Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership Presentation: How do we Protect our Systems and Meet Compliance in a Rapidly Changing Environment: Cyber Security Information and Event Management Presenter: Dr. Jim Murray, Technical Staff, HBB Systems, LLC Description: With all the constant innovation in cyber, what is “cutting edge”? What constraints hinder innovation? How is technology being used to address the Executive Orders, comply to standards, and other meet other mandates? What areas still need resources, ideas and innovation? Join us to hear advances in cyber security technology and ways to protect and monitor systems that will provide for resilient infrastructures and incorporate new solutions.

1. Cyber Security Information
and Event Management
Copyright © 2012, Oracle and/or its affiliates. 1 All rights reserved.
Dr. Jim Murray
HHB Systems LLC
jim.murray@thehhb.com
10/23/2014

2. Copyright © 2012, Oracle and/or its affiliates. 2 All rights reserved.
New Cyber Innovation outperforms
“Business as Usual”
Moving away from
“Business As
Usual” to …
Oracle Technologies applied to Cyber:
Mission
Improvements
· 5 years of cyber data online at ¼ the cost
· Perform queries in seconds to minutes (vs hours or days)
· Collect “all” data & look for all indicators, (versus data triage)
· Handle 100-200k EPS with a standard configuration
· Analysts gain valuable time to react and predict
Cost Reductions
· Save $5-$15 million on Cyber deployments
· 70% less TCO over 5 years
· Reduce hardware costs 50%
· Show 10 month or less for Return on Investments (ROI)
Operational
Efficiencies
· 75% Less Power & Cooling
· 70% Less Floor Space
· 4-5x More Usable Disk
· 86% Less Integration Cost
· 83% Less Cores needed, yet 1000% better response time

3. Copyright © 2012, Oracle and/or its affiliates. 3 All rights reserved.
Customer Challenges and
Metrics • Audit retention and forensic investigation
• The existing ESM appliances only retain 14 days of data and analysts are forced to use
logger searches which take up to 10 hours for a 7 day query.
• It would take 4 days to conduct a month long query. This makes year long queries impractical
and 5 year investigations nearly impossible.
• Logger archives must be used in the same configuration that they were saved as. A logger
must be rebuilt to accommodate the version in which that the archive was saved.
• The archive that is imported is un-indexed and query performance will be 10 times slower.
• A typical logger forensic archive import scenario will take over 8 hours per archive to import
and search.
• Example Metrics Seen by customers
• Approx 40 Minutes to open active channels reports with 5,000-8,000 Events Per Second
(EPS)
• 6 hour for report completion if they ever do finish at all
• Enterprise Security Manager (ESM) content limited to 30 days
• Only 14 days of ESM events captured
• Unable to accommodate all potential users of the system or handle future requirements

4. Copyright © 2012, Oracle and/or its affiliates. 4 All rights reserved.
ArcSight Security Information and
Event Management
Before Engineered Systems
Approach:
•To avoid archive imports, it would
take 50 load balanced loggers to
accomplish the same job for the
forecasted EPS but without Oracle
Exadata performance, compression,
deployment time, etc..
•At a cost of $100,000.00 each, the
price would be $5 million not including
the additional manpower required for
operations and maintenance + $5m
for 5 yrs storage
After Engineered Systems
Approach:
•The simplicity of the ~$2.5M
Engineered System of SuperCluster,
Storage Backup Appliance, reduced
installation time, etc.

5. Copyright © 2012, Oracle and/or its affiliates. 5 All rights reserved.
Cyber Event Detection and
Simultaneous Query
BEFORE
• IC Customer current baseline achieving 3500
Events per Second Max ingest on ArcSight
System
• Largest Scale ArcSight reported was 20,000
EPS at 15 minute response times
• Average query response to Console of
Indexed/NonIndexed reports took 35-45 Min.
• Goal was 1PB Total Store (622B Events per
year) with sub 10 minute response time on
reports
AFTER
• Sparc SuperCluster(Exadata)
(1/2 Rack)
• 70,000 EPS (20x improvement),
Full Rack would do 150,000 EPS
• Query Response 30 Seconds (70x
improvement)
• Saved ½ space by removing
indexes
• Compressed Data by 12-14x
(1PB would be reduced by almost a factor of 10)

6. Copyright © 2012, Oracle and/or its affiliates. 6 All rights reserved.
Engineered System Query Results
Max Query Times (Minutes)
Magnitudes faster

7. Engineered System:
Implementation Results
• We ingested 3.5X more than success criteria established or 20X more data over existing
system (70,000 EPS achieved)
• All query requirements were satisfied with only 3 storage cells and all queries returned
in 30-90 seconds
• Put another way, we ingested 20X more data and queried it 27X faster than
baseline architecture with only a 9% load on the whole ½ Rack SuperCluster!
• All hardware, software, and tuning for completed in 5 days
• Customer data gains: Went from 30 days to 5 years worth of data to query
• Many new DB enhancements and tuning capabilities will be implemented based on PC
results and lessons learned at deployment time
• Since the implementation was conducted, customer will be gaining 3-5X faster results
than this test, due to the updated software that now leverages bigger/faster flash cards
on the storage cells
• Upper Bound for EPS is unknown but sustaining 100K-150K EPS with queries in sub
second response should be no issues

8. Summary
• Customer saves over $20M dollars while huge efficiencies
• Repeatable Success on Engineered Systems
• Customer is now experimenting with new query reports to find cyber trends
they could not even attempt before
• Scales to all levels: small, medium, large, extra large in any direction compute
or storage
• Now able to store PB’s of data in a small footprint with EHCC compression
• Analytical queries come back in in seconds allowing analyst to be more
productive
• Simplified Architecture to administer
• Deployed in days
• Single Vendor to call for any issues

9. Questions ?

10. Questions ?