Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Open Security Operations Center

James Sirota
June 03, 2014
Programming
3
790

Open Security Operations Center

Turn your Big Data Platform into a Security Analytics Platform. Presented at Hadoop Summit

James Sirota

June 03, 2014
Tweet

More Decks by James Sirota

See All by James Sirota
Detecting Hacks: Anomaly Detection on Networking Data
jsirota
4
230

Other Decks in Programming

See All in Programming
dbtのドメイン分割による データ基盤の改善とDigdagとの連携
sakama
0
440
Komplexe Oberflächen mit SVG und der Web Animation API
joergneumann
0
680
Elm 0.19.0 Changes
bkuhlmann
0
510
Fragment Composition of GraphQL
quramy
13
1.4k
デフォルトにして至高、RubyMineの大好きな所
ruzia
0
720
Apache Hive 4 on Treasure Data
ryukobayashi
1
420
Let's learn code review
riofujimon
2
570
雑に思考を整理する技術と効能
konifar
63
30k
スキーマ駆動開発による品質とスピードの両立 - 私達は何故、スキーマを書くのか
kentaroutakeda
0
180
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
43
19k
Exploring the Implementation of “t.Run”, “t.Parallel”, and “t.Cleanup”
akarin
1
110
新宿ダンジョンを可視化してみた
satoshi7190
3
380

Featured

See All Featured
Raft: Consensus for Rubyists
vanstee
133
6.3k
Embracing the Ebb and Flow
colly
80
4.2k
Typedesign – Prime Four
hannesfritz
36
2.1k
RailsConf 2023
tenderlove
8
550
For a Future-Friendly Web
brad_frost
172
9k
Building an army of robots
kneath
300
41k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
13
8.3k
Writing Fast Ruby
sferik
622
60k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
188
16k
Navigating Team Friction
lara
179
13k
It's Worth the Effort
3n
180
27k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k

Transcript

  1. OpenSOC

  2. 2 §  Problem Statement & Business Case for OpenSOC § 

    Solution Architecture and Design §  Best Practices and Lessons Learned §  Q & A Over Next Few Minutes

  3. 3 Business Case

  4. 4 “There's now a growing sense of fatalism: It's no

    longer if or when you get hacked, but the assumption is that you've already been hacked, with a focus on minimizing the damage.” Source: Dark Reading / Security’s New Reality: Assume The Worst

  5. 5 Breaches Happen in Hours…

  6. 6 Cisco Global Cloud Index Source: 2014 Cisco Global Cloud

    Index

  7. 7 Introducing OpenSOC

  8. 8 OpenSOC Journey Sept 2013 First Prototype Dec 2013 Hortonworks

    joins the project March 2014 Platform development finished Sept 2014 General Availability May 2014 CR Work off April 2014 First beta test at customer site

  9. 9 Solution Architecture & Design

  10. 10 OpenSOC Conceptual Architecture Raw Network Stream Network Metadata Stream

    Netflow Syslog Raw Application Logs Other Streaming Telemetry Hive HBase Raw Packet Store Long-Term Store Elastic Search Real-Time Index Network Packet Mining and PCAP Reconstruction Log Mining and Analytics Big Data Exploration, Predictive Modeling Applications + Analyst Tools Parse + Format Enrich Alert Threat Intelligence Feeds Enrichment Data

  11. 11 §  Raw Network Packet Capture, Store, Traffic Reconstruction § 

    Telemetry Ingest, Enrichment and Real-Time Rules-Based Alerts §  Real-Time Telemetry Search and Cross-Telemetry Matching §  Automated Reports, Anomaly Detection and Anomaly Alerts §  Rich Analytics Apps and Integration with Existing Analytics Tools Key Functional Capabilities

  12. 12 §  Fully-Backed by Cisco and Used Internally for Multiple

    Customers §  Free, Open Source and Apache Licensed §  Built on Highly-Scalable and Proven Platforms (Hadoop, Kafka, Storm) §  Extensible and Pluggable Design §  Flexible Deployment Model (On-Premise or Cloud) §  Centralize your processes, people and data The OpenSOC Advantage

  13. 13 OpenSOC Deployment at Cisco Hardware footprint (40u) §  14

    Data Nodes (UCS C240 M3) §  3 Cluster Control Nodes (UCS C220 M3) §  2 ESX Hypervisor Hosts (UCS C220 M3) §  1 PCAP Processor (UCS C220 M3 + Napatech NIC) §  2 SourceFire Threat alert processors §  1 Anue Network Traffic splitter §  1 Router §  1 48 Port 10GE Switch Software Stack § HDP 2.1 § Kafka 0.8 § Elastic Search 1.1 § MySQL 5.5

  14. 14 OpenSOC - Stitching Things Together Access Messaging System Data

    Collection Source Systems Storage Real Time Processing Storm Kafka B Topic N Topic Elastic Search Index Web Services Search PCAP Reconstruction HBase PCAP Table Analytic Tools R / Python Power Pivot Tableau Hive Raw Data ORC Passive Tap PCAP Topic DPI Topic A Topic Telemetry Sources Syslog HTTP File System Other Flume Agent A Agent B Agent N B Topology N Topology A Topology PCAP Traffic Replicator PCAP Topology DPI Topology

  15. 15 OpenSOC - Stitching Things Together Access Messaging System Data

    Collection Source Systems Storage Real Time Processing Storm Kafka B Topic N Topic Elastic Search Index Web Services Search PCAP Reconstruction HBase PCAP Table Analytic Tools R / Python Power Pivot Tableau Hive Raw Data ORC Passive Tap PCAP Topic DPI Topic A Topic Telemetry Sources Syslog HTTP File System Other Flume Agent A Agent B Agent N B Topology N Topology A Topology PCAP Traffic Replicator Deeper Look PCAP Topology DPI Topology

  16. 16 PCAP Topology Storage Real Time Processing Storm Elastic Search

    Index HBase PCAP Table Hive Raw Data ORC Kafka Spout Parser Bolt HDFS Bolt HBase Bolt ES Bolt

  17. 17 DPI Topology & Telemetry Enrichment Storage Real Time Processing

    Storm Elastic Search Index HBase PCAP Table Hive Raw Data ORC Kafka Spout Parser Bolt GEO Enrich Whois Enrich CIF Enrich HDFS Bolt ES Bolt

  18. 18 Enrichments Parser Bolt GEO Enrich RAW Message {! “msg_key1”:

    “msg value1”,! “src_ip”: “10.20.30.40”,! “dest_ip”: “20.30.40.50”,! “domain”: “mydomain.com”! }! Who Is Enrich "geo":[ {"region":"CA",! "postalCode":"95134",! "areaCode":"408",! "metroCode":"807",! "longitude":-121.946,! "latitude":37.425,! "locId":4522,! "city":"San Jose",! "country":"US"! }]! CIF Enrich "whois":[ {! "OrgId":"CISCOS",! "Parent":"NET-144-0-0-0-0",! "OrgAbuseName":"Cisco Systems Inc",! "RegDate":"1991-01-171991-01-17",! "OrgName":"Cisco Systems",! "Address":"170 West Tasman Drive",! "NetType":"Direct Assignment"! } ],! “cif”:”Yes”! Enriched Message Cache MySQL Geo Lite Data Cache HBase Who Is Data Cache HBase CIF Data

  19. 19 Applications: Telemetry Matching and DPI Step1: Search Step2: Match

    Step3: Analyze Step4: Build PCAP

  20. 20 Integration with Analytics Tools Dashboards Reports

  21. 21 Best Practices

  22. 22 Journey Towards Highly Scalable Application

  23. 23 Kafka Tuning

  24. 24 This is where we began

  25. 25 Some code optimizations and increased parallelism

  26. 26 §  Is Disk I/O heavy §  Kafka 0.8+ supports

    replication and JBOD §  Better performance compared to RAID §  Parallelism is largely driven by number of disks and partitions per topic §  Key configuration parameters: §  num.io.threads - Keep it at least equal to number of disks provided to Kafka §  num.network.threads - adjust it based on number of concurrent producers, consumers and replication factor Kafka Tuning

  27. 27 After Kafka Tuning

  28. 28 Bottleneck Isolation, Resource Profiling, Load Balancing

  29. 29 HBase Tuning

  30. 30 This is where we began

  31. 31 §  Row Key design is critical (gets or scans

    or both?) §  Keys with IP Addresses §  Standard IP addresses have only two variations of the first character : 1 & 2 §  Minimum key length will be 7 characters and max 15 with a typical average of 12 §  Subnet range scans become difficult – range of 90 to 220 excludes 112 §  IP converted to hex (10.20.30.40 => 0a141e28) §  gives 16 variations of first key character §  consistently 8 character key §  Easy to search for subnet ranges Row Key Design

  32. 32 Experiments with Row Key

  33. 33 §  Know your data §  Auto split under high

    workload can result into hotspots and split storms §  Understand your data and presplit the regions §  Identify how many regions a RS can have to perform optimally. Use the formula below (RS memory)*(total memstore fraction)/((memstore size)*(# column families))! Region Splits

  34. 34 With Region Pre-Splits

  35. 35 §  Enable Micro Batching (client side buffer) §  Smart

    shuffle/grouping in storm §  Understand your data and situationally exploit various WAL options §  Watch for many minor compactions §  For heavy ‘write’ workload Increase hbase.hstore.blockingStoreFiles (we used 200) Know Your Application

  36. 36 And Finally

  37. 37 Kafka Spout

  38. 38 §  Parallelism is controlled by number of partitions per

    topic §  Set Kafka spout parallelism equal to number of partitions in topic §  Other key parameters that drive performance §  fetchSizeBytes! §  bufferSizeBytes! Kafka Spout

  39. 39 Mysteriously Missing Data

  40. 40 §  A bug in Kafka spout that used to

    miss out some partitions and loose data §  It is now fixed and available from Hortonworks repository ( http://repo.hortonworks.com/content/repositories/releases/org/apache/ storm/storm-Kafka ) Mysteriously Missing Data Root Cause

  41. 41 Storm

  42. 42 §  Every small thing counts at scale §  Even

    simple string operations can slowdown throughput when executed on millions of Tuples Storm

  43. 43 §  Error handling is critical §  Poorly handled errors

    can lead to topology failure and eventually loss of data (or data duplication) Storm

  44. 44 §  Tune & Scale individual spout and bolts before

    performance testing/tuning entire topology §  Write your own simple data generator spouts and no-op bolts §  Making as many things configurable as possible helps a lot Storm

  45. 45 §  When it comes to Hadoop…partner up §  Separate

    the hype from the opportunity §  Start small then scale up §  Design Iteratively §  It doesn’t work unless you have proven it at scale §  Keep an eye on ROI Lessons Learned

  46. 46 How can you contribute? §  Technology Partner Program –

    contribute developers to join the Cisco and Hortonworks team Looking for Community Partners

  47. Thank you! We are hiring: [email protected] [email protected]