Issues with Ingesting/Staging/Analyzing Data in ConMon Implementation
•
1 like•1,088 views
Mitre Developer Days 2013 presentation on issues we've encountered developing an enterprise wide continuous monitoring solution
Recommended
More Related Content
What's hot
What's hot (19)
Similar to Issues with Ingesting/Staging/Analyzing Data in ConMon Implementation
Similar to Issues with Ingesting/Staging/Analyzing Data in ConMon Implementation (20)
Recently uploaded
Recently uploaded (20)
Issues with Ingesting/Staging/Analyzing Data in ConMon Implementation
- 1. Tieu Luu, Ben Stack Developer Days 2013 @ Mitre, McLean, VA July 24, 2013
- 2. Background Defining Continuous Monitoring Supporting Data and Architecture Ingest Stage Analyze Future Architecture
- 3. SuprTEK has been at the forefront of Continuous Monitoring, working with and integrating technologies and standards from organizations such as the Defense Information Systems Agency (DISA), National Institute of Standards (NIST), National Security Agency (NSA), United States Cyber Command (USCYBERCOM), and Department of State (DoS) Since 2010 SuprTEK has been working with DISA PEO-MA to develop and field the Department of Defense’s Continuous Monitoring and Risk Scoring (CMRS) system that enables USCYBERCOM and other DoD Enterprise level users to monitor and analyze the security posture of millions of devices deployed across the DoD’s networks. Transforming and improving the DoD’s cyber security processes … • Risk Management • Vulnerability Management • Certification & Accreditation • Compliance and Reporting • Configuration Management • Inventory Management Improving security posture and reducing costs through continuous monitoring automation. 3 CMRS utilizes SCAP standards such as XCCDF, CPE, and CVE to continuously and automatically determine whether an asset is susceptible to vulnerabilities, its compliance level against required patches, and compliance against IAVAs, STIGs, and other enterprise security policies.
- 4. NIST SP 800-137: Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. NIST IR 7756: Continuous security monitoring is a risk management approach to Cybersecurity that maintains an accurate picture of an organization’s security risk posture, provides visibility into assets, and leverages use of automated data feeds to measure security, ensure effectiveness of security controls, and enable prioritization of remedies.
- 6. Asset Configuration Compliance Check Vulnerability Software Inventory Organization Location System 106 103 103 102 103 103 103103
- 7. Source: NIST IR 7756 CAESARS Framework Extension 1. Ingest 2. Stage 3. Analyze
- 8. Web-based User Interface Warehouse Analysis Services OLAP Cubes File Processor File Processor File Processor File Processor ARCAT ASCAT Dimensional DB Batch Jobs Reporting ServicesBusiness Logic File Processor Pool File Processor … Risk Dashboards IAVM Summary Benchmark Summary Inventory Summary Reports ADS-Lite Web Service HBSS CMRSpreIOC 1. Ingest 2. Stage 3. Analyze
- 9. HBSS APS HBSS APS HBSS APS ADS- Lite WS ARF ASR SAN Filesystem File Processor File ProcessorFile Processor Warehouse continuously 20 hrs/day
- 10. A lot of publishers across DoD network ◦ Volume/configuration/versions ARF & ASR XML Processing CPU intensive Complete “asset profile” distributed across multiple messages Reconciliation with existing records in the warehouse Asset identification
- 11. ADS-Lite Web Service and File Processor distributed across multiple nodes Two-stage asynchronous architecture Sequence-independent message processing Custom shredding logic to reconcile new and existing records Shred data into warehouse continuously (future)
- 12. Warehouse Dimensional DB OLAP Cubesnightly nightly
- 13. Rich data model to support new & evolving requirements Data volume Efficiency & performance ◦ Finishing nightly jobs in allotted time window Consolidate, Correlate, & Fuse Support for multiple interaction models ◦ A lot of writes ◦ Batch processing ◦ Interactive queries Complex jobs to ETL data across 3 tiers
- 14. Three Tier Architecture ◦ Warehouse ◦ Dimensional ◦ OLAP Cubes A lot of denormalizing ◦ Asset properties ◦ Findings “Blue – Green” architecture for Dimensional DB and OLAP cubes (future) Migration to HBase for warehouse (future)
- 15. IAVM Compliance SOE Compliance Scoring Ad Hoc Queries Rollup & Drilldown Canned Reports Dimensional DB OLAP Cubes Batch Jobs Stored Procedures Functions SSDS SSRS SSAS
- 16. Data volume & performance Data quality Shrinking time windows to run nightly jobs Complex business logic ◦ Risk scoring ◦ IAVM compliance ◦ SOE compliance ◦ Benchmark compliance Constantly evolving Ad hoc, interactive queries Data access control
- 17. Preprocess as much as possible OLAP cubes for interactive queries Tight algorithms and T-SQL coding Agile approach ◦ “Expect it be wrong the moment we’re done” ◦ E.g. centralized tagging functionality Enhance risk scoring algorithms (future) ◦ Weighting of assets ◦ Weighting of checks Migration to Hadoop (future)
- 18. HBase Analysis Services CMRS Reporting HBSS ADS-Lite Web Service OLAP Cubes Reporting ServicesBusiness Logic Pig Hive Map/ Reduce HBase API ARF HBase Shredder ARF HBase Shredder ASR HBase Shredder ASR HBase Shredder HBase Shredder Pool ACAS Other Risk Dashboard Widgets IAVM Compliance Widgets Benchmark Summary Widgets Inventory Summary Widgets HBSS Endpoint Widgets … Report Widgets Other Widget Other Widget Other Widget OWF-Based User Interface ARF HBase Shredder ASR HBase Shredder 1. Ingest 2. Stage 3. Analyze
- 19. Tieu Luu Director of Research & Product Development SuprTEK tluu@suprtek.com Ben Stack CMRSpreIOC Development Lead SuprTEK bstack@suprtek.com www.panoptescyber.com