Tracing - a Journey to Tactical Insights by Florian Kückelkorn

Transcript

1. 1 Tracing A journey to tactical insights Florian Kuckelkorn

2. 2 Speaker Tracing – A journey to tactical insights Florian

   Kuckelkorn Technical Coordinator Florian.Kuckelkorn@gdata.de

3. 3 Content Tracing – A journey to tactical insights o

   Tracing for the non technical audience o Tracing for the technical audience o Post – Processing of traces o Tracing in the scope of G DATA CyberDefense

4. 4 Tracing – A journey to tactical insights Tracing for

   the non-technical audience

5. 5 Tracing – A journey to tactical insights Spans, Traces,

   Post-Processing

6. 6 Crime Scene Tracing – A journey to tactical insights

7. 7 Crime Scene Tracing – A journey to tactical insights

   The Jewel Robbery at the Grand Metropolitan A g a th a C h ris tie s P o iro t - 1 9 2 3

8. 8 Crime Scene Tracing – A journey to tactical insights

9. 9 Tracing – A journey to tactical insights Persons of

   interest

10. 10 Detective Tracing – A journey to tactical insights Arthur

    Hastings Hercule Poirot

11. 11 Jewelry owner & possible suspects Tracing – A journey

    to tactical insights Mr. & Mrs. Opalsen Jewelry

12. 12 Possible suspect Tracing – A journey to tactical insights

    Céléstine – Mrs. Opalsen lady's maid

13. 13 Possible suspect Tracing – A journey to tactical insights

    Chambermaid of grand hotel

14. 14 Tracing – A journey to tactical insights The act

15. 15 Start Tracing – A journey to tactical insights Mr.

    and Mrs. Opalsen are getting ready for the theatre

16. 16 Jewel box Tracing – A journey to tactical insights

    The jewelry is placed in a jewel box

17. 17 Homecoming Tracing – A journey to tactical insights Mr.

    & Mrs. Opalsen return from the theatre

18. 18 Robbery Tracing – A journey to tactical insights The

    Jewelry is gone !

19. 19 Tracing – A journey to tactical insights Solving the

    case by the means of tracing

20. 20 Witness interrogation Tracing – A journey to tactical insights

    Hotel room Mrs. Opalsen Hotel room Mr. & Mrs. Opalsen witness interrogation leads to spans and traces Hotel room Theatre Jewelry Jewelry Box unkown Celestine (maid) Chambermaid Hotel work Dinner with Celestine Hotel work

21. 21 Witness interrogation Tracing – A journey to tactical insights

    Hotel room Mrs. Opalsen Hotel room Mr. & Mrs. Opalsen Post-Processing of span leads to possible suspects Hotel room Theatre Jewelry Jewelry Box unkown Celestine (maid) Chambermaid Hotel work Dinner with Celestine Hotel work

22. 22 Witness interrogation Tracing – A journey to tactical insights

    Hotel room Mrs. Opalsen Hotel room Mr. & Mrs. Opalsen Child_of Spans with details Hotel room Theatre Jewelry Jewelry Box unkown Celestine (maid) Chambermaid Hotel work Dinner with Celestine Hotel work Next room

23. 23 Witness interrogation Tracing – A journey to tactical insights

    Hotel room Mrs. Opalsen Hotel room Mr. & Mrs. Opalsen Child_of Spans with details Hotel room Theatre Jewelry Jewelry Box unkown Celestine (maid) Chambermaid Hotel work Dinner with Celestine Hotel work Next room

24. 24 Witness interrogation Tracing – A journey to tactical insights

    Hotel room Mrs. Opalsen Hotel room Mr. & Mrs. Opalsen Child_of Spans with details Hotel room Theatre Jewelry Jewelry Box unkown Celestine (maid) Chambermaid Hotel work Dinner with Celestine Hotel work Next room

25. 25 Tracing – A journey to tactical insights Tracing for

    the technical audience

26. 26 Observability Tracing – A journey to tactical insights Metrics

    Tracing Logging Request-scoped events Request-scoped metrics aggregatable events D A T A

27. 27 OpenTracing Specification Tracing – A journey to tactical insights

    https://github.com/opentracing/specification/blob/master/specification.md “Traces in OpenTracing are defined implicitly by their Spans. In particular, a Trace can be thought of as a directed acyclic graph (DAG) of Spans, where the edges between Spans are called References.”

28. 28 Span Context Tracing – A journey to tactical insights

    optional: span baggage https://opentracing.io/docs/overview/

29. 29 Tracers Tracing – A journey to tactical insights https://opentracing.io/docs/overview/tracers/

30. 30 Launch Docker Swarm Stacks Tracing – A journey to

    tactical insights Each span one message

31. 31 Raw Spandata Tracing – A journey to tactical insights

32. 32 Raw Spandata Tracing – A journey to tactical insights

33. 33 Raw Spandata Tracing – A journey to tactical insights

34. 34 Raw Spandata Tracing – A journey to tactical insights

35. 35 Tracing – A journey to tactical insights Post-Processing of

    traces

36. 36 Tactical Intel Tracing – A journey to tactical insights

    Tactical Insights Dependencies RED Metrics (Rate, Error, Duration) Distributed Commit ComLayer (Waittime, …) AutoScaling Anomaly detection Feature extraction DataScience (manual) Run-Time analysis Message-loss recursive chain DataScope Knowledge Base

37. 37 Stream Processing – Core Concept Tracing – A journey

    to tactical insights Stream Processing

38. 38 Stream Processing – Core Concept Tracing – A journey

    to tactical insights Simple Event Processing (SEP) Route, Filter, Enrich

39. 39 Stream Processing – Core Concept Tracing – A journey

    to tactical insights Event Stream Processing (ESP) min, max, avg

40. 40 Stream Processing – Core Concept Tracing – A journey

    to tactical insights Complex Event Processing (CEP) Patterns, Stateful, Joins

41. 41 Tracing – A journey to tactical insights Apache Flink

    1.10 Stateful Computations over Data Stream

42. 42 Apache Flink Tracing – A journey to tactical insights

43. 43 Tracing – A journey to tactical insights Tracing in

    the scope of G DATA CyberDefense

44. 44 G DATA CyberDefense AG Tracing – A journey to

    tactical insights • German IT Security company • Founded 1985 in Bochum • ~ 500 employees

45. 45 G DATA CyberDefense AG Tracing – A journey to

    tactical insights • G DATA CyberDefense AG • First commerical AV software 1987 • Today broad product portfolio B2B / B2C • G DATA Advanced Analytics • Founded 2015 • Security Consulting, Incident Response, Malware Analysis

46. 46 Some internal metrics Tracing – A journey to tactical

    insights No Sampling -> 250 GB per day 0,1 % Sampling -> 1 GB per day

47. 47 Tracing Prototype Tracing – A journey to tactical insights

    https://github.com/GDATASoftwareAG/DevOpsGathering2020

48. 48 Top Level Tracing – A journey to tactical insights

    Sample Processing

49. 49 Services Tracing – A journey to tactical insights Sample

    Ingester Dynamic Analyser Statical Analyser Classificator

50. 50 TopLevel Events Tracing – A journey to tactical insights

    NEW_SAMPLE_RECEIVED SAMPLE_RECEIVED SANDBOX_RUN_COMPLETE STATICAL_ANALYSIS_COMPLETE SAMPLE_CLASSIFIED

51. 51 Implementation Tracing – A journey to tactical insights Sample

    Ingester Dynamic Analyser Statical Analyser Classificator Kafka NEW_SAMPLE_RECEIVED

52. 52 Top Level Trace Tracing – A journey to tactical

    insights Sample Ingest Statical Analyser Dynamical Analyser Classificator Sample Processing

53. 53 Launch Docker Swarm Stacks Tracing – A journey to

    tactical insights docker swarm init

54. 54 Jaeger Collector General Tracing Architecture Tracing – A journey

    to tactical insights Jaeger Agent Services Post Processing Jaeger UI Database Kafka

55. 55 Post Processing Architecture Tracing – A journey to tactical

    insights Post Processing Kafka Apache Flink GraphDB Prometheus ElasticSearch

56. 56 Jaeger UI Tracing – A journey to tactical insights

57. 57 RED Metrics (Rate, Error and Duration) Tracing – A

    journey to tactical insights PUBLISHER_RATE_GENERATOR = PROB PUBLISHER_RATE = 3 SIMULATE_S3_BEHAVIOUR = PROBABILISTIC

58. 58 RED Metrics (Rate, Error and Duration) Tracing – A

    journey to tactical insights PUBLISHER_RATE_GENERATOR = PROB PUBLISHER_RATE = 3 SIMULATE_S3_BEHAVIOUR = CONST

59. 59 RED Metrics (Rate, Error and Duration) Tracing – A

    journey to tactical insights PUBLISHER_RATE_GENERATOR = PROB PUBLISHER_RATE = 3 SIMULATE_S3_BEHAVIOUR = ERROR

60. 60 Service Dependencies Tracing – A journey to tactical insights

61. 61 Data Scope Tracing – A journey to tactical insights

    Tag your spans child_of fellow_from child_of

62. 62 Apache Flink Tracing – A journey to tactical insights

    Apache Flink 1.10

63. 63 Apache Flink Tracing – A journey to tactical insights

    Apache Flink 1.10

64. 64 Apache Flink Tracing – A journey to tactical insights

    Processing Chain

65. 65 Apache Flink Tracing – A journey to tactical insights

    Processing Chain

66. 66 Apache Flink Tracing – A journey to tactical insights

    Processing Chain

67. 67 Apache Flink – CEP Pattern Tracing – A journey

    to tactical insights

68. 68 Final Words Tracing – A journey to tactical insights

    Your are invited to contact me: Florian.Kuckelkorn@gdata.de