“Technically advanced attackers often leave behind clue-based evidence of their activities, but uncovering them usually involves filtering through mountains of logs and telemetry. The application of big data analytics to this problem has become a necessity,” Cisco Security Solutions manager Pablo Salazar pointed out before announcing that the company is open sourcing its OpenSOC Big Data security analytics framework.
“The OpenSOC framework helps organizations make big data part of their technical security strategy by providing a platform for the application of anomaly detection and incident forensics to the data loss problem,” he explained.
OpenSOC integrates elements of the Hadoop ecosystem such as Storm, Kafka, and Elasticsearch, and offers the following capabilities: full-packet capture indexing, storage, data enrichment, stream processing, batch processing, real-time search, and telemetry aggregation.
Because all of this data is delivered through a centralized platform, security analysts can detect problems and react swiftly. The emphasis is on data delivery being “quick” – in real time, in fact – and all in one place, so that analysts don’t need to consult numerous reports and sources or waste valuable time sifting through unstructured data.
“As an open source solution, OpenSOC opens the door for any organization to create an incident detection tool specific to their needs,” Salazar pointed out.
“The framework is highly extensible: any organization can customize their incident investigation process. It can be tailored to ingest and view any type of telemetry, whether it is for specialized medical equipment or custom-built point of sale devices. By leveraging Hadoop, OpenSOC also has the foundational building blocks to horizontally scale the amount of data it collects, stores, and analyzes based on the needs of the network.”