SlideShare a Scribd company logo

Apache Metron in the Real World

Dave Russell
Dave Russell

Dave Russell - Presented at Big Data Vilnius 27-29th November 2018 https://www.bigdataconference.lt/

Technology
1 of 49
Download to read offline
1 © Hortonworks Inc. 2011–2018. All rights reserved 27-29 November, Vilnius Apache Metron in the Real World Dave Russell - Hortonworks www.roaringelephant.org
2 © Hortonworks Inc. 2011–2018. All rights reserved Who am I?
3 © Hortonworks Inc. 2011–2018. All rights reserved
4 © Hortonworks Inc. 2011–2018. All rights reserved Why Apache Metron?
5 © Hortonworks Inc. 2011–2018. All rights reserved Months until breach noticed Avg. months log retention 9 6 VS 3 Months missing
6 © Hortonworks Inc. 2011–2018. All rights reserved 28 Months Police One/Berkut Yahoo/FSB FB/Cambridge Analytica 35 Months 48 Months Time until breach actually noticed
7 © Hortonworks Inc. 2011–2018. All rights reserved “Sometime in the next few years we're going to have our first category-one cyber-incident; one that will need a national response.” Ian Levy Technical Director National Cyber Security Centre
8 © Hortonworks Inc. 2011–2018. All rights reserved Andhra Pradesh Police, India Aristotle University of Thessaloniki, Greece Automobile Dacia, Romania Cambrian College, Canada Chinese public security bureau CJ CGV Dalian Maritime University Deutsche Bahn Dharmais Hospital, Indonesia Faculty Hospital, Nitra, Slovakia FedEx Garena Blade and Soul Guilin University Of Aerospace Technology Guilin University Of Electronic Technology Harapan Kita Hospital[disambiguation needed], IndonesiaHezhou University Sandvik São Paulo Court of Justice Saudi Telecom Company Sberbank Shandong University State Governments of India Government of Gujarat Government of Kerala Government of Maharashtra Government of West Bengal Suzhou Vehicle Administration Sun Yat-sen University, China Telefónica Telenor Hungary, Hungary Telkom (South Africa) Timrå Municipality, Sweden Universitas Jember, Indonesia University of Milano-Bicocca, Italy University of Montreal, Canada Vivo, Brazil Hitachi Honda Instituto Nacional de Salud, Colombia Lakeridge Health LAKS LATAM Airlines Group MegaFon Ministry of Internal Affairs of the Russian Federation Ministry of Foreign Affairs (Romania) National Health Service (England) NHS Scotland Nissan Motor Manufacturing UK O2, Germany Petrobrás PetroChina Portugal Telecom Pulse FM Q-Park Renault Russian Railways
9 © Hortonworks Inc. 2011–2018. All rights reserved 2018 so far... 340M Records 150M Records 92M Records And many, many, many more.. https://en.wikipedia.org/wiki/List_of_data_ breaches
10 © Hortonworks Inc. 2011–2018. All rights reserved What Does Apache Metron Look Like?
11 © Hortonworks Inc. 2011–2018. All rights reserved Security telemetry source: authentication logsSecurity telemetry source: authentication logs
12 © Hortonworks Inc. 2011–2018. All rights reserved
13 © Hortonworks Inc. 2011–2018. All rights reserved
14 © Hortonworks Inc. 2011–2018. All rights reserved
15 © Hortonworks Inc. 2011–2018. All rights reserved What is Apache Metron?
16 © Hortonworks Inc. 2011–2018. All rights reserved Built on top on proven open source big data technology
17 © Hortonworks Inc. 2011–2018. All rights reserved An architecture for real-time cybersecurity analytics
18 © Hortonworks Inc. 2011–2018. All rights reserved Telemetry Data Source
19 © Hortonworks Inc. 2011–2018. All rights reserved Telemetry Data Collectors
20 © Hortonworks Inc. 2011–2018. All rights reserved Cyber Security Stream Processing Pipeline
21 © Hortonworks Inc. 2011–2018. All rights reserved Profiling by time t = 1 t = 2 t = 3 t = n Wide range of algorithms including: à HyperLogLogPlus à Bloom filters à T-digests à Statistical Baselining à Hashing functions à Outlier detection à GeoHashing over time à Locality Sensitive HashingApprox. Data Sketch Approx. Data Sketch Approx. Data Sketch Approx. Data Sketch Combined Baseline Statistic
22 © Hortonworks Inc. 2011–2018. All rights reserved Cyber Security Stream Processing Pipeline
23 © Hortonworks Inc. 2011–2018. All rights reserved Apache Metron Modules
24 © Hortonworks Inc. 2011–2018. All rights reserved Who is Using Apache Metron (Part 1)
25 © Hortonworks Inc. 2011–2018. All rights reserved
26 © Hortonworks Inc. 2011–2018. All rights reserved
27 © Hortonworks Inc. 2011–2018. All rights reserved
28 © Hortonworks Inc. 2011–2018. All rights reserved The Wider Apache Metron Ecosystem
29 © Hortonworks Inc. 2011–2018. All rights reserved
30 © Hortonworks Inc. 2011–2018. All rights reserved Who is Using Apache Metron (Part 2)
31 © Hortonworks Inc. 2011–2018. All rights reserved
32 © Hortonworks Inc. 2011–2018. All rights reserved
33 © Hortonworks Inc. 2011–2018. All rights reserved
34 © Hortonworks Inc. 2011–2018. All rights reserved
35 © Hortonworks Inc. 2011–2018. All rights reserved Deploying Apache Metron
36 © Hortonworks Inc. 2011–2018. All rights reserved AD/AssetDB/HR/Threat HDF HDFS NiFi - Ingest HDP Phase 0 – Current State ADP Event Broker (Kafka) ADP Smart Connectors ADP Logger ArcSight ESM Security Assets 3 1 2 4 5
37 © Hortonworks Inc. 2011–2018. All rights reserved HDF Zeppelin HDFS NiFi - Ingest Kafka MQ Storm Parse / Enrich / GeoIP / Index Solr Investigator UI HDP Phase 1 - Ingest and Archive ADP Event Broker (Kafka) ADP Smart Connectors ADP Logger ArcSight ESM Security Assets AD/AssetDB/HR/Threat Spark Historical Analysis 10 6 8 7 9 11 12 13 Banana
38 © Hortonworks Inc. 2011–2018. All rights reserved HDF Zeppelin HDFS NiFi - Ingest Kafka MQ Storm Parse / Enrich / GeoIP / Index Solr Enrichment Data Investigator UI HDP Phase 2 – Enrich and Threat Intel ADP Event Broker (Kafka) ADP Smart Connectors ADP Logger ArcSight ESM Security Assets AD/AssetDB/HR/Threat Spark Historical Analysis 14 Banana / Kibana / ZoomData
39 © Hortonworks Inc. 2011–2018. All rights reserved HDF Zeppelin HDFS NiFi - Ingest Kafka MQ Storm Parse / Enrich / GeoIP / Index Solr Enrichment Data Metron Profiler Triage Alert Investigator UI HDP Phase 3 – NiFi Data Ingestion + Analytics / UEBA Profiling ADP Event Broker (Kafka) ADP Smart Connectors ADP Logger ArcSight ESM Security Assets AD/AssetDB/HR/Threat Spark Historical Analysis Source Data (via NiFi) 15 16 Banana
40 © Hortonworks Inc. 2011–2018. All rights reserved HDF Source Data (via NiFi) Zeppelin HDFS Spark Historical Analysis Model as a Service NiFi - Ingest Kafka MQ Storm Parse / Enrich / GeoIP / Index Automated Response Solr Enrichment Data Netflow / PCAP / Snort (Kafka direct) Metron Profiler Triage Alert Investigator UI HDP Phase 4 – ArcSight Logger Migration + New Data Sources ADP Event Broker (Kafka) ADP Smart Connectors ADP Logger ArcSight ESM Security Assets Banana AD/AssetDB/HR/Threat 17 18 19 20
41 © Hortonworks Inc. 2011–2018. All rights reserved Considerations for Sizing Apache Metron
42 © Hortonworks Inc. 2011–2018. All rights reserved • Events per second (average and peak) • Retention time for Hot / Warm / Cold zones • Enrichments • Node sizing • I/O Considerations • PCAP? Sizing an HCP deployment
43 © Hortonworks Inc. 2011–2018. All rights reserved 3 Months Hot Warm Fast indexed layer (Solr / ES) ~3 months Warm HDFS layer ~3 months
44 © Hortonworks Inc. 2011–2018. All rights reserved 12 Months Hot Warm Fast indexed layer (Solr / ES) ~3 months Warm HDFS layer ~12 months
45 © Hortonworks Inc. 2011–2018. All rights reserved Hot Warm Cold Fast indexed layer (Solr / ES) ~3 months Warm HDFS layer ~12 months Cold HDFS layer +12 months 24 Months
46 © Hortonworks Inc. 2011–2018. All rights reserved Cold Beyond 24 months Hot Warm ColdColdColdCold Fast indexed layer (Solr / ES) ~3 months Warm HDFS layer ~12 months Cold HDFS layer +12 months
47 © Hortonworks Inc. 2011–2018. All rights reserved Questions?
48 © Hortonworks Inc. 2011–2018. All rights reserved
49 © Hortonworks Inc. 2011–2018. All rights reserved Appendix

Recommended

Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...
Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...
Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...Lucidworks
 
Apache Metron Profiler - Cyber Bootcamp 2017
Apache Metron Profiler - Cyber Bootcamp 2017Apache Metron Profiler - Cyber Bootcamp 2017
Apache Metron Profiler - Cyber Bootcamp 2017Nick Allen
 
Apache Metron - Profiler
Apache Metron - ProfilerApache Metron - Profiler
Apache Metron - ProfilerNick Allen
 
Apache metron meetup presentation at capital one
Apache metron meetup presentation at capital oneApache metron meetup presentation at capital one
Apache metron meetup presentation at capital onegvetticaden
 
Apache metron - An Introduction
Apache metron - An IntroductionApache metron - An Introduction
Apache metron - An IntroductionBaban Gaigole
 
Scalable and adaptable typosquatting detection in Apache Metron
Scalable and adaptable typosquatting detection in Apache MetronScalable and adaptable typosquatting detection in Apache Metron
Scalable and adaptable typosquatting detection in Apache MetronDataWorks Summit
 
Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...
Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...
Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...Carolyn Duby
 
Tracing your security telemetry with Apache Metron
Tracing your security telemetry with Apache MetronTracing your security telemetry with Apache Metron
Tracing your security telemetry with Apache MetronDataWorks Summit/Hadoop Summit
 

Recommended

Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...
Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...
Cybersecurity with Apache Metron and Apache Solr - Ward Bekker, Hortonworks &...Lucidworks
 
Apache Metron Profiler - Cyber Bootcamp 2017
Apache Metron Profiler - Cyber Bootcamp 2017Apache Metron Profiler - Cyber Bootcamp 2017
Apache Metron Profiler - Cyber Bootcamp 2017Nick Allen
 
Apache Metron - Profiler
Apache Metron - ProfilerApache Metron - Profiler
Apache Metron - ProfilerNick Allen
 
Apache metron meetup presentation at capital one
Apache metron meetup presentation at capital oneApache metron meetup presentation at capital one
Apache metron meetup presentation at capital onegvetticaden
 
Apache metron - An Introduction
Apache metron - An IntroductionApache metron - An Introduction
Apache metron - An IntroductionBaban Gaigole
 
Scalable and adaptable typosquatting detection in Apache Metron
Scalable and adaptable typosquatting detection in Apache MetronScalable and adaptable typosquatting detection in Apache Metron
Scalable and adaptable typosquatting detection in Apache MetronDataWorks Summit
 
Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...
Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...
Providence Future of Data Meetup - Apache Metron Open Source Cybersecurity Pl...Carolyn Duby
 
Tracing your security telemetry with Apache Metron
Tracing your security telemetry with Apache MetronTracing your security telemetry with Apache Metron
Tracing your security telemetry with Apache MetronDataWorks Summit/Hadoop Summit
 
A streaming architecture for Cyber Security - Apache Metron
A streaming architecture for Cyber Security - Apache MetronA streaming architecture for Cyber Security - Apache Metron
A streaming architecture for Cyber Security - Apache MetronSimon Elliston Ball
 
Solving Cyber at Scale
Solving Cyber at ScaleSolving Cyber at Scale
Solving Cyber at ScaleDataWorks Summit/Hadoop Summit
 
Cloud-native application monitoring powered by Riverbed and Elasticsearch
Cloud-native application monitoring powered by Riverbed and ElasticsearchCloud-native application monitoring powered by Riverbed and Elasticsearch
Cloud-native application monitoring powered by Riverbed and ElasticsearchRichard Juknavorian
 
Open Networking
Open NetworkingOpen Networking
Open NetworkingTal Lavian Ph.D.
 
6. Kepware_IIoT_Solution
6. Kepware_IIoT_Solution6. Kepware_IIoT_Solution
6. Kepware_IIoT_SolutionSteve Lim
 
Big Traffic, Big Trouble: Big Data - Tokyo
Big Traffic, Big Trouble: Big Data - TokyoBig Traffic, Big Trouble: Big Data - Tokyo
Big Traffic, Big Trouble: Big Data - TokyoDataWorks Summit
 
Apache Spot
Apache SpotApache Spot
Apache SpotAustin Leahy
 
Manage democratization of the data - Data Replication in Hadoop
Manage democratization of the data - Data Replication in HadoopManage democratization of the data - Data Replication in Hadoop
Manage democratization of the data - Data Replication in HadoopDataWorks Summit
 
Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...
Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...
Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...DataWorks Summit
 
QCon London 2015 - Wrangling Data at the IOT Rodeo
QCon London 2015 - Wrangling Data at the IOT RodeoQCon London 2015 - Wrangling Data at the IOT Rodeo
QCon London 2015 - Wrangling Data at the IOT RodeoDamien Dallimore
 
Intelligently Collecting Data at the Edge – Intro to Apache MiNiFi
Intelligently Collecting Data at the Edge – Intro to Apache MiNiFiIntelligently Collecting Data at the Edge – Intro to Apache MiNiFi
Intelligently Collecting Data at the Edge – Intro to Apache MiNiFiDataWorks Summit
 
Application performance monitoring with Elastic APM and the ELK stack
Application performance monitoring with Elastic APM and the ELK stackApplication performance monitoring with Elastic APM and the ELK stack
Application performance monitoring with Elastic APM and the ELK stackAlain Lompo
 
Security event logging and monitoring techniques
Security event logging and monitoring techniquesSecurity event logging and monitoring techniques
Security event logging and monitoring techniquesDataWorks Summit
 
Data torrent meetup-productioneng
Data torrent meetup-productionengData torrent meetup-productioneng
Data torrent meetup-productionengChris Westin
 
Introduction to Streaming Analytics Manager
Introduction to Streaming Analytics ManagerIntroduction to Streaming Analytics Manager
Introduction to Streaming Analytics ManagerYifeng Jiang
 
Real-time Twitter Sentiment Analysis and Image Recognition with Apache NiFi
Real-time Twitter Sentiment Analysis and Image Recognition with Apache NiFiReal-time Twitter Sentiment Analysis and Image Recognition with Apache NiFi
Real-time Twitter Sentiment Analysis and Image Recognition with Apache NiFiTimothy Spann
 
Solving Cybersecurity at Scale
Solving Cybersecurity at ScaleSolving Cybersecurity at Scale
Solving Cybersecurity at ScaleDataWorks Summit
 
Reinventing enterprise defense with the Elastic Stack
Reinventing enterprise defense with the Elastic StackReinventing enterprise defense with the Elastic Stack
Reinventing enterprise defense with the Elastic StackElasticsearch
 
A Framework for Infrastructure Visibility, Analytics & Operational Intelligence
A Framework for Infrastructure Visibility, Analytics & Operational IntelligenceA Framework for Infrastructure Visibility, Analytics & Operational Intelligence
A Framework for Infrastructure Visibility, Analytics & Operational IntelligenceStephen Collins
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout SessionSplunk
 
Apache Metron in the Real World
Apache Metron in the Real WorldApache Metron in the Real World
Apache Metron in the Real WorldDataWorks Summit
 
Apache Metron: Community Driven Cyber Security
Apache Metron: Community Driven Cyber Security Apache Metron: Community Driven Cyber Security
Apache Metron: Community Driven Cyber Security DataWorks Summit/Hadoop Summit
 

More Related Content

What's hot

A streaming architecture for Cyber Security - Apache Metron
A streaming architecture for Cyber Security - Apache MetronA streaming architecture for Cyber Security - Apache Metron
A streaming architecture for Cyber Security - Apache MetronSimon Elliston Ball
 
Cloud-native application monitoring powered by Riverbed and Elasticsearch
Cloud-native application monitoring powered by Riverbed and ElasticsearchCloud-native application monitoring powered by Riverbed and Elasticsearch
Cloud-native application monitoring powered by Riverbed and ElasticsearchRichard Juknavorian
 
6. Kepware_IIoT_Solution
6. Kepware_IIoT_Solution6. Kepware_IIoT_Solution
6. Kepware_IIoT_SolutionSteve Lim
 
Big Traffic, Big Trouble: Big Data - Tokyo
Big Traffic, Big Trouble: Big Data - TokyoBig Traffic, Big Trouble: Big Data - Tokyo
Big Traffic, Big Trouble: Big Data - TokyoDataWorks Summit
 
Manage democratization of the data - Data Replication in Hadoop
Manage democratization of the data - Data Replication in HadoopManage democratization of the data - Data Replication in Hadoop
Manage democratization of the data - Data Replication in HadoopDataWorks Summit
 
Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...
Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...
Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...DataWorks Summit
 
QCon London 2015 - Wrangling Data at the IOT Rodeo
QCon London 2015 - Wrangling Data at the IOT RodeoQCon London 2015 - Wrangling Data at the IOT Rodeo
QCon London 2015 - Wrangling Data at the IOT RodeoDamien Dallimore
 
Intelligently Collecting Data at the Edge – Intro to Apache MiNiFi
Intelligently Collecting Data at the Edge – Intro to Apache MiNiFiIntelligently Collecting Data at the Edge – Intro to Apache MiNiFi
Intelligently Collecting Data at the Edge – Intro to Apache MiNiFiDataWorks Summit
 
Application performance monitoring with Elastic APM and the ELK stack
Application performance monitoring with Elastic APM and the ELK stackApplication performance monitoring with Elastic APM and the ELK stack
Application performance monitoring with Elastic APM and the ELK stackAlain Lompo
 
Security event logging and monitoring techniques
Security event logging and monitoring techniquesSecurity event logging and monitoring techniques
Security event logging and monitoring techniquesDataWorks Summit
 
Data torrent meetup-productioneng
Data torrent meetup-productionengData torrent meetup-productioneng
Data torrent meetup-productionengChris Westin
 
Introduction to Streaming Analytics Manager
Introduction to Streaming Analytics ManagerIntroduction to Streaming Analytics Manager
Introduction to Streaming Analytics ManagerYifeng Jiang
 
Real-time Twitter Sentiment Analysis and Image Recognition with Apache NiFi
Real-time Twitter Sentiment Analysis and Image Recognition with Apache NiFiReal-time Twitter Sentiment Analysis and Image Recognition with Apache NiFi
Real-time Twitter Sentiment Analysis and Image Recognition with Apache NiFiTimothy Spann
 
Solving Cybersecurity at Scale
Solving Cybersecurity at ScaleSolving Cybersecurity at Scale
Solving Cybersecurity at ScaleDataWorks Summit
 
Reinventing enterprise defense with the Elastic Stack
Reinventing enterprise defense with the Elastic StackReinventing enterprise defense with the Elastic Stack
Reinventing enterprise defense with the Elastic StackElasticsearch
 
A Framework for Infrastructure Visibility, Analytics & Operational Intelligence
A Framework for Infrastructure Visibility, Analytics & Operational IntelligenceA Framework for Infrastructure Visibility, Analytics & Operational Intelligence
A Framework for Infrastructure Visibility, Analytics & Operational IntelligenceStephen Collins
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout SessionSplunk
 

What's hot (20)

A streaming architecture for Cyber Security - Apache Metron
A streaming architecture for Cyber Security - Apache MetronA streaming architecture for Cyber Security - Apache Metron
A streaming architecture for Cyber Security - Apache Metron
 
Solving Cyber at Scale
Solving Cyber at ScaleSolving Cyber at Scale
Solving Cyber at Scale
 
Cloud-native application monitoring powered by Riverbed and Elasticsearch
Cloud-native application monitoring powered by Riverbed and ElasticsearchCloud-native application monitoring powered by Riverbed and Elasticsearch
Cloud-native application monitoring powered by Riverbed and Elasticsearch
 
Open Networking
Open NetworkingOpen Networking
Open Networking
 
6. Kepware_IIoT_Solution
6. Kepware_IIoT_Solution6. Kepware_IIoT_Solution
6. Kepware_IIoT_Solution
 
Big Traffic, Big Trouble: Big Data - Tokyo
Big Traffic, Big Trouble: Big Data - TokyoBig Traffic, Big Trouble: Big Data - Tokyo
Big Traffic, Big Trouble: Big Data - Tokyo
 
Apache Spot
Apache SpotApache Spot
Apache Spot
 
Manage democratization of the data - Data Replication in Hadoop
Manage democratization of the data - Data Replication in HadoopManage democratization of the data - Data Replication in Hadoop
Manage democratization of the data - Data Replication in Hadoop
 
Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...
Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...
Bringing it All Together: Apache Metron (Incubating) as a Case Study of a Mod...
 
QCon London 2015 - Wrangling Data at the IOT Rodeo
QCon London 2015 - Wrangling Data at the IOT RodeoQCon London 2015 - Wrangling Data at the IOT Rodeo
QCon London 2015 - Wrangling Data at the IOT Rodeo
 
Intelligently Collecting Data at the Edge – Intro to Apache MiNiFi
Intelligently Collecting Data at the Edge – Intro to Apache MiNiFiIntelligently Collecting Data at the Edge – Intro to Apache MiNiFi
Intelligently Collecting Data at the Edge – Intro to Apache MiNiFi
 
Application performance monitoring with Elastic APM and the ELK stack
Application performance monitoring with Elastic APM and the ELK stackApplication performance monitoring with Elastic APM and the ELK stack
Application performance monitoring with Elastic APM and the ELK stack
 
Security event logging and monitoring techniques
Security event logging and monitoring techniquesSecurity event logging and monitoring techniques
Security event logging and monitoring techniques
 
Data torrent meetup-productioneng
Data torrent meetup-productionengData torrent meetup-productioneng
Data torrent meetup-productioneng
 
Introduction to Streaming Analytics Manager
Introduction to Streaming Analytics ManagerIntroduction to Streaming Analytics Manager
Introduction to Streaming Analytics Manager
 
Real-time Twitter Sentiment Analysis and Image Recognition with Apache NiFi
Real-time Twitter Sentiment Analysis and Image Recognition with Apache NiFiReal-time Twitter Sentiment Analysis and Image Recognition with Apache NiFi
Real-time Twitter Sentiment Analysis and Image Recognition with Apache NiFi
 
Solving Cybersecurity at Scale
Solving Cybersecurity at ScaleSolving Cybersecurity at Scale
Solving Cybersecurity at Scale
 
Reinventing enterprise defense with the Elastic Stack
Reinventing enterprise defense with the Elastic StackReinventing enterprise defense with the Elastic Stack
Reinventing enterprise defense with the Elastic Stack
 
A Framework for Infrastructure Visibility, Analytics & Operational Intelligence
A Framework for Infrastructure Visibility, Analytics & Operational IntelligenceA Framework for Infrastructure Visibility, Analytics & Operational Intelligence
A Framework for Infrastructure Visibility, Analytics & Operational Intelligence
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout Session
 

Similar to Apache Metron in the Real World

Apache Metron in the Real World
Apache Metron in the Real WorldApache Metron in the Real World
Apache Metron in the Real WorldDataWorks Summit
 
Unlocking insights in streaming data
Unlocking insights in streaming dataUnlocking insights in streaming data
Unlocking insights in streaming dataCarolyn Duby
 
Big Traffic, Big Trouble: Big Data Security Analytics
Big Traffic, Big Trouble: Big Data Security AnalyticsBig Traffic, Big Trouble: Big Data Security Analytics
Big Traffic, Big Trouble: Big Data Security AnalyticsDataWorks Summit
 
Fast Access to Your Data - Avro, JSON, ORC, and Parquet
Fast Access to Your Data - Avro, JSON, ORC, and ParquetFast Access to Your Data - Avro, JSON, ORC, and Parquet
Fast Access to Your Data - Avro, JSON, ORC, and ParquetOwen O'Malley
 
Make Streaming IoT Analytics Work for You
Make Streaming IoT Analytics Work for YouMake Streaming IoT Analytics Work for You
Make Streaming IoT Analytics Work for YouHortonworks
 
Catch a Hacker in Real-Time: Live Visuals of Bots and Bad Guys
Catch a Hacker in Real-Time: Live Visuals of Bots and Bad GuysCatch a Hacker in Real-Time: Live Visuals of Bots and Bad Guys
Catch a Hacker in Real-Time: Live Visuals of Bots and Bad GuysHortonworks
 
Johns Hopkins - Using Hadoop to Secure Access Log Events
Johns Hopkins - Using Hadoop to Secure Access Log EventsJohns Hopkins - Using Hadoop to Secure Access Log Events
Johns Hopkins - Using Hadoop to Secure Access Log EventsHortonworks
 
Enterprise IIoT Edge Processing with Apache NiFi
Enterprise IIoT Edge Processing with Apache NiFiEnterprise IIoT Edge Processing with Apache NiFi
Enterprise IIoT Edge Processing with Apache NiFiTimothy Spann
 
State of the Apache NiFi Ecosystem & Community
State of the Apache NiFi Ecosystem & CommunityState of the Apache NiFi Ecosystem & Community
State of the Apache NiFi Ecosystem & CommunityAccumulo Summit
 
Apache NiFi + Tensorflow + Hadoop: Big Data AI サンドイッチの作り方
Apache NiFi + Tensorflow + Hadoop: Big Data AI サンドイッチの作り方Apache NiFi + Tensorflow + Hadoop: Big Data AI サンドイッチの作り方
Apache NiFi + Tensorflow + Hadoop: Big Data AI サンドイッチの作り方HortonworksJapan
 
SAM—streaming analytics made easy
SAM—streaming analytics made easySAM—streaming analytics made easy
SAM—streaming analytics made easyDataWorks Summit
 
Apache NiFi MiNiFi C++ and the tale of edgey stuff
Apache NiFi MiNiFi C++ and the tale of edgey stuffApache NiFi MiNiFi C++ and the tale of edgey stuff
Apache NiFi MiNiFi C++ and the tale of edgey stuffMarc Parisi
 
Dataflow with Apache NiFi - Apache NiFi Meetup - 2016 Hadoop Summit - San Jose
Dataflow with Apache NiFi - Apache NiFi Meetup - 2016 Hadoop Summit - San JoseDataflow with Apache NiFi - Apache NiFi Meetup - 2016 Hadoop Summit - San Jose
Dataflow with Apache NiFi - Apache NiFi Meetup - 2016 Hadoop Summit - San JoseAldrin Piri
 
Social Media Monitoring with NiFi, Druid and Superset
Social Media Monitoring with NiFi, Druid and SupersetSocial Media Monitoring with NiFi, Druid and Superset
Social Media Monitoring with NiFi, Druid and SupersetThiago Santiago
 
IIoT + Predictive Analytics: Solving for Disruption in Oil & Gas and Energy &...
IIoT + Predictive Analytics: Solving for Disruption in Oil & Gas and Energy &...IIoT + Predictive Analytics: Solving for Disruption in Oil & Gas and Energy &...
IIoT + Predictive Analytics: Solving for Disruption in Oil & Gas and Energy &...DataWorks Summit
 
Apache NiFi Crash Course - San Jose Hadoop Summit
Apache NiFi Crash Course - San Jose Hadoop SummitApache NiFi Crash Course - San Jose Hadoop Summit
Apache NiFi Crash Course - San Jose Hadoop SummitAldrin Piri
 

Similar to Apache Metron in the Real World (20)

Apache Metron in the Real World
Apache Metron in the Real WorldApache Metron in the Real World
Apache Metron in the Real World
 
Apache Metron: Community Driven Cyber Security
Apache Metron: Community Driven Cyber Security Apache Metron: Community Driven Cyber Security
Apache Metron: Community Driven Cyber Security
 
Hadoop Summit Tokyo Apache NiFi Crash Course
Hadoop Summit Tokyo Apache NiFi Crash CourseHadoop Summit Tokyo Apache NiFi Crash Course
Hadoop Summit Tokyo Apache NiFi Crash Course
 
Unlocking insights in streaming data
Unlocking insights in streaming dataUnlocking insights in streaming data
Unlocking insights in streaming data
 
Big Traffic, Big Trouble: Big Data Security Analytics
Big Traffic, Big Trouble: Big Data Security AnalyticsBig Traffic, Big Trouble: Big Data Security Analytics
Big Traffic, Big Trouble: Big Data Security Analytics
 
Fast Access to Your Data - Avro, JSON, ORC, and Parquet
Fast Access to Your Data - Avro, JSON, ORC, and ParquetFast Access to Your Data - Avro, JSON, ORC, and Parquet
Fast Access to Your Data - Avro, JSON, ORC, and Parquet
 
Make Streaming IoT Analytics Work for You
Make Streaming IoT Analytics Work for YouMake Streaming IoT Analytics Work for You
Make Streaming IoT Analytics Work for You
 
Catch a Hacker in Real-Time: Live Visuals of Bots and Bad Guys
Catch a Hacker in Real-Time: Live Visuals of Bots and Bad GuysCatch a Hacker in Real-Time: Live Visuals of Bots and Bad Guys
Catch a Hacker in Real-Time: Live Visuals of Bots and Bad Guys
 
#HSTokyo16 Apache Spark Crash Course
#HSTokyo16 Apache Spark Crash Course #HSTokyo16 Apache Spark Crash Course
#HSTokyo16 Apache Spark Crash Course
 
Johns Hopkins - Using Hadoop to Secure Access Log Events
Johns Hopkins - Using Hadoop to Secure Access Log EventsJohns Hopkins - Using Hadoop to Secure Access Log Events
Johns Hopkins - Using Hadoop to Secure Access Log Events
 
Apache Spark Crash Course
Apache Spark Crash CourseApache Spark Crash Course
Apache Spark Crash Course
 
Enterprise IIoT Edge Processing with Apache NiFi
Enterprise IIoT Edge Processing with Apache NiFiEnterprise IIoT Edge Processing with Apache NiFi
Enterprise IIoT Edge Processing with Apache NiFi
 
State of the Apache NiFi Ecosystem & Community
State of the Apache NiFi Ecosystem & CommunityState of the Apache NiFi Ecosystem & Community
State of the Apache NiFi Ecosystem & Community
 
Apache NiFi + Tensorflow + Hadoop: Big Data AI サンドイッチの作り方
Apache NiFi + Tensorflow + Hadoop: Big Data AI サンドイッチの作り方Apache NiFi + Tensorflow + Hadoop: Big Data AI サンドイッチの作り方
Apache NiFi + Tensorflow + Hadoop: Big Data AI サンドイッチの作り方
 
SAM—streaming analytics made easy
SAM—streaming analytics made easySAM—streaming analytics made easy
SAM—streaming analytics made easy
 
Apache NiFi MiNiFi C++ and the tale of edgey stuff
Apache NiFi MiNiFi C++ and the tale of edgey stuffApache NiFi MiNiFi C++ and the tale of edgey stuff
Apache NiFi MiNiFi C++ and the tale of edgey stuff
 
Dataflow with Apache NiFi - Apache NiFi Meetup - 2016 Hadoop Summit - San Jose
Dataflow with Apache NiFi - Apache NiFi Meetup - 2016 Hadoop Summit - San JoseDataflow with Apache NiFi - Apache NiFi Meetup - 2016 Hadoop Summit - San Jose
Dataflow with Apache NiFi - Apache NiFi Meetup - 2016 Hadoop Summit - San Jose
 
Social Media Monitoring with NiFi, Druid and Superset
Social Media Monitoring with NiFi, Druid and SupersetSocial Media Monitoring with NiFi, Druid and Superset
Social Media Monitoring with NiFi, Druid and Superset
 
IIoT + Predictive Analytics: Solving for Disruption in Oil & Gas and Energy &...
IIoT + Predictive Analytics: Solving for Disruption in Oil & Gas and Energy &...IIoT + Predictive Analytics: Solving for Disruption in Oil & Gas and Energy &...
IIoT + Predictive Analytics: Solving for Disruption in Oil & Gas and Energy &...
 
Apache NiFi Crash Course - San Jose Hadoop Summit
Apache NiFi Crash Course - San Jose Hadoop SummitApache NiFi Crash Course - San Jose Hadoop Summit
Apache NiFi Crash Course - San Jose Hadoop Summit
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 

Apache Metron in the Real World

  • 1. 1 © Hortonworks Inc. 2011–2018. All rights reserved 27-29 November, Vilnius Apache Metron in the Real World Dave Russell - Hortonworks www.roaringelephant.org
  • 2. 2 © Hortonworks Inc. 2011–2018. All rights reserved Who am I?
  • 3. 3 © Hortonworks Inc. 2011–2018. All rights reserved
  • 4. 4 © Hortonworks Inc. 2011–2018. All rights reserved Why Apache Metron?
  • 5. 5 © Hortonworks Inc. 2011–2018. All rights reserved Months until breach noticed Avg. months log retention 9 6 VS 3 Months missing
  • 6. 6 © Hortonworks Inc. 2011–2018. All rights reserved 28 Months Police One/Berkut Yahoo/FSB FB/Cambridge Analytica 35 Months 48 Months Time until breach actually noticed
  • 7. 7 © Hortonworks Inc. 2011–2018. All rights reserved “Sometime in the next few years we're going to have our first category-one cyber-incident; one that will need a national response.” Ian Levy Technical Director National Cyber Security Centre
  • 8. 8 © Hortonworks Inc. 2011–2018. All rights reserved Andhra Pradesh Police, India Aristotle University of Thessaloniki, Greece Automobile Dacia, Romania Cambrian College, Canada Chinese public security bureau CJ CGV Dalian Maritime University Deutsche Bahn Dharmais Hospital, Indonesia Faculty Hospital, Nitra, Slovakia FedEx Garena Blade and Soul Guilin University Of Aerospace Technology Guilin University Of Electronic Technology Harapan Kita Hospital[disambiguation needed], IndonesiaHezhou University Sandvik São Paulo Court of Justice Saudi Telecom Company Sberbank Shandong University State Governments of India Government of Gujarat Government of Kerala Government of Maharashtra Government of West Bengal Suzhou Vehicle Administration Sun Yat-sen University, China Telefónica Telenor Hungary, Hungary Telkom (South Africa) Timrå Municipality, Sweden Universitas Jember, Indonesia University of Milano-Bicocca, Italy University of Montreal, Canada Vivo, Brazil Hitachi Honda Instituto Nacional de Salud, Colombia Lakeridge Health LAKS LATAM Airlines Group MegaFon Ministry of Internal Affairs of the Russian Federation Ministry of Foreign Affairs (Romania) National Health Service (England) NHS Scotland Nissan Motor Manufacturing UK O2, Germany Petrobrás PetroChina Portugal Telecom Pulse FM Q-Park Renault Russian Railways
  • 9. 9 © Hortonworks Inc. 2011–2018. All rights reserved 2018 so far... 340M Records 150M Records 92M Records And many, many, many more.. https://en.wikipedia.org/wiki/List_of_data_ breaches
  • 10. 10 © Hortonworks Inc. 2011–2018. All rights reserved What Does Apache Metron Look Like?
  • 11. 11 © Hortonworks Inc. 2011–2018. All rights reserved Security telemetry source: authentication logsSecurity telemetry source: authentication logs
  • 12. 12 © Hortonworks Inc. 2011–2018. All rights reserved
  • 13. 13 © Hortonworks Inc. 2011–2018. All rights reserved
  • 14. 14 © Hortonworks Inc. 2011–2018. All rights reserved
  • 15. 15 © Hortonworks Inc. 2011–2018. All rights reserved What is Apache Metron?
  • 16. 16 © Hortonworks Inc. 2011–2018. All rights reserved Built on top on proven open source big data technology
  • 17. 17 © Hortonworks Inc. 2011–2018. All rights reserved An architecture for real-time cybersecurity analytics
  • 18. 18 © Hortonworks Inc. 2011–2018. All rights reserved Telemetry Data Source
  • 19. 19 © Hortonworks Inc. 2011–2018. All rights reserved Telemetry Data Collectors
  • 20. 20 © Hortonworks Inc. 2011–2018. All rights reserved Cyber Security Stream Processing Pipeline
  • 21. 21 © Hortonworks Inc. 2011–2018. All rights reserved Profiling by time t = 1 t = 2 t = 3 t = n Wide range of algorithms including: à HyperLogLogPlus à Bloom filters à T-digests à Statistical Baselining à Hashing functions à Outlier detection à GeoHashing over time à Locality Sensitive HashingApprox. Data Sketch Approx. Data Sketch Approx. Data Sketch Approx. Data Sketch Combined Baseline Statistic
  • 22. 22 © Hortonworks Inc. 2011–2018. All rights reserved Cyber Security Stream Processing Pipeline
  • 23. 23 © Hortonworks Inc. 2011–2018. All rights reserved Apache Metron Modules
  • 24. 24 © Hortonworks Inc. 2011–2018. All rights reserved Who is Using Apache Metron (Part 1)
  • 25. 25 © Hortonworks Inc. 2011–2018. All rights reserved
  • 26. 26 © Hortonworks Inc. 2011–2018. All rights reserved
  • 27. 27 © Hortonworks Inc. 2011–2018. All rights reserved
  • 28. 28 © Hortonworks Inc. 2011–2018. All rights reserved The Wider Apache Metron Ecosystem
  • 29. 29 © Hortonworks Inc. 2011–2018. All rights reserved
  • 30. 30 © Hortonworks Inc. 2011–2018. All rights reserved Who is Using Apache Metron (Part 2)
  • 31. 31 © Hortonworks Inc. 2011–2018. All rights reserved
  • 32. 32 © Hortonworks Inc. 2011–2018. All rights reserved
  • 33. 33 © Hortonworks Inc. 2011–2018. All rights reserved
  • 34. 34 © Hortonworks Inc. 2011–2018. All rights reserved
  • 35. 35 © Hortonworks Inc. 2011–2018. All rights reserved Deploying Apache Metron
  • 36. 36 © Hortonworks Inc. 2011–2018. All rights reserved AD/AssetDB/HR/Threat HDF HDFS NiFi - Ingest HDP Phase 0 – Current State ADP Event Broker (Kafka) ADP Smart Connectors ADP Logger ArcSight ESM Security Assets 3 1 2 4 5
  • 37. 37 © Hortonworks Inc. 2011–2018. All rights reserved HDF Zeppelin HDFS NiFi - Ingest Kafka MQ Storm Parse / Enrich / GeoIP / Index Solr Investigator UI HDP Phase 1 - Ingest and Archive ADP Event Broker (Kafka) ADP Smart Connectors ADP Logger ArcSight ESM Security Assets AD/AssetDB/HR/Threat Spark Historical Analysis 10 6 8 7 9 11 12 13 Banana
  • 38. 38 © Hortonworks Inc. 2011–2018. All rights reserved HDF Zeppelin HDFS NiFi - Ingest Kafka MQ Storm Parse / Enrich / GeoIP / Index Solr Enrichment Data Investigator UI HDP Phase 2 – Enrich and Threat Intel ADP Event Broker (Kafka) ADP Smart Connectors ADP Logger ArcSight ESM Security Assets AD/AssetDB/HR/Threat Spark Historical Analysis 14 Banana / Kibana / ZoomData
  • 39. 39 © Hortonworks Inc. 2011–2018. All rights reserved HDF Zeppelin HDFS NiFi - Ingest Kafka MQ Storm Parse / Enrich / GeoIP / Index Solr Enrichment Data Metron Profiler Triage Alert Investigator UI HDP Phase 3 – NiFi Data Ingestion + Analytics / UEBA Profiling ADP Event Broker (Kafka) ADP Smart Connectors ADP Logger ArcSight ESM Security Assets AD/AssetDB/HR/Threat Spark Historical Analysis Source Data (via NiFi) 15 16 Banana
  • 40. 40 © Hortonworks Inc. 2011–2018. All rights reserved HDF Source Data (via NiFi) Zeppelin HDFS Spark Historical Analysis Model as a Service NiFi - Ingest Kafka MQ Storm Parse / Enrich / GeoIP / Index Automated Response Solr Enrichment Data Netflow / PCAP / Snort (Kafka direct) Metron Profiler Triage Alert Investigator UI HDP Phase 4 – ArcSight Logger Migration + New Data Sources ADP Event Broker (Kafka) ADP Smart Connectors ADP Logger ArcSight ESM Security Assets Banana AD/AssetDB/HR/Threat 17 18 19 20
  • 41. 41 © Hortonworks Inc. 2011–2018. All rights reserved Considerations for Sizing Apache Metron
  • 42. 42 © Hortonworks Inc. 2011–2018. All rights reserved • Events per second (average and peak) • Retention time for Hot / Warm / Cold zones • Enrichments • Node sizing • I/O Considerations • PCAP? Sizing an HCP deployment
  • 43. 43 © Hortonworks Inc. 2011–2018. All rights reserved 3 Months Hot Warm Fast indexed layer (Solr / ES) ~3 months Warm HDFS layer ~3 months
  • 44. 44 © Hortonworks Inc. 2011–2018. All rights reserved 12 Months Hot Warm Fast indexed layer (Solr / ES) ~3 months Warm HDFS layer ~12 months
  • 45. 45 © Hortonworks Inc. 2011–2018. All rights reserved Hot Warm Cold Fast indexed layer (Solr / ES) ~3 months Warm HDFS layer ~12 months Cold HDFS layer +12 months 24 Months
  • 46. 46 © Hortonworks Inc. 2011–2018. All rights reserved Cold Beyond 24 months Hot Warm ColdColdColdCold Fast indexed layer (Solr / ES) ~3 months Warm HDFS layer ~12 months Cold HDFS layer +12 months
  • 47. 47 © Hortonworks Inc. 2011–2018. All rights reserved Questions?
  • 48. 48 © Hortonworks Inc. 2011–2018. All rights reserved
  • 49. 49 © Hortonworks Inc. 2011–2018. All rights reserved Appendix