time from hypothesis to model
Page24 Part 1 – Overview of Apache Metron • Challenges with Today’s Security Tools to Combat Cyber Attacks • Introduction to Apache Metron • Metron Architecture • Personas and Core Themes • Why Apache Metron? Part 2 – Code Lab: Adding a Net New Data Telemetry Data Source into Metron • Setting up the Use Case for the Code Lab: Tracing a Squid Telemetry through the platform • Get your Metron vagrant VM started • Use Case 1: Adding a net new telemetry data source to Metron • Use Case 2: Enriching Telemetry Data • Use Case 3: Adding/Enriching/Validating with Threat Intel Feeds • Use Case 4: Setting up your IDE and writing Tests Agenda
Page25 Use Case Setup • Scenario • Customer Foo has installed Metron TP1 and they are using the out of the box data sources (PCAP, YAF/Netflow, Snort and Bro). They love Metron! • But now they want to add new data source the the platform: squid proxy logs. • Customer Foo’s requirements are the following 1. Need to ingest the proxy events from Squid logs in real-time 2. The proxy logs has to be parsed into a standardized JSON structure that Metron can understand 3. In real-time, the squid proxy event needs to be enriched with domain/whois information (domain, cert, country, company) 4. In real-time, the domain of the proxy event must be checked against for threat intel feeds 5. If there is a threat intel hit, an alert needs to be raised 6. The end user must be able to see the new telemetry events and the alerts from the new data source
Page26 Squid & its Telemetry Event • What is Squid? • Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages • What does a Squid Access Log look like? • When you make an outbound http connection to https://www.cnn.com, the following entry gets added to a file called access.log: Unix Epoch Time IP of host where connection was made. The domain name of the outbound connection 1461576382.642 161 98.220.218.158 TCP_MISS/200 103701 GET http://www.cnn.com/ - DIRECT/199.27.79.73 text/html
Page27 What Metron does to the Squid Telemetry Event in Real-time Convert from Unix Epoch to Timestamp Use Metron’s asset enrichment to enrich that IP (hostname, type of device) Use Metron’s WhoIs enrichment To look up domain name information (e.g: Use the Metron’s Threat Intel Services to cross-reference the IP with threat intel feed to see if there is a hit 1461576382.642 161 127.0.0.1 TCP_MISS/200 103701 GET http://www.cnn.com/ - DIRECT/199.27.79.73 text/html Index the event into Elastic and persist into HDFS (Security Data Vault)
Page28 Real-time Processing Engine Squid Logs PARSE NORMALIZE TAG VALIDATE PROCESS USER ASSET GEO WHOIS CONN ENRICH STIX Flat Files Aggregators Model As A Service Cloud Services LABEL PCAP Store ALERT PERSIST Alert Security Data Vault Real-Time Search Interactive Dashboards Data Modelling Integration Layer PCAP Replay Security Layer Data & Integration Services Tracing the Squid Event across the Platform Custom Metron UI/Portals
Page29 Step 1: Telemetry Ingest (Tracing an Event) 1461576382.642 161 98.220.218.158 TCP_MISS/200 103701 GET http://www.cnn.com/ - DIRECT/199.27.79.73 text/html
Page30 Step 2 – Process/Parse (Tracing an Event)
Page31 Step 3 – Enrich (Tracing an Event)
Page32 Enriching Data Architecture Metron Enrichment Store (HBase/) Enrichment Loader Framework Bulk Load Polling Enrichment Source Storm Bolt Cache Metron Streaming Messages Enriched Metron Streaming Messages
Page33 Step 4 – Label/Threat Intel (Tracing an Event) Threat Intel Store (HBase) Threat Intel Loader Framework Bulk Load Polling Storm Bolt Cache Metron Streaming Messages (Enriched) Enriched Metron Streaming Messages (Enriched) + Threat Intel Hits Threat Intel Feed Source (Optional) Threat Intel Aggregator
Page34 High level Steps – How to Add the New Telemetry 1. Create new Kafka topic for the new telemetry source called “squid” 2. Create and validate a grok statement file that parses the squid event log into a format that Metron can understand 3. Store that grok statement in HDFS 4. Create a new flux configuration for the new Squid parser Storm Topology. 5. Update Zookeeper with configuration to mark what fields in the telemetry to enrich and what fields to cross- reference with threat intel feeds. 6. Move the flux configuration to the host where you will deploy the topology. 7. Deploy the new squid Storm parser topology using the new flux configuration 8. Load WhoIs enrichment data and configure enrichment mapping 9. Load Threat Intel data and configure threat intel matching mapping 10. Use Apache Nifi to capture the squid events and push them into Metron 11. Create a new Panel in Kibana and see the telemetry events Key Points Easy Extensibility – The ability to add new data source without writing any code and in an easy mann Repeatable Pattern - The following represents a repeatable pattern that you can apply to most data s

Empfohlen

Apache metron - An Introduction
Apache metron - An IntroductionApache metron - An Introduction
Apache metron - An IntroductionBaban Gaigole
 
Cisco OpenSOC
Cisco OpenSOCCisco OpenSOC
Cisco OpenSOCJames Sirota
 
Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...
Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...
Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...Carolyn Duby
 
Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...
Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...
Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...Lucidworks
 
Apply big data and data lake for processing security data collections
Apply big data and data lake for processing security data collectionsApply big data and data lake for processing security data collections
Apply big data and data lake for processing security data collectionsGregory Shlyuger
 
Detecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDetecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDataWorks Summit
 
Performing Network & Security Analytics with Hadoop
Performing Network & Security Analytics with HadoopPerforming Network & Security Analytics with Hadoop
Performing Network & Security Analytics with HadoopDataWorks Summit
 
Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...
Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...
Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...DataWorks Summit
 

Empfohlen

Apache metron - An Introduction
Apache metron - An IntroductionApache metron - An Introduction
Apache metron - An IntroductionBaban Gaigole
 
Cisco OpenSOC
Cisco OpenSOCCisco OpenSOC
Cisco OpenSOCJames Sirota
 
Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...
Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...
Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...Carolyn Duby
 
Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...
Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...
Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...Lucidworks
 
Apply big data and data lake for processing security data collections
Apply big data and data lake for processing security data collectionsApply big data and data lake for processing security data collections
Apply big data and data lake for processing security data collectionsGregory Shlyuger
 
Detecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDetecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDataWorks Summit
 
Performing Network & Security Analytics with Hadoop
Performing Network & Security Analytics with HadoopPerforming Network & Security Analytics with Hadoop
Performing Network & Security Analytics with HadoopDataWorks Summit
 
Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...
Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...
Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...DataWorks Summit
 
Security From The Big Data and Analytics Perspective
Security From The Big Data and Analytics PerspectiveSecurity From The Big Data and Analytics Perspective
Security From The Big Data and Analytics PerspectiveAll Things Open
 
A Practical Guide to Anomaly Detection for DevOps
A Practical Guide to Anomaly Detection for DevOpsA Practical Guide to Anomaly Detection for DevOps
A Practical Guide to Anomaly Detection for DevOpsBigPanda
 
Hadoop / Spark on Malware Expression
Hadoop / Spark on Malware ExpressionHadoop / Spark on Malware Expression
Hadoop / Spark on Malware ExpressionMapR Technologies
 
Analyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeAnalyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeDataWorks Summit
 
Design Patterns For Real Time Streaming Data Analytics
Design Patterns For Real Time Streaming Data AnalyticsDesign Patterns For Real Time Streaming Data Analytics
Design Patterns For Real Time Streaming Data AnalyticsDataWorks Summit
 
Security event logging and monitoring techniques
Security event logging and monitoring techniquesSecurity event logging and monitoring techniques
Security event logging and monitoring techniquesDataWorks Summit
 
Splunk App for Stream
Splunk App for StreamSplunk App for Stream
Splunk App for StreamSplunk
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout SessionSplunk
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream csching
 
Splunking configfiles 20211208_daniel_wilson
Splunking configfiles 20211208_daniel_wilsonSplunking configfiles 20211208_daniel_wilson
Splunking configfiles 20211208_daniel_wilsonBecky Burwell
 
MOLOCH: Search for Full Packet Capture (OA Cyber Summit)
MOLOCH: Search for Full Packet Capture (OA Cyber Summit)MOLOCH: Search for Full Packet Capture (OA Cyber Summit)
MOLOCH: Search for Full Packet Capture (OA Cyber Summit)Open Analytics
 
Apache Eagle in Action
Apache Eagle in ActionApache Eagle in Action
Apache Eagle in ActionHao Chen
 
Apache Eagle Dublin Hadoop Summit 2016
Apache Eagle Dublin Hadoop Summit 2016Apache Eagle Dublin Hadoop Summit 2016
Apache Eagle Dublin Hadoop Summit 2016Edward Zhang
 
What’s New: Splunk App for Stream and Splunk MINT
What’s New: Splunk App for Stream and Splunk MINTWhat’s New: Splunk App for Stream and Splunk MINT
What’s New: Splunk App for Stream and Splunk MINTSplunk
 
Advanced Splunk Administration
Advanced Splunk AdministrationAdvanced Splunk Administration
Advanced Splunk AdministrationGreg Hanchin
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding Splunk
 
Analysis of Major Trends in Big Data Analytics
Analysis of Major Trends in Big Data AnalyticsAnalysis of Major Trends in Big Data Analytics
Analysis of Major Trends in Big Data AnalyticsDataWorks Summit/Hadoop Summit
 
How Hudl and Cloud Cruiser Leverage Sumo Logic's Unified Logs and Metrics
How Hudl and Cloud Cruiser Leverage Sumo Logic's Unified Logs and MetricsHow Hudl and Cloud Cruiser Leverage Sumo Logic's Unified Logs and Metrics
How Hudl and Cloud Cruiser Leverage Sumo Logic's Unified Logs and MetricsSumo Logic
 
Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Sumo Logic
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 
Apache Metron: Community Driven Cyber Security
Apache Metron: Community Driven Cyber Security Apache Metron: Community Driven Cyber Security
Apache Metron: Community Driven Cyber Security DataWorks Summit/Hadoop Summit
 
Apache Metron Meetup May 4, 2016 - Big data cybersecurity
Apache Metron Meetup May 4, 2016 - Big data cybersecurityApache Metron Meetup May 4, 2016 - Big data cybersecurity
Apache Metron Meetup May 4, 2016 - Big data cybersecurityHortonworks
 

Weitere ähnliche Inhalte

Was ist angesagt?

Security From The Big Data and Analytics Perspective
Security From The Big Data and Analytics PerspectiveSecurity From The Big Data and Analytics Perspective
Security From The Big Data and Analytics PerspectiveAll Things Open
 
A Practical Guide to Anomaly Detection for DevOps
A Practical Guide to Anomaly Detection for DevOpsA Practical Guide to Anomaly Detection for DevOps
A Practical Guide to Anomaly Detection for DevOpsBigPanda
 
Hadoop / Spark on Malware Expression
Hadoop / Spark on Malware ExpressionHadoop / Spark on Malware Expression
Hadoop / Spark on Malware ExpressionMapR Technologies
 
Analyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeAnalyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeDataWorks Summit
 
Design Patterns For Real Time Streaming Data Analytics
Design Patterns For Real Time Streaming Data AnalyticsDesign Patterns For Real Time Streaming Data Analytics
Design Patterns For Real Time Streaming Data AnalyticsDataWorks Summit
 
Security event logging and monitoring techniques
Security event logging and monitoring techniquesSecurity event logging and monitoring techniques
Security event logging and monitoring techniquesDataWorks Summit
 
Splunk App for Stream
Splunk App for StreamSplunk App for Stream
Splunk App for StreamSplunk
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout SessionSplunk
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream csching
 
Splunking configfiles 20211208_daniel_wilson
Splunking configfiles 20211208_daniel_wilsonSplunking configfiles 20211208_daniel_wilson
Splunking configfiles 20211208_daniel_wilsonBecky Burwell
 
MOLOCH: Search for Full Packet Capture (OA Cyber Summit)
MOLOCH: Search for Full Packet Capture (OA Cyber Summit)MOLOCH: Search for Full Packet Capture (OA Cyber Summit)
MOLOCH: Search for Full Packet Capture (OA Cyber Summit)Open Analytics
 
Apache Eagle in Action
Apache Eagle in ActionApache Eagle in Action
Apache Eagle in ActionHao Chen
 
Apache Eagle Dublin Hadoop Summit 2016
Apache Eagle Dublin Hadoop Summit 2016Apache Eagle Dublin Hadoop Summit 2016
Apache Eagle Dublin Hadoop Summit 2016Edward Zhang
 
What’s New: Splunk App for Stream and Splunk MINT
What’s New: Splunk App for Stream and Splunk MINTWhat’s New: Splunk App for Stream and Splunk MINT
What’s New: Splunk App for Stream and Splunk MINTSplunk
 
Advanced Splunk Administration
Advanced Splunk AdministrationAdvanced Splunk Administration
Advanced Splunk AdministrationGreg Hanchin
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding Splunk
 
How Hudl and Cloud Cruiser Leverage Sumo Logic's Unified Logs and Metrics
How Hudl and Cloud Cruiser Leverage Sumo Logic's Unified Logs and MetricsHow Hudl and Cloud Cruiser Leverage Sumo Logic's Unified Logs and Metrics
How Hudl and Cloud Cruiser Leverage Sumo Logic's Unified Logs and MetricsSumo Logic
 
Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Sumo Logic
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 

Was ist angesagt? (20)

Security From The Big Data and Analytics Perspective
Security From The Big Data and Analytics PerspectiveSecurity From The Big Data and Analytics Perspective
Security From The Big Data and Analytics Perspective
 
A Practical Guide to Anomaly Detection for DevOps
A Practical Guide to Anomaly Detection for DevOpsA Practical Guide to Anomaly Detection for DevOps
A Practical Guide to Anomaly Detection for DevOps
 
Hadoop / Spark on Malware Expression
Hadoop / Spark on Malware ExpressionHadoop / Spark on Malware Expression
Hadoop / Spark on Malware Expression
 
Analyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeAnalyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-time
 
Design Patterns For Real Time Streaming Data Analytics
Design Patterns For Real Time Streaming Data AnalyticsDesign Patterns For Real Time Streaming Data Analytics
Design Patterns For Real Time Streaming Data Analytics
 
Security event logging and monitoring techniques
Security event logging and monitoring techniquesSecurity event logging and monitoring techniques
Security event logging and monitoring techniques
 
Splunk App for Stream
Splunk App for StreamSplunk App for Stream
Splunk App for Stream
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout Session
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream
 
Splunking configfiles 20211208_daniel_wilson
Splunking configfiles 20211208_daniel_wilsonSplunking configfiles 20211208_daniel_wilson
Splunking configfiles 20211208_daniel_wilson
 
MOLOCH: Search for Full Packet Capture (OA Cyber Summit)
MOLOCH: Search for Full Packet Capture (OA Cyber Summit)MOLOCH: Search for Full Packet Capture (OA Cyber Summit)
MOLOCH: Search for Full Packet Capture (OA Cyber Summit)
 
Apache Eagle in Action
Apache Eagle in ActionApache Eagle in Action
Apache Eagle in Action
 
Apache Eagle Dublin Hadoop Summit 2016
Apache Eagle Dublin Hadoop Summit 2016Apache Eagle Dublin Hadoop Summit 2016
Apache Eagle Dublin Hadoop Summit 2016
 
What’s New: Splunk App for Stream and Splunk MINT
What’s New: Splunk App for Stream and Splunk MINTWhat’s New: Splunk App for Stream and Splunk MINT
What’s New: Splunk App for Stream and Splunk MINT
 
Advanced Splunk Administration
Advanced Splunk AdministrationAdvanced Splunk Administration
Advanced Splunk Administration
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding
 
Analysis of Major Trends in Big Data Analytics
Analysis of Major Trends in Big Data AnalyticsAnalysis of Major Trends in Big Data Analytics
Analysis of Major Trends in Big Data Analytics
 
How Hudl and Cloud Cruiser Leverage Sumo Logic's Unified Logs and Metrics
How Hudl and Cloud Cruiser Leverage Sumo Logic's Unified Logs and MetricsHow Hudl and Cloud Cruiser Leverage Sumo Logic's Unified Logs and Metrics
How Hudl and Cloud Cruiser Leverage Sumo Logic's Unified Logs and Metrics
 
Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 

Andere mochten auch

Apache Metron Meetup May 4, 2016 - Big data cybersecurity
Apache Metron Meetup May 4, 2016 - Big data cybersecurityApache Metron Meetup May 4, 2016 - Big data cybersecurity
Apache Metron Meetup May 4, 2016 - Big data cybersecurityHortonworks
 
2016 Cybersecurity Analytics State of the Union
2016 Cybersecurity Analytics State of the Union2016 Cybersecurity Analytics State of the Union
2016 Cybersecurity Analytics State of the UnionCloudera, Inc.
 
2014 sept 26_thug_lambda_part1
2014 sept 26_thug_lambda_part12014 sept 26_thug_lambda_part1
2014 sept 26_thug_lambda_part1Adam Muise
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapSecurity Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapEric Johansen, CISSP
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Brian Spector
 
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...Cloudera, Inc.
 
Spatial Analysis On Histological Images Using Spark
Spatial Analysis On Histological Images Using SparkSpatial Analysis On Histological Images Using Spark
Spatial Analysis On Histological Images Using SparkJen Aman
 
War on stealth cyber attacks phishing docusign apache metron
War on stealth cyber attacks phishing docusign apache metronWar on stealth cyber attacks phishing docusign apache metron
War on stealth cyber attacks phishing docusign apache metrongvetticaden
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
Credit Fraud Prevention with Spark and Graph Analysis
Credit Fraud Prevention with Spark and Graph AnalysisCredit Fraud Prevention with Spark and Graph Analysis
Credit Fraud Prevention with Spark and Graph AnalysisJen Aman
 
War on Stealth Cyberattacks that Target Unknown Vulnerabilities
War on Stealth Cyberattacks that Target Unknown VulnerabilitiesWar on Stealth Cyberattacks that Target Unknown Vulnerabilities
War on Stealth Cyberattacks that Target Unknown VulnerabilitiesDataWorks Summit/Hadoop Summit
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingAndrew McNicol
 
Apache NiFi- MiNiFi meetup Slides
Apache NiFi- MiNiFi meetup SlidesApache NiFi- MiNiFi meetup Slides
Apache NiFi- MiNiFi meetup SlidesIsheeta Sanghi
 
Fighting cybersecurity threats with Apache Spot
Fighting cybersecurity threats with Apache SpotFighting cybersecurity threats with Apache Spot
Fighting cybersecurity threats with Apache Spotmarkgrover
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & BuildSameer Paradia
 
Building a Real-Time Fraud Prevention Engine Using Open Source (Big Data) Sof...
Building a Real-Time Fraud Prevention Engine Using Open Source (Big Data) Sof...Building a Real-Time Fraud Prevention Engine Using Open Source (Big Data) Sof...
Building a Real-Time Fraud Prevention Engine Using Open Source (Big Data) Sof...Spark Summit
 
Double Your Hadoop Hardware Performance with SmartSense
Double Your Hadoop Hardware Performance with SmartSenseDouble Your Hadoop Hardware Performance with SmartSense
Double Your Hadoop Hardware Performance with SmartSenseHortonworks
 

Andere mochten auch (20)

Apache Metron: Community Driven Cyber Security
Apache Metron: Community Driven Cyber Security Apache Metron: Community Driven Cyber Security
Apache Metron: Community Driven Cyber Security
 
Apache Metron Meetup May 4, 2016 - Big data cybersecurity
Apache Metron Meetup May 4, 2016 - Big data cybersecurityApache Metron Meetup May 4, 2016 - Big data cybersecurity
Apache Metron Meetup May 4, 2016 - Big data cybersecurity
 
Tracing your security telemetry with Apache Metron
Tracing your security telemetry with Apache MetronTracing your security telemetry with Apache Metron
Tracing your security telemetry with Apache Metron
 
2016 Cybersecurity Analytics State of the Union
2016 Cybersecurity Analytics State of the Union2016 Cybersecurity Analytics State of the Union
2016 Cybersecurity Analytics State of the Union
 
Apache Spot
Apache SpotApache Spot
Apache Spot
 
2014 sept 26_thug_lambda_part1
2014 sept 26_thug_lambda_part12014 sept 26_thug_lambda_part1
2014 sept 26_thug_lambda_part1
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapSecurity Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM Gap
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016
 
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
 
Spatial Analysis On Histological Images Using Spark
Spatial Analysis On Histological Images Using SparkSpatial Analysis On Histological Images Using Spark
Spatial Analysis On Histological Images Using Spark
 
War on stealth cyber attacks phishing docusign apache metron
War on stealth cyber attacks phishing docusign apache metronWar on stealth cyber attacks phishing docusign apache metron
War on stealth cyber attacks phishing docusign apache metron
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
 
Credit Fraud Prevention with Spark and Graph Analysis
Credit Fraud Prevention with Spark and Graph AnalysisCredit Fraud Prevention with Spark and Graph Analysis
Credit Fraud Prevention with Spark and Graph Analysis
 
War on Stealth Cyberattacks that Target Unknown Vulnerabilities
War on Stealth Cyberattacks that Target Unknown VulnerabilitiesWar on Stealth Cyberattacks that Target Unknown Vulnerabilities
War on Stealth Cyberattacks that Target Unknown Vulnerabilities
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
 
Apache NiFi- MiNiFi meetup Slides
Apache NiFi- MiNiFi meetup SlidesApache NiFi- MiNiFi meetup Slides
Apache NiFi- MiNiFi meetup Slides
 
Fighting cybersecurity threats with Apache Spot
Fighting cybersecurity threats with Apache SpotFighting cybersecurity threats with Apache Spot
Fighting cybersecurity threats with Apache Spot
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & Build
 
Building a Real-Time Fraud Prevention Engine Using Open Source (Big Data) Sof...
Building a Real-Time Fraud Prevention Engine Using Open Source (Big Data) Sof...Building a Real-Time Fraud Prevention Engine Using Open Source (Big Data) Sof...
Building a Real-Time Fraud Prevention Engine Using Open Source (Big Data) Sof...
 
Double Your Hadoop Hardware Performance with SmartSense
Double Your Hadoop Hardware Performance with SmartSenseDouble Your Hadoop Hardware Performance with SmartSense
Double Your Hadoop Hardware Performance with SmartSense
 

Ähnlich wie Apache metron meetup presentation at capital one

Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitAnurag Srivastava
 
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDNOliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDNcentralohioissa
 
Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Laura Arrigo
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Novetta Cyber Analytics
Novetta Cyber AnalyticsNovetta Cyber Analytics
Novetta Cyber AnalyticsNovetta
 
ThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxGrace Jansen
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself Alert Logic
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...CloudVillage
 
What are the best tools used in cybersecurity in 2023.pdf
What are the best tools used in cybersecurity in 2023.pdfWhat are the best tools used in cybersecurity in 2023.pdf
What are the best tools used in cybersecurity in 2023.pdftsaaroacademy
 
Key Open Standards for inter-operable IoT systems
Key Open Standards for inter-operable IoT systemsKey Open Standards for inter-operable IoT systems
Key Open Standards for inter-operable IoT systemsPratul Sharma
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2securityxploded
 
Building a Real-Time Security Application Using Log Data and Machine Learning...
Building a Real-Time Security Application Using Log Data and Machine Learning...Building a Real-Time Security Application Using Log Data and Machine Learning...
Building a Real-Time Security Application Using Log Data and Machine Learning...Sri Ambati
 
20160000 Cloud Discovery Event - Cloud Access Security Brokers
20160000 Cloud Discovery Event - Cloud Access Security Brokers20160000 Cloud Discovery Event - Cloud Access Security Brokers
20160000 Cloud Discovery Event - Cloud Access Security BrokersRobin Vermeirsch
 
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptxINTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptxSuhailShaik16
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
FiCloud2016 lov4iot second life ontology
FiCloud2016 lov4iot second life ontologyFiCloud2016 lov4iot second life ontology
FiCloud2016 lov4iot second life ontologyAmélie Gyrard
 

Ähnlich wie Apache metron meetup presentation at capital one (20)

Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With Metasploit
 
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDNOliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
 
Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and Analysis
 
Novetta Cyber Analytics
Novetta Cyber AnalyticsNovetta Cyber Analytics
Novetta Cyber Analytics
 
ThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptx
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
 
What are the best tools used in cybersecurity in 2023.pdf
What are the best tools used in cybersecurity in 2023.pdfWhat are the best tools used in cybersecurity in 2023.pdf
What are the best tools used in cybersecurity in 2023.pdf
 
Key Open Standards for inter-operable IoT systems
Key Open Standards for inter-operable IoT systemsKey Open Standards for inter-operable IoT systems
Key Open Standards for inter-operable IoT systems
 
BLOCKHUNTER.pptx
BLOCKHUNTER.pptxBLOCKHUNTER.pptx
BLOCKHUNTER.pptx
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
 
Building a Real-Time Security Application Using Log Data and Machine Learning...
Building a Real-Time Security Application Using Log Data and Machine Learning...Building a Real-Time Security Application Using Log Data and Machine Learning...
Building a Real-Time Security Application Using Log Data and Machine Learning...
 
S4x20 Forescout Presentation
S4x20 Forescout Presentation S4x20 Forescout Presentation
S4x20 Forescout Presentation
 
20160000 Cloud Discovery Event - Cloud Access Security Brokers
20160000 Cloud Discovery Event - Cloud Access Security Brokers20160000 Cloud Discovery Event - Cloud Access Security Brokers
20160000 Cloud Discovery Event - Cloud Access Security Brokers
 
SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019
 
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptxINTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
FiCloud2016 lov4iot second life ontology
FiCloud2016 lov4iot second life ontologyFiCloud2016 lov4iot second life ontology
FiCloud2016 lov4iot second life ontology
 

Kürzlich hochgeladen

Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sectoritnewsafrica
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 

Kürzlich hochgeladen (20)

Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 

Apache metron meetup presentation at capital one

  • 1. Apache Metron Meetup & Code Lab George Vetticaden Principal Architect @ Hortonworks Apache Metron Committer James Sirota Engineering Lead & Chief Data Scientist @ Hortonworks Apache Metron Committer
  • 2. Part 1 – Overview of Apache Metron • Challenges with Today’s Security Tools to Combat Cyber Attacks • Introduction to Apache Metron • Metron Architecture • Personas and Core Themes • Why Apache Metron? Part 2 – Code Lab: Adding a Net New Data Telemetry Data Source into Metron • Setting up the Use Case for the Code Lab: Tracing a Squid Telemetry through the platform • Get your Metron vagrant VM started • Use Case 1: Adding a net new telemetry data source to Metron • Use Case 2: Enriching Telemetry Data • Use Case 3: Adding/Enriching/Validating with Threat Intel Feeds • Use Case 4: Setting up your IDE and writing Tests Agenda
  • 4. Page4 The Good Guys Security Practitioner I have too many tools I need to learn I don’t have a centralized view of my data My tools are too expensive I can’t find enough talent I can’t keep relying on static rules I need to discover bad stuff quicker Most of my alerts are false positives I have too many manual tasks SOC Manager Threat landscape too dynamic More assets/users to manage Attack surface increases Legacy techniques don’t work anymore Metron will make it easier and faster to find the real issues I need to act on Metron is a more cost effective way for my team to deal with the fast moving threat landscape
  • 5. Page5 The Bad Guys Advanced Persistent Threat Script Kiddie My techniques are predictable and known My attack vectors are also known You are not the only person I’ve attacked I brag about what I did or will do I set off a large number of alerts I fumble around a lot I am very unique in a way I do things I live on your network for about 300 days I know what I am after and I look for it, slowly Your rules will not detect me, I am too smart I impersonate a legitimate user, but I don’t act like one Metron can take everything that is known about me and check for it in real time Metron can model historical behavior of whoever I am impersonating and flag me as I try to deviate
  • 6. Page6 Problems With Existing Tools Security Information Management System I am prohibitively expensive I have vendor lock-in I can’t deal with big data I am not open I am not extensible enough Legacy Point Tools I was built for 1995 I am super specialized I don’t scale horizontally I have a proprietary format You need a PhD to operate me Behavioral Analytics Tools I am mostly vapor ware I was built by a small startup I was modeled after a data set from 1999 I spam you with false positives
  • 7. Page7 Apache Metron Vision “Apache Metron is a Security Data Analytics Platform (SDAP). As a next generation security analytics framework, it is designed to consume and monitor network traffic and machine data within an enterprise. Apache Metron is extensible and is designed to work at a massive scale. It is not a SIEM but rather the next evolution of a SIEM.” Apache Metron provides the following capabilities:  Extensible spouts and parsers for attaching Apache Metron to monitor any telemetry source  Extensible enrichment framework for any telemetry stream  Hadoop-backed storage for telemetry stream with a customizable retention time  Automated real-time index for telemetry streams enabling real-time search  Telemetry correlation and SQL query capability for data stored in Hadoop backed by Hive  ODBC/JDBC compatibility and integration with existing analytics tools
  • 8. Challenges that Apache Metron Solves 60%: Percent of breaches that happened in minutes 8 months: Average time an advanced security breach goes unnoticed $400 million in estimated financial loss in 2015 70%-90%: Percentage of malware in breach unique to organization 2015 Verizon Data Breach Investigations Report • Too expensive to keep data for enough time to understand history • Not enough of the right data to provide context • Too expensive to collect all the desired data to understand context • Not sure if can detect a targeted event. • Too many events to review in timely manner • Not enough staff to review events in a timely manner
  • 9. Part 1 – Overview of Apache Metron • Challenges with Today’s Security Tools to Combat Cyber Attacks • Introduction to Apache Metron • Metron Architecture • Personas and Core Themes • Why Apache Metron? Part 2 – Code Lab: Adding a Net New Data Telemetry Data Source into Metron • Setting up the Use Case for the Code Lab: Tracing a Squid Telemetry through the platform • Get your Metron vagrant VM started • Use Case 1: Adding a net new telemetry data source to Metron • Use Case 2: Enriching Telemetry Data • Use Case 3: Adding/Enriching/Validating with Threat Intel Feeds • Use Case 4: Setting up your IDE and writing Tests Agenda
  • 10. Real-time Processing Engine PCAP NETFLOW DPI IDS AV EMAIL FIREWALL HOST LOGS PARSE NORMALIZE TAG VALIDATE PROCESS USER ASSET GEO WHOIS CONN ENRICH STIX Flat Files Aggregators Model As A Service Cloud Services LABEL PCAP Store ALERT PERSIST Alert Security Data Vault Apache Metron Logical Architecture Network Tap Custom Metron UI/Portals Real-Time Search Interactive Dashboards Data Modelling Integration Layer PCAP Replay Security Layer Data & Integration Services Apache Metron
  • 11. Page11 Sensor A Sensor B Sensor N Topic A Topic B Topic (N) Apache Kafka PCAP PCAP Probe Physical Architecture Normalizing Topology A Normalizing Topology B Normalizing Topology N Apache Storm Native Format Native Format Native Format PCAP on HDFS Metron PCAP Service PCAP Topology Enrich Normalized Metron Format Enrichment/ Threat Intel Topology Out to Index + HDFS
  • 12. Page12 Topic A Normalizing Topology A Sensor A Native Format Apache Kafka Apache Storm Kafka Spout Parser Kafka Bolt Enriched Metron JSON Parsing/Normalization Topology Key Points: • Each New Telemetry Data Source will have its own Parser Topology • Two types of Parsers available: Grok and Java
  • 13. Page13 2 Types of Parsers Parser Type Description Telemetry Type Grok • A grok is a collection of named regular expressions. • Provides a declarative way to write new parsers without any code • A parser takes an input, which is usually a byte array coming from the Kafka Spout, and turns it into a Metron JSON Object. • The Grok parser does this by utilizing the Grok library inside of the Parser Kafka Bolt Adapter. • Use this parser when telemetry is simple to parse or low in volume Java • Java based approach to writing a custom parsers • Use this parser when telemetry is complex to parse or high volume
  • 14. Page14 Metron JSON Object • Numerous sensors log in different formats. The parser should normalize at least the following subset of fields to the following Metron JSON naming conventions:
  • 16. Page16 Part 1 – Overview of Apache Metron • Challenges with Today’s Security Tools to Combat Cyber Attacks • Introduction to Apache Metron • Metron Architecture • Personas and Core Themes • Why Apache Metron? Part 2 – Code Lab: Adding a Net New Data Telemetry Data Source into Metron • Setting up the Use Case for the Code Lab: Tracing a Squid Telemetry through the platform • Get your Metron vagrant VM started • Use Case 1: Adding a net new telemetry data source to Metron • Use Case 2: Enriching Telemetry Data • Use Case 3: Adding/Enriching/Validating with Threat Intel Feeds • Use Case 4: Setting up your IDE and writing Tests Agenda
  • 18. Page18 Metron’s Key Functional Themes Platform Work done to harden the platform for performance, scale, extensibility and maintainability. This also includes capabilities around provisioning, managing and monitoring the application. Set of Data Sources that Metron provides capabilities to stream, ingest and parse into the platform. A set of Storm Topologies to perform various actions in real-time including: normalization of telemetry data, enrichment, cross reference with threat intel feeds, alerting, indexing, and persisting into Historical stores Data Collection Data Processing UI Set of portal, dashboard and user interfaces for the different personas.
  • 19. Page19 Target Personas and Themes for Apache Metron 0.1 T e c h P r e v i e w 1 - I n t r o Theme: Platform Theme: Data Collection Theme: Data Processing Theme: UI Security Platform Engineer Security Platform Engineer Security Platform Engineer SOC Investigator Security Platform Engineer SOC Investigator Forensic Investigator SOC Investigator SOC Analyst SOC Manager
  • 20. Page20 • Fully automated vagrant install of Metron on a single VM • Fully automated install of Metron on multi-node HDP cluster via Ansible scripts, Ambari blueprints and APIs including: • Multi-node Elastic Search Cluster • Metron-UI Web Application • Deployment of the Metron Storm Topology • Deployment of telemetry sensors: PCAP, Bro, YAF(Netflow), Snort • OpenSOC redesign (new topology structure, extensible enrichments, threat intel, data loads, configs, ease of adding new topologies) Platform Data Collection • Ingestion of the following data sources: PCAP via pycapa or C++ DPDK probe, Bro, Netflow via YAF, Snort • Parsers for the following data sources: PCAP, Bro, Netflow & Snort Data Processing • Support for the following enrichment services: Geo, WhoIs, Host • Threat Intelligence Message enrichment - Enrich messages with fields that mat the threat intelligence data in HBase • Support for the following persistence services: HDFS, HBase and Elastic Search • Indexing events and Alerts into Elastic Search cluster • Support for Soltra(CIF) Threat Aggregator Services via STIX and Taxii Feed • Ability to replay PCAP files for Testing UI • Metron Investigator UI to search across indexed events and alerts for SOC Analyst & Investigators • Histogram Panels for each of the data sources (YAF, Bro, Snort) • Table Views for Alerts (YAF, Bro, Snort) • Customize new panels with different data sources and different panel types. Key Features of Apache Metron 0.1
  • 21. Page21 Part 1 – Overview of Apache Metron • Challenges with Today’s Security Tools to Combat Cyber Attacks • Introduction to Apache Metron • Metron Architecture • Personas and Core Themes • Why Apache Metron? Part 2 – Code Lab: Adding a Net New Data Telemetry Data Source into Metron • Setting up the Use Case for the Code Lab: Tracing a Squid Telemetry through the platform • Get your Metron vagrant VM started • Use Case 1: Adding a net new telemetry data source to Metron • Use Case 2: Enriching Telemetry Data • Use Case 3: Adding/Enriching/Validating with Threat Intel Feeds • Use Case 4: Setting up your IDE and writing Tests Agenda
  • 22. Page22 Why Metron? SOC Analyst Perspective Looking through alerts 25% Collecting contextual data 25% Formulating a Hypothesis 5% Investigate 20% Remediate 15% Update Workflow 5% Wrte Report 5% ANALYST WORKFLOW • Alerts Relevancy Engine • Smarter ML alerts • Centralized Alerts Console • Enriched with threat intel data • Fully enriched messages • Single pane of glass UI • Centralized real-time search • All logs in one place • Granular access to PCAP • Replay old PCAP against new signatures • Tag behavior for modelling by data scientists • Raw messages used as evidentiary store • Mine investigation history • Asset inventory as an enrichment • User identity as an enrichment • Workflow engine • Ticket clustering Everything you need to know in one place
  • 23. Page23 Why Metron? Data Scientist Perspective Formulating a Hypothesis 5% Finding Data 20% Cleaning Data 20% Munging Data 20% Visualizing Data 20% Modelling Data 10% Validating Model 5% DATA SCIENCE WORKFLOW • All my data is in the same place • Data exposed through a variety of APIs • Standard Access Control Policies • Quickly see what I have • Metron normalizes objects • Partial schema validation on ingest • Tagging on ingest • Automatic data enrichment • Automatic application of class labels • Common Metron Objects • Massively parallel computation framework • Reusable Zeppelin Dashboards • Real-time search + UI • Integration with Python/R • Integration with analytics tools Reducing time from hypothesis to model
  • 24. Page24 Part 1 – Overview of Apache Metron • Challenges with Today’s Security Tools to Combat Cyber Attacks • Introduction to Apache Metron • Metron Architecture • Personas and Core Themes • Why Apache Metron? Part 2 – Code Lab: Adding a Net New Data Telemetry Data Source into Metron • Setting up the Use Case for the Code Lab: Tracing a Squid Telemetry through the platform • Get your Metron vagrant VM started • Use Case 1: Adding a net new telemetry data source to Metron • Use Case 2: Enriching Telemetry Data • Use Case 3: Adding/Enriching/Validating with Threat Intel Feeds • Use Case 4: Setting up your IDE and writing Tests Agenda
  • 25. Page25 Use Case Setup • Scenario • Customer Foo has installed Metron TP1 and they are using the out of the box data sources (PCAP, YAF/Netflow, Snort and Bro). They love Metron! • But now they want to add new data source the the platform: squid proxy logs. • Customer Foo’s requirements are the following 1. Need to ingest the proxy events from Squid logs in real-time 2. The proxy logs has to be parsed into a standardized JSON structure that Metron can understand 3. In real-time, the squid proxy event needs to be enriched with domain/whois information (domain, cert, country, company) 4. In real-time, the domain of the proxy event must be checked against for threat intel feeds 5. If there is a threat intel hit, an alert needs to be raised 6. The end user must be able to see the new telemetry events and the alerts from the new data source
  • 26. Page26 Squid & its Telemetry Event • What is Squid? • Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages • What does a Squid Access Log look like? • When you make an outbound http connection to https://www.cnn.com, the following entry gets added to a file called access.log: Unix Epoch Time IP of host where connection was made. The domain name of the outbound connection 1461576382.642 161 98.220.218.158 TCP_MISS/200 103701 GET http://www.cnn.com/ - DIRECT/199.27.79.73 text/html
  • 27. Page27 What Metron does to the Squid Telemetry Event in Real-time Convert from Unix Epoch to Timestamp Use Metron’s asset enrichment to enrich that IP (hostname, type of device) Use Metron’s WhoIs enrichment To look up domain name information (e.g: Use the Metron’s Threat Intel Services to cross-reference the IP with threat intel feed to see if there is a hit 1461576382.642 161 127.0.0.1 TCP_MISS/200 103701 GET http://www.cnn.com/ - DIRECT/199.27.79.73 text/html Index the event into Elastic and persist into HDFS (Security Data Vault)
  • 28. Page28 Real-time Processing Engine Squid Logs PARSE NORMALIZE TAG VALIDATE PROCESS USER ASSET GEO WHOIS CONN ENRICH STIX Flat Files Aggregators Model As A Service Cloud Services LABEL PCAP Store ALERT PERSIST Alert Security Data Vault Real-Time Search Interactive Dashboards Data Modelling Integration Layer PCAP Replay Security Layer Data & Integration Services Tracing the Squid Event across the Platform Custom Metron UI/Portals
  • 29. Page29 Step 1: Telemetry Ingest (Tracing an Event) 1461576382.642 161 98.220.218.158 TCP_MISS/200 103701 GET http://www.cnn.com/ - DIRECT/199.27.79.73 text/html
  • 30. Page30 Step 2 – Process/Parse (Tracing an Event)
  • 31. Page31 Step 3 – Enrich (Tracing an Event)
  • 32. Page32 Enriching Data Architecture Metron Enrichment Store (HBase/) Enrichment Loader Framework Bulk Load Polling Enrichment Source Storm Bolt Cache Metron Streaming Messages Enriched Metron Streaming Messages
  • 33. Page33 Step 4 – Label/Threat Intel (Tracing an Event) Threat Intel Store (HBase) Threat Intel Loader Framework Bulk Load Polling Storm Bolt Cache Metron Streaming Messages (Enriched) Enriched Metron Streaming Messages (Enriched) + Threat Intel Hits Threat Intel Feed Source (Optional) Threat Intel Aggregator
  • 34. Page34 High level Steps – How to Add the New Telemetry 1. Create new Kafka topic for the new telemetry source called “squid” 2. Create and validate a grok statement file that parses the squid event log into a format that Metron can understand 3. Store that grok statement in HDFS 4. Create a new flux configuration for the new Squid parser Storm Topology. 5. Update Zookeeper with configuration to mark what fields in the telemetry to enrich and what fields to cross- reference with threat intel feeds. 6. Move the flux configuration to the host where you will deploy the topology. 7. Deploy the new squid Storm parser topology using the new flux configuration 8. Load WhoIs enrichment data and configure enrichment mapping 9. Load Threat Intel data and configure threat intel matching mapping 10. Use Apache Nifi to capture the squid events and push them into Metron 11. Create a new Panel in Kibana and see the telemetry events Key Points Easy Extensibility – The ability to add new data source without writing any code and in an easy mann Repeatable Pattern - The following represents a repeatable pattern that you can apply to most data s