Apple must detect a wide variety of security threats, and rises to the challenge using Apache Spark across a diverse pool of telemetry. This talk covers some of the home-grown solutions we’ve built to address complications of scale.
Empower Splunk and other SIEMs with the Databricks Lakehouse for Cybersecurity - Databricks
Cloud, cost, complexity, and threat coverage are top of mind for every security leader. The Lakehouse architecture has emerged in recent years to help address these concerns with a single unified architecture for all your threat data, analytics and AI in the cloud. In this talk, we will show how Lakehouse is essential for effective cybersecurity and popular security use cases. We will also share how Databricks empowers the security data scientist and analyst of the future and how this technology allows cyber data sets to be used to solve business problems.
Alienvault how to build a security operations center (on a budget) (2017, a... - Al Syihab
SOC teams are responsible for monitoring, detecting, containing, and remediating IT threats across critical infrastructure. Building an effective SOC requires the right combination of people, processes, tools, and threat intelligence. This involves establishing key security operations roles and responsibilities, processes for event handling, and integrating tools for monitoring, detection, and response. It is important to consolidate tools and optimize processes and staffing to establish a SOC that can gain visibility into threats and respond effectively despite limited resources.
Lecture on 22 January 2019
CAP Theorem
Byzantine Generals Problem
Blockchain for Beginners
Elective course from the Faculty of Information Technology, Thai - Nichi Institute of Technology, Bangkok for undergraduate students.
#BlockchainTNI2018
This document discusses injection vulnerabilities like SQL, XML, and command injection. It provides examples of how injection occurs by mixing commands and data, including accessing unauthorized data or escalating privileges. The speaker then discusses ways to prevent injection, such as validating all user input, using prepared statements, adopting secure coding practices, and implementing web application firewalls. The key message is that applications should never trust user input and adopt defense in depth techniques to prevent injection vulnerabilities.
Threat Detection and Response at Scale with Dominique Brezinski - Databricks
Security monitoring and threat response have diverse processing demands on large volumes of log and telemetry data. Processing requirements span from low-latency stream processing to interactive queries over months of data. To make things more challenging, we must keep the data accessible for a retention window measured in years. Having tackled this problem before in a massive-scale environment using Apache Spark, when it came time to do it again, there were a few things I knew worked and a few wrongs I wanted to right.
We approached Databricks with a set of challenges to collaborate on: provide a stable and optimized platform for Unified Analytics that allows our team to focus on value delivery using streaming, SQL, graph, and ML; leverage decoupled storage and compute while delivering high performance over a broad set of workloads; use S3 notifications instead of list operations; remove Hive Metastore from the write path; and approach indexed response times for our more common search cases, without hard-to-scale index maintenance, over our entire retention window. This is about the fruit of that collaboration.
Proposal to Manage the Upgrade of the IT Infrastructure for PPESA - Federico Schiavio
This proposal summarizes the consultant's experience managing IT infrastructure upgrades. The consultant has over 25 years of experience upgrading networks, procuring hardware and software, and improving existing applications like IPRIS. The proposal reviews the terms of reference, outlines the consultant's relevant experience managing large IT projects, and provides a CV and financial proposal.
Windows Registry Forensics with Volatility Framework - Kapil Soni
Windows Registry Forensics is the most important part of memory forensics investigations. With the help of Windows Registry Forensics we can reconstruct user activity as well as find evidence easily.
Windows Registry Forensics (WRF) is one of the most important parts of malware analysis. Changes made by malware on Windows are reflected in the Registry.
If an attacker makes changes to the Windows OS, records of actions such as opening, deleting or modifying folders or files, as well as executing a file such as an .exe, are stored in the Windows Registry, which helps the investigator catch the cyber criminal.
This document provides an overview of threat hunting using Splunk. It begins with an introduction to threat hunting and why it is important. The presentation then discusses key building blocks for driving threat hunting maturity, including search and visualization, data enrichment, ingesting data sources, and applying machine learning. It provides examples of internal data sources that can be used for hunting like IP addresses, network artifacts, DNS, and endpoint data. The presentation demonstrates hunting using the Microsoft Sysmon endpoint agent, walking through an example attack scenario matching the Cyber Kill Chain framework. It shows how to investigate a potential compromise by searching across web, DNS, proxy, firewall, and endpoint data in Splunk to trace suspicious activity back to a specific user.
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation - Derrick Hunter
This document discusses the risks of using known vulnerable components in applications. It identifies threat agents as anyone who can send untrusted data, and lists possible attack vectors such as injection and broken access control. Examples are given of past vulnerabilities in Apache CXF and Spring that allowed remote code execution. It emphasizes that open source applications often contain vulnerable components that remain in use long after issues are discovered. Suggested prevention methods include keeping components up to date, monitoring for security issues, and adding security wrappers.
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.
This presentation explains how to discover this vulnerability in an application, how to test for it, and how to mitigate the risk.
The document discusses various methods attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes techniques like copying files over SMB, using WMI, WinRM, PowerShell remoting, scheduled tasks, and others. For each technique, it outlines the required network access and system privileges, and provides the most relevant event log entries that could be used for detection. The goal is to help analysts understand lateral movement techniques and know what to look for when hunting for suspicious remote executions in Windows logs and environments.
Insecure direct object reference (null delhi meet) - Abhinav Mishra
This document discusses insecure direct object references (IDOR), a type of access control vulnerability. IDOR occurs when an application exposes references to unauthorized resources, such as allowing access to another user's account, through direct manipulation of the reference URL or parameter. The document explains how IDOR works using examples, how attackers can discover and exploit IDOR vulnerabilities, and considerations for when it may not be critical even if present. It also provides resources for further information on testing and remediating IDOR issues.
Development of an Automated Faculty Loading, Room Utilization, Subject and Student Scheduling System (AFLRUS4) for Bulacan Polytechnic College
One of the remarkable and well-known products of technological advancement is the conversion of manually operated systems into automated systems. Using the Scheduling System, it’s easy to arrange class schedules, instructors’ loads and room utilization for the students and faculty in every department. This study aimed to develop an automated faculty, room, subject and student scheduling system to facilitate expeditious service for the school. The study utilized experimental methodology to prove the veracity and efficiency of the system in operation; it was validated by a panel of experts in computer programming composed of computer professors and instructors of Bulacan Polytechnic College. In the end, the following findings came up: the project was rated as “highly acceptable” in terms of its functionality, reliability, usability, portability, speed, training and development. The system program was tested for its functionalities and found useful for the school scheduler, faculty and students because it satisfies the set objectives. The system users recommend the automatic detection of the prescribed maximum of two hours of vacant time. Further, the precision of the system was proven functional, since the said system has been in use by the institution since 2014.
The document discusses various techniques for cracking passwords, including dictionary attacks, brute force attacks, and exploiting weaknesses in password hashing algorithms. Default passwords, social engineering through phishing emails, and the use of tools like Cain and Abel, John the Ripper, and THC Hydra are also covered as effective cracking methods. Common password mistakes that can enable cracking are also listed.
Top 10 Web Security Vulnerabilities (OWASP Top 10) - Brian Huff
The document summarizes the top 10 security vulnerabilities in web applications according to the Open Web Application Security Project (OWASP). These include injection flaws, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards. Countermeasures for each vulnerability are also provided.
Hunting for APT in network logs workshop presentation - OlehLevytskyi1
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources for hunting adversaries, but building good analytics capabilities requires a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios from the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial compromise
- Empire Powershell and CobaltStrike or what to expect after initial loader execution.
- Empire powershell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
The document discusses threat hunting techniques using Splunk, including an overview of threat hunting basics, data sources for threat hunting, and Lockheed Martin's Cyber Kill Chain model. It provides examples of using endpoint data to hunt for threats across the kill chain by analyzing processes, communications, and file artifacts in a demo dataset. Advanced techniques discussed include hunting for SQL injection attacks and lateral movement.
Security Management is very complex and does not limit itself to products and technologies. It is important to consider alternatives when setting up a Security Operation Center (SOC), from insight into the business plan requirements, ability and the skill set of people who will handle the SOC, the responsibilities for the team, budget and more.
Building an Analytics-Enabled SOC Breakout Session - Splunk
This document provides an overview of building an analytics-enabled security operations center (SOC). It discusses the three main components of a SOC - process, people, and technology. For process, it covers threat modeling, playbooks, tier structures, shift rotations, and other operational aspects. For people, it describes the different roles required in a SOC. For technology, it promotes Splunk Enterprise as a security intelligence platform that can power all functions of a SOC. It also provides examples of how Splunk can be used for various SOC use cases and processes.
This document provides an overview of fuzz testing and fuzzing tools. It discusses what fuzzing is, the history and evolution of fuzzing, popular fuzzing tools like Peach Fuzz and Sulley, and fuzzing methods like generation-based, mutation-based, and byte flipping fuzzing. The document also covers the phases of fuzzing like identifying targets and inputs, generating fuzzed data, executing it, and monitoring for exceptions. Key fuzzing frameworks and tools from organizations like CERT and their capabilities are described as well.
The Open Web Application Security Project is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.
One of those projects, The OWASP Top Ten, provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP team recently released the 2017 revised and updated version of the ten most critical web application security risks and so we’ve created these flash cards for you, your friends, and your colleagues (especially product and engineering :) to test your knowledge and learn more about these important issues.
Company-wide security awareness is a powerful way to improve the overall security of your organization. So adorn your waiting rooms, cubicles, and snack rooms with these flash cards for easy learning and remembrance.
Vision is a human’s dominant sense. It is the communication channel with the highest bandwidth into the human brain. Security tools and applications need to make better use of information visualization to enhance human computer interactions and information exchange.
In this talk we will explore a few basic principles of information visualization to see how they apply to cyber security. We will explore both visualization as a data presentation, as well as a data discovery tool. We will address questions like: What makes for effective visualizations? What are some core principles to follow when designing a dashboard? How do you go about visually exploring a terabyte of data? And what role do big data and data mining play in security visualization?
The presentation is filled with visualizations of security data to help translate the theoretical concepts into tangible applications.
This document describes how Ashley Hartge implemented Splunk at their organization Verizon to improve network security monitoring and reporting. It outlines how they started with a single Splunk instance ingesting incident data to create dynamic ad-hoc reports. They then expanded Splunk to include distributed collection of SNMP data from network devices using forwarders. The document also provides examples of using Python scripts to poll thousands of devices and ingest the data into Splunk.
This document provides an introduction to automated testing. It discusses the motivations for automated testing such as improving quality and catching bugs early. It covers basic testing concepts like unit, integration, and system tests. It explains testing principles such as keeping tests independent and focusing on visible behavior. The document also discusses popular testing frameworks for different programming languages and provides examples of tests from a codebase.
This document discusses database unit testing fundamentals. It defines unit testing as code that exercises specific portions of code to return a pass/fail result. The goals of unit testing are to catch mistakes early, ensure code works as expected, and maintain tight code. The document reviews how to unit test databases, using tSQLt and SQL Test frameworks. It provides examples of unit testing stored procedures, functions, views and constraints. Overall, the document promotes unit testing databases to write testable code and help prevent errors.
A year and a half ago we rolled out a new integrated full-text search engine for our Intranet based on Apache Solr. The search engine integrates various data sources such as file systems, wikis, internal websites and web applications, shared calendars, our corporate database, CRM system, email archive, task management and defect tracking etc. This talk is an experience report about some of the good things, the bad things and the surprising things we have encountered over two years of developing with, operating and using an Intranet search engine based on Apache Solr.
After setting the scene, we will discuss some interesting requirements that we have for our search engine and how we solved them with Apache Solr (or at least tried to solve). Using these concrete examples, we will discuss some interesting features and limitations of Apache Solr.
In the second part of the talk, we will tell a couple of "war stories" and walk through some interesting, annoying and surprising problems that we faced, how we analyzed the issues, identified the cause of the problems and eventually solved them.
The talk is aimed at software developers and architects with some basic knowledge about Apache Solr, the Apache Lucene project family or similar full-text search engines. It is not an introduction to Apache Solr; we will dive right into the interesting and juicy bits.
Property-based testing (PBT) focuses on testing specifications rather than implementations. It uses random testing against properties expressed as code to generate many test cases, reducing testing effort. PBT represents a system as states, commands to transition between states, and properties relating commands to expected states. This allows effective testing of stateful systems. PBT has been used successfully for concurrency, distributed systems, and finding bugs unit tests missed. Popular PBT libraries include Scalacheck, QuickCheck, and Hypothesis.
Sumo Logic QuickStart Webinar - Jan 2016Sumo Logic
QuickStart your Sumo Logic service with this exclusive webinar. At these monthly live events you will learn how to capitalize on critical capabilities that can amplify your log analytics and monitoring experience while providing you with meaningful business and IT insights.
Lessons Learned Replatforming A Large Machine Learning Application To Apache ...Databricks
Morningstar’s Risk Model project is created by stitching together statistical and machine learning models to produce risk and performance metrics for millions of financial securities. Previously, we were running a single version of this application, but needed to expand it to allow for customizations based on client demand. With the goal of running hundreds of custom Risk Model runs at once at an output size of around 1TB of data each, we had a challenging technical problem on our hands! In this presentation, we’ll talk about the challenges we faced replatforming this application to Spark, how we solved them, and the benefits we saw.
Some things we’ll touch on include how we created customized models, the architecture of our machine learning application, how we maintain an audit trail of data transformations (for rigorous third party audits), and how we validate the input data our model takes in and output data our model produces. We want the attendees to walk away with some key ideas of what worked for us when productizing a large scale machine learning platform.
This document provides tips and tricks for debugging Arbortext applications. It discusses challenges like debugging components with multiple interfaces and custom code. It recommends using messages like response() and eval to monitor state, and debugging tools like the Java console. It also suggests adding debug messages programmatically, using binary search, and getting a second set of eyes to help find bugs. Maintaining backups and good documentation are emphasized.
How to design a database that can ingest more than four million ...javier ramirez
In this session I will talk about the technical decisions we made when developing QuestDB, an open source time-series database compatible with Postgres, and how we managed to write more than four million rows per second without blocking or slowing down queries.
I will talk about things like (zero) garbage collection, instruction vectorization using SIMD, rewriting instead of reusing to shave off microseconds, taking advantage of advances in processors, hard drives and operating systems, such as support for io_uring, and the balance between user experience and performance when new features are proposed.
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...CODE BLUE
One of the most prevalent methods used by attackers to exploit vulnerabilities is ROP - Return Oriented Programming. Many times during the exploitation process, code will run very differently than it does usually - calls will be made to the middle of functions, functions won’t return to their callers, etc. These anomalies in control flow could be detected if a log of all instructions executed by the processor were available.
In the past, tracing the execution of a processor incurred a significant slowdown, rendering such an anti-exploitation method impractical. However, recent Intel processors, such as Broadwell and Skylake, are now able to trace execution with low overhead, via a feature called Processor Trace. A similar feature called CoreSight exists on new ARM processors.
The lecture will discuss an anti-exploitation system we built which scans files and detects control flow violations by using these new processor features.
--- Ron Shina
Ron has been staring at binary code for over the past decade, occasionally running it. Having spent a lot of his time doing mathematics, he enjoys searching for algorithmic opportunities in security research and reverse engineering. He is a graduate of the Israel Defense Forces’ Talpiot program. In his spare time he works on his jump shot.
--- Shlomi Oberman
Shlomi Oberman is an independent security researcher with over a decade of experience in security research. Shlomi spent many years in the attacker’s shoes for different companies and knows too well how hard it is to stop a determined attacker. In the past years his interest has shifted from breaking things to helping stop exploits – while software is written and after it has shipped. Shlomi is a veteran of the IDF Intelligence Corps and used to head the security research efforts at NSO Group and other companies.
Debugging Complex Systems - Erlang Factory SF 2015lpgauth
Debugging complex systems can be difficult. Luckily, the Erlang ecosystem is full of tools to help you out. With the right mindset and the right tools, debugging complex Erlang systems can be easy. In this talk, I'll share the debugging methodology I've developed over the years.
This document provides an introduction to the CSE 326: Data Structures course. It discusses the following key points in 3 sentences or less:
The course will cover common data structures and algorithms, how to choose the appropriate data structure for different needs, and how to justify design decisions through formal reasoning. It aims to help students become better developers by understanding fundamental data structures and when to apply them. The document provides examples of stacks and queues to illustrate abstract data types, data structures, and their implementations in different programming languages.
This document provides an overview of a Data Structures course. The course will cover basic data structures and algorithms used in software development. Students will learn about common data structures like lists, stacks, and queues; analyze the runtime of algorithms; and practice implementing data structures. The goal is for students to understand which data structures are appropriate for different problems and be able to justify design decisions. Key concepts covered include abstract data types, asymptotic analysis to evaluate algorithms, and the tradeoffs involved in choosing different data structure implementations.
Application Performance Troubleshooting 1x1 - Part 2 - Noch mehr Schweine und...rschuppe
Application Performance doesn't come easy. How to find the root cause of performance issues in modern and complex applications? All you have is a complaining user to start with?
In this presentation (mainly in German, but understandable for English speakers) I reprise the fundamentals of troubleshooting and present some new examples of how to tackle issues.
Follow up presentation to "Performance Trouble Shooting 101 - Schweine, Schlangen und Papierschnitte"
Illuminate - Performance Analytics driven by Machine LearningjClarity
illuminate is a machine learning-based performance analytics tool that automatically diagnoses performance issues in servers and applications without human intervention. It has a small memory, CPU, and network footprint, uses adaptive machine learning to interpret data and scale with applications, and provides a holistic view of both application and system performance across servers. illuminate identifies the largest bottlenecks through machine learning, aggregates similar issues across servers, and auto-triggers on SLA breaches. It supports Linux systems and has a secure web-based dashboard.
Tracing the Breadcrumbs: Apache Spark Workload DiagnosticsDatabricks
Have you ever hit mysterious random process hangs, performance regressions, or OOM errors that leave barely any useful traces, yet are hard or expensive to reproduce? No matter how tricky the bugs are, they always leave some breadcrumbs along the way.
This document discusses various patterns for real-time streaming analytics. It begins by providing background on data analytics and how real-time streaming has become important for use cases where insights need to be generated very quickly. It then covers basic patterns like preprocessing, alerts and thresholds, counting, and joining event streams. Further patterns discussed include detecting trends, interacting with databases, running batch and real-time queries, and using machine learning models. The document also reviews tools for implementing real-time analytics like stream processing frameworks and complex event processing. Finally, it provides examples of implementing several patterns in Storm and WSO2 CEP.
This tutorial will discuss and demonstrate how to implement different real-time streaming analytics patterns. We will start with counting use cases and progress into complex patterns like time windows, tracking objects, and detecting trends. We will start with Apache Storm and progress into Complex Event Processing based technologies.
In this talk, Azlam Abdulsalam and Ramzi Akremi will share their experiences from an ongoing Salesforce program, describing how they build, deploy and maintain 20+ unlocked packages through a highly optimised pipeline.
(ATS3-PLAT07) Pipeline Pilot Protocol Tips, Tricks, and ChallengesBIOVIA
This document provides tips and tricks for using Pipeline Pilot, including how to use protocol search, favorites bar, tool tips, component profiling, design mode, protocol recovery, recursion vs looping, merge/join operations, debugging tips, and RTC subprotocols. It emphasizes best practices like avoiding loops and using recursion instead. Design mode and checkpoints are highlighted as useful debugging aids. Resources like training, support, and the user community are recommended for additional help.
The document discusses migrating a data warehouse to the Databricks Lakehouse Platform. It outlines why legacy data warehouses are struggling, how the Databricks Platform addresses these issues, and key considerations for modern analytics and data warehousing. The document then provides an overview of the migration methodology, approach, strategies, and key takeaways for moving to a lakehouse on Databricks.
Data Lakehouse Symposium | Day 1 | Part 1Databricks
The world of data architecture began with applications. Next came data warehouses. Then text was organized into a data warehouse.
Then one day the world discovered a whole new kind of data that was being generated by organizations. The world found that machines generated data that could be transformed into valuable insights. This was the origin of what is today called the data lakehouse. The evolution of data architecture continues today.
Come listen to industry experts describe this transformation of ordinary data into a data architecture that is invaluable to business. Simply put, organizations that take data architecture seriously are going to be at the forefront of business tomorrow.
This is an educational event.
Several of the authors of the book Building the Data Lakehouse will be presenting at this symposium.
Data Lakehouse Symposium | Day 1 | Part 2Databricks
The world of data architecture began with applications. Next came data warehouses. Then text was organized into a data warehouse.
Then one day the world discovered a whole new kind of data that was being generated by organizations. The world found that machines generated data that could be transformed into valuable insights. This was the origin of what is today called the data lakehouse. The evolution of data architecture continues today.
Come listen to industry experts describe this transformation of ordinary data into a data architecture that is invaluable to business. Simply put, organizations that take data architecture seriously are going to be at the forefront of business tomorrow.
This is an educational event.
Several of the authors of the book Building the Data Lakehouse will be presenting at this symposium.
The document discusses the challenges of modern data, analytics, and AI workloads. Most enterprises struggle with siloed data systems that make integration and productivity difficult. The future of data lies with a data lakehouse platform that can unify data engineering, analytics, data warehousing, and machine learning workloads on a single open platform. The Databricks Lakehouse platform aims to address these challenges with its open data lake approach and capabilities for data engineering, SQL analytics, governance, and machine learning.
5 Critical Steps to Clean Your Data Swamp When Migrating Off of HadoopDatabricks
In this session, learn how to quickly supplement your on-premises Hadoop environment with a simple, open, and collaborative cloud architecture that enables you to generate greater value with scaled application of analytics and AI on all your data. You will also learn five critical steps for a successful migration to the Databricks Lakehouse Platform along with the resources available to help you begin to re-skill your data teams.
Democratizing Data Quality Through a Centralized PlatformDatabricks
Bad data leads to bad decisions and broken customer experiences. Organizations depend on complete and accurate data to power their business, maintain efficiency, and uphold customer trust. With thousands of datasets and pipelines running, how do we ensure that all data meets quality standards, and that expectations are clear between producers and consumers? Investing in shared, flexible components and practices for monitoring data health is crucial for a complex data organization to rapidly and effectively scale.
At Zillow, we built a centralized platform to meet our data quality needs across stakeholders. The platform is accessible to engineers, scientists, and analysts, and seamlessly integrates with existing data pipelines and data discovery tools. In this presentation, we will provide an overview of our platform’s capabilities, including:
Giving producers and consumers the ability to define and view data quality expectations using a self-service onboarding portal
Performing data quality validations using libraries built to work with Spark
Dynamically generating pipelines that can be abstracted away from users
Flagging data that doesn’t meet quality standards at the earliest stage and giving producers the opportunity to resolve issues before use by downstream consumers
Exposing data quality metrics alongside each dataset to provide producers and consumers with a comprehensive picture of health over time
Learn to Use Databricks for Data ScienceDatabricks
Data scientists face numerous challenges throughout the data science workflow that hinder productivity. As organizations continue to become more data-driven, a collaborative environment is more critical than ever — one that provides easier access and visibility into the data, reports and dashboards built against the data, reproducibility, and insights uncovered within the data. Join us to hear how Databricks’ open and collaborative platform simplifies data science by enabling you to run all types of analytics workloads, from data preparation to exploratory analysis and predictive analytics, at scale — all on one unified platform.
Why APM Is Not the Same As ML MonitoringDatabricks
Application performance monitoring (APM) has become the cornerstone of software engineering allowing engineering teams to quickly identify and remedy production issues. However, as the world moves to intelligent software applications that are built using machine learning, traditional APM quickly becomes insufficient to identify and remedy production issues encountered in these modern software applications.
As a lead software engineer at NewRelic, my team built high-performance monitoring systems including Insights, Mobile, and SixthSense. As I transitioned to building ML Monitoring software, I found the architectural principles and design choices underlying APM to not be a good fit for this brand new world. In fact, blindly following APM designs led us down paths that would have been better left unexplored.
In this talk, I draw upon my (and my team’s) experience building an ML Monitoring system from the ground up and deploying it on customer workloads running large-scale ML training with Spark as well as real-time inference systems. I will highlight how the key principles and architectural choices of APM don’t apply to ML monitoring. You’ll learn why, understand what ML Monitoring can successfully borrow from APM, and hear what is required to build a scalable, robust ML Monitoring architecture.
The Function, the Context, and the Data—Enabling ML Ops at Stitch FixDatabricks
Autonomy and ownership are core to working at Stitch Fix, particularly on the Algorithms team. We enable data scientists to deploy and operate their models independently, with minimal need for handoffs or gatekeeping. By writing a simple function and calling out to an intuitive API, data scientists can harness a suite of platform-provided tooling meant to make ML operations easy. In this talk, we will dive into the abstractions the Data Platform team has built to enable this. We will go over the interface data scientists use to specify a model and what that hooks into, including online deployment, batch execution on Spark, and metrics tracking and visualization.
Stage Level Scheduling Improving Big Data and AI IntegrationDatabricks
In this talk, I will dive into the stage level scheduling feature added to Apache Spark 3.1. Stage level scheduling extends upon Project Hydrogen by improving big data ETL and AI integration and also enables multiple other use cases. It is beneficial any time the user wants to change container resources between stages in a single Apache Spark application, whether those resources are CPU, Memory or GPUs. One of the most popular use cases is enabling end-to-end scalable Deep Learning and AI to efficiently use GPU resources. In this type of use case, users read from a distributed file system, do data manipulation and filtering to get the data into a format that the Deep Learning algorithm needs for training or inference and then sends the data into a Deep Learning algorithm. Using stage level scheduling combined with accelerator aware scheduling enables users to seamlessly go from ETL to Deep Learning running on the GPU by adjusting the container requirements for different stages in Spark within the same application. This makes writing these applications easier and can help with hardware utilization and costs.
There are other ETL use cases where users want to change CPU and memory resources between stages, for instance when there is data skew or the data size is much larger in certain stages of the application. In this talk, I will go over the feature details, cluster requirements, the API and use cases. I will demo how the stage level scheduling API can be used by Horovod to seamlessly go from data preparation to training using the TensorFlow Keras API on GPUs.
The talk will also touch on other new Apache Spark 3.1 functionality, such as pluggable caching, which can be used to enable faster dataframe access when operating from GPUs.
Simplify Data Conversion from Spark to TensorFlow and PyTorchDatabricks
In this talk, I would like to introduce an open-source tool built by our team that simplifies the data conversion from Apache Spark to deep learning frameworks.
Imagine you have a large dataset, say 20 GBs, and you want to use it to train a TensorFlow model. Before feeding the data to the model, you need to clean and preprocess your data using Spark. Now you have your dataset in a Spark DataFrame. When it comes to the training part, you may have the problem: How can I convert my Spark DataFrame to some format recognized by my TensorFlow model?
The existing data conversion process can be tedious. For example, to convert an Apache Spark DataFrame to a TensorFlow Dataset file format, you need to either save the Apache Spark DataFrame on a distributed filesystem in Parquet format and load the converted data with third-party tools such as Petastorm, or save it directly in TFRecord files with spark-tensorflow-connector and load it back using TFRecordDataset. Both approaches take more than 20 lines of code to manage the intermediate data files, rely on different parsing syntax, and require extra attention for handling vector columns in the Spark DataFrames. In short, all these engineering frictions greatly reduce data scientists’ productivity.
The Databricks Machine Learning team contributed a new Spark Dataset Converter API to Petastorm to simplify these tedious data conversion steps. With the new API, it takes a few lines of code to convert a Spark DataFrame to a TensorFlow Dataset or a PyTorch DataLoader with default parameters.
In the talk, I will use an example to show how to use the Spark Dataset Converter to train a Tensorflow model and how simple it is to go from single-node training to distributed training on Databricks.
Scaling your Data Pipelines with Apache Spark on KubernetesDatabricks
There is no doubt Kubernetes has emerged as the next generation of cloud native infrastructure to support a wide variety of distributed workloads. Apache Spark has evolved to run both machine learning and large scale analytics workloads. There is growing interest in running Apache Spark natively on Kubernetes. By combining the flexibility of Kubernetes with scalable data processing in Apache Spark, you can run any data and machine learning pipelines on this infrastructure while effectively utilizing the resources at your disposal.
In this talk, Rajesh Thallam and Sougata Biswas will share how to effectively run your Apache Spark applications on Google Kubernetes Engine (GKE) and Google Cloud Dataproc, and how to orchestrate data and machine learning pipelines with managed Apache Airflow on GKE (Google Cloud Composer). The following topics will be covered:
Understanding key traits of Apache Spark on Kubernetes
Things to know when running Apache Spark on Kubernetes, such as autoscaling
Demonstrating analytics pipelines running on Apache Spark, orchestrated with Apache Airflow on a Kubernetes cluster
Scaling and Unifying SciKit Learn and Apache Spark PipelinesDatabricks
Pipelines have become ubiquitous, as the need for stringing multiple functions to compose applications has gained adoption and popularity. Common pipeline abstractions such as “fit” and “transform” are even shared across divergent platforms such as Python Scikit-Learn and Apache Spark.
Scaling pipelines at the level of simple functions is desirable for many AI applications; however, it is not directly supported by Ray’s parallelism primitives. In this talk, Raghu will describe a pipeline abstraction that takes advantage of Ray’s compute model to efficiently scale arbitrarily complex pipeline workflows. He will demonstrate how this abstraction cleanly unifies pipeline workflows across multiple platforms such as Scikit-Learn and Spark, and achieves nearly optimal scale-out parallelism on pipelined computations.
Attendees will learn how pipelined workflows can be mapped to Ray’s compute model and how they can both unify and accelerate their pipelines with Ray.
Sawtooth Windows for Feature AggregationsDatabricks
In this talk about zipline, we will introduce a new type of windowing construct called a sawtooth window. We will describe various properties of sawtooth windows that we utilize to achieve online-offline consistency, while still maintaining high throughput, low read latency and tunable write latency for serving machine learning features. We will also talk about a simple deployment strategy for correcting feature drift due to operations that are not “abelian groups” operating over change data.
We want to present multiple anti-patterns utilizing Redis in unconventional ways to get the maximum out of Apache Spark. All examples presented are tried and tested in production at scale at Adobe. The most common integration is spark-redis, which interfaces with Redis as a DataFrame backing store or as an upstream for Structured Streaming. We deviate from the common use cases to explore where Redis can plug gaps while scaling out high-throughput applications in Spark.
Niche 1: Long Running Spark Batch Job – Dispatch New Jobs by polling a Redis Queue
- Why?
  - Custom queries on top of a table: we load the data once and query it N times
- Why not Structured Streaming?
- Working solution using Redis
Niche 2: Distributed Counters
- Problems with Spark Accumulators
- Utilize Redis Hashes as distributed counters
- Precautions for retries and speculative execution
- Pipelining to improve performance
Re-imagine Data Monitoring with whylogs and SparkDatabricks
In the era of microservices, decentralized ML architectures and complex data pipelines, data quality has become a bigger challenge than ever. When data is involved in complex business processes and decisions, bad data can, and will, affect the bottom line. As a result, ensuring data quality across the entire ML pipeline is both costly, and cumbersome while data monitoring is often fragmented and performed ad hoc. To address these challenges, we built whylogs, an open source standard for data logging. It is a lightweight data profiling library that enables end-to-end data profiling across the entire software stack. The library implements a language and platform agnostic approach to data quality and data monitoring. It can work with different modes of data operations, including streaming, batch and IoT data.
In this talk, we will provide an overview of the whylogs architecture, including its lightweight statistical data collection approach and various integrations. We will demonstrate how the whylogs integration with Apache Spark achieves large scale data profiling, and we will show how users can apply this integration into existing data and ML pipelines.
Raven: End-to-end Optimization of ML Prediction QueriesDatabricks
Machine learning (ML) models are typically part of prediction queries that consist of a data processing part (e.g., for joining, filtering, cleaning, featurization) and an ML part invoking one or more trained models. In this presentation, we identify significant and unexplored opportunities for optimization. To the best of our knowledge, this is the first effort to look at prediction queries holistically, optimizing across both the ML and SQL components.
We will present Raven, an end-to-end optimizer for prediction queries. Raven relies on a unified intermediate representation that captures both data processing and ML operators in a single graph structure.
This allows us to introduce optimization rules that
(i) reduce unnecessary computations by passing information between the data processing and ML operators,
(ii) leverage operator transformations (e.g., turning a decision tree to a SQL expression or an equivalent neural network) to map operators to the right execution engine, and
(iii) integrate compiler techniques to take advantage of the most efficient hardware backend (e.g., CPU, GPU) for each operator.
We have implemented Raven as an extension to Spark’s Catalyst optimizer to enable the optimization of SparkSQL prediction queries. Our implementation also allows the optimization of prediction queries in SQL Server. As we will show, Raven is capable of improving prediction query performance on Apache Spark and SQL Server by up to 13.1x and 330x, respectively. For complex models, where GPU acceleration is beneficial, Raven provides up to 8x speedup compared to state-of-the-art systems. As part of the presentation, we will also give a demo showcasing Raven in action.
Processing Large Datasets for ADAS Applications using Apache SparkDatabricks
Semantic segmentation is the classification of every pixel in an image/video. The segmentation partitions a digital image into multiple objects to simplify/change the representation of the image into something that is more meaningful and easier to analyze [1][2]. The technique has a wide variety of applications ranging from perception in autonomous driving scenarios to cancer cell segmentation for medical diagnosis.
Exponential growth in the datasets that require such segmentation is driven by improvements in the accuracy and quality of the sensors generating the data extending to 3D point cloud data. This growth is further compounded by exponential advances in cloud technologies enabling the storage and compute available for such applications. The need for semantically segmented datasets is a key requirement to improve the accuracy of inference engines that are built upon them.
Streamlining the accuracy and efficiency of these systems directly affects the value of the business outcome for organizations that are developing such functionalities as a part of their AI strategy.
This presentation details workflows for labeling, preprocessing, modeling, and evaluating performance/accuracy. Scientists and engineers leverage domain-specific features/tools that support the entire workflow from labeling the ground truth, handling data from a wide variety of sources/formats, developing models and finally deploying these models. Users can scale their deployments optimally on GPU-based cloud infrastructure to build accelerated training and inference pipelines while working with big datasets. These environments are optimized for engineers to develop such functionality with ease and then scale against large datasets with Spark-based clusters on the cloud.
Massive Data Processing in Adobe Using Delta LakeDatabricks
At Adobe Experience Platform, we ingest TBs of data every day and manage PBs of data for our customers as part of the Unified Profile Offering. At the heart of this is a bunch of complex ingestion of a mix of normalized and denormalized data with various linkage scenarios powered by a central Identity Linking Graph. This helps power various marketing scenarios that are activated in multiple platforms and channels like email, advertisements etc. We will go over how we built a cost effective and scalable data pipeline using Apache Spark and Delta Lake and share our experiences.
What are we storing?
Multi Source – Multi Channel Problem
Data Representation and Nested Schema Evolution
Performance Trade Offs with Various formats
Go over anti-patterns used
(String FTW)
Data Manipulation using UDFs
Writer Worries and How to Wipe them Away
Staging Tables FTW
Datalake Replication Lag Tracking
Performance Time!
End-to-end pipeline agility - Berlin Buzzwords 2024Lars Albertsson
We describe how we achieve high change agility in data engineering by eliminating the fear of breaking downstream data pipelines through end-to-end pipeline testing, and by using schema metaprogramming to safely eliminate boilerplate involved in changes that affect whole pipelines.
A quick poll on agility in changing pipelines from end to end indicated a huge span in capabilities. For the question "How long does it take for all downstream pipelines to be adapted to an upstream change," the median response was 6 months, but some respondents could do it in less than a day. When quantitative data engineering differences between the best and worst are measured, the span is often 100x-1000x, sometimes even more.
A long time ago, we suffered at Spotify from fear of changing pipelines due to not knowing what the impact might be downstream. We made plans for a technical solution to test pipelines end-to-end to mitigate that fear, but the effort failed for cultural reasons. We eventually solved this challenge, but in a different context. In this presentation we will describe how we test full pipelines effectively by manipulating workflow orchestration, which enables us to make changes in pipelines without fear of breaking downstream.
Making schema changes that affect many jobs also involves a lot of toil and boilerplate. Using schema-on-read mitigates some of it, but has drawbacks since it makes it more difficult to detect errors early. We will describe how we have rejected this tradeoff by applying schema metaprogramming, eliminating boilerplate but keeping the protection of static typing, thereby further improving agility to quickly modify data pipelines without fear.
Learn SQL from basic queries to Advance queriesmanishkhaire30
Dive into the world of data analysis with our comprehensive guide on mastering SQL! This presentation offers a practical approach to learning SQL, focusing on real-world applications and hands-on practice. Whether you're a beginner or looking to sharpen your skills, this guide provides the tools you need to extract, analyze, and interpret data effectively.
Key Highlights:
Foundations of SQL: Understand the basics of SQL, including data retrieval, filtering, and aggregation.
Advanced Queries: Learn to craft complex queries to uncover deep insights from your data.
Data Trends and Patterns: Discover how to identify and interpret trends and patterns in your datasets.
Practical Examples: Follow step-by-step examples to apply SQL techniques in real-world scenarios.
Actionable Insights: Gain the skills to derive actionable insights that drive informed decision-making.
Join us on this journey to enhance your data analysis capabilities and unlock the full potential of SQL. Perfect for data enthusiasts, analysts, and anyone eager to harness the power of data!
#DataAnalysis #SQL #LearningSQL #DataInsights #DataScience #Analytics
Orchestrating the Future: Navigating Today's Data Workflow Challenges with Ai...Kaxil Naik
Navigating today's data landscape isn't just about managing workflows; it's about strategically propelling your business forward. Apache Airflow has stood out as the benchmark in this arena, driving data orchestration forward since its early days. As we dive into the complexities of our current data-rich environment, where the sheer volume of information and its timely, accurate processing are crucial for AI and ML applications, the role of Airflow has never been more critical.
In my journey as the Senior Engineering Director and a pivotal member of Apache Airflow's Project Management Committee (PMC), I've witnessed Airflow transform data handling, making agility and insight the norm in an ever-evolving digital space. At Astronomer, our collaboration with leading AI & ML teams worldwide has not only tested but also proven Airflow's mettle in delivering data reliably and efficiently—data that now powers not just insights but core business functions.
This session is a deep dive into the essence of Airflow's success. We'll trace its evolution from a budding project to the backbone of data orchestration it is today, constantly adapting to meet the next wave of data challenges, including those brought on by Generative AI. It's this forward-thinking adaptability that keeps Airflow at the forefront of innovation, ready for whatever comes next.
The ever-growing demands of AI and ML applications have ushered in an era where sophisticated data management isn't a luxury—it's a necessity. Airflow's innate flexibility and scalability are what makes it indispensable in managing the intricate workflows of today, especially those involving Large Language Models (LLMs).
This talk isn't just a rundown of Airflow's features; it's about harnessing these capabilities to turn your data workflows into a strategic asset. Together, we'll explore how Airflow remains at the cutting edge of data orchestration, ensuring your organization is not just keeping pace but setting the pace in a data-driven future.
Session in https://budapestdata.hu/2024/04/kaxil-naik-astronomer-io/ | https://dataml24.sessionize.com/session/667627
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data LakeWalaa Eldin Moustafa
Dynamic policy enforcement is becoming an increasingly important topic in today’s world where data privacy and compliance is a top priority for companies, individuals, and regulators alike. In these slides, we discuss how LinkedIn implements a powerful dynamic policy enforcement engine, called ViewShift, and integrates it within its data lake. We show the query engine architecture and how catalog implementations can automatically route table resolutions to compliance-enforcing SQL views. Such views have a set of very interesting properties: (1) They are auto-generated from declarative data annotations. (2) They respect user-level consent and preferences. (3) They are context-aware, encoding a different set of transformations for different use cases. (4) They are portable; while the SQL logic is only implemented in one SQL dialect, it is accessible in all engines.
#SQL #Views #Privacy #Compliance #DataLake
Scaling Security Threat Detection with Apache Spark and Databricks
2. Scaling Security Threat Detection with Spark and Databricks
Josh Gillner
Apple Detection Engineering
3. Who are we? - Apple Detection Engineering
▪ Protecting Apple’s Systems
▪ Finding & responding to security threats using log data
▪ Threat research and hunting
^^^ Looking for this guy
9. Problem #1 — Development Overhead
▪ Average time to write, test, and deploy a basic detection === 1 week
▪ New ideas/week > deployed jobs/week (unsustainable)
▪ Writing scalatests, preserving test samples…testing is too cumbersome
▪ > 60% of new code is boilerplate (!!)
10. Problem #2 — Mo’ Detections, Mo’ Problems
▪ Want to add a cool new feature to all detections? Refactor many different notebooks
▪ Want to configure multiple detections at once? Config all over the place in disparate notebooks
▪ Ongoing tuning and maintenance? One-off tuning doesn’t scale to hundreds of detections
11. Problem #3 — No Support for Common Patterns
Things people often do (but must write code for):
▪ Common enrichments or exclusions
▪ Creating and using statistical baselines
▪ Write detection test using scalatest
…everyone implements in a different way
…fixes/updates must be applied in 10 places
14. Input
▪ All detection begins with input loading
▪ Pass in inputs through config object
▪ External control through config
  ▪ decide spark.read vs .readStream
  ▪ path, schema, format
  ▪ no hardcoding -> dynamic input behavior
▪ Abstracts away details of getting data
^^^ This should not change if someDataset is a production table or test sample file
15. Detection and Alert Abstraction
▪ Logic is described in form of Spark DataFrame
▪ Supports additional post-processing transformation
▪ Basic interface for consumption by other code

The interface as drawn on the slide, as a Scala sketch (member bodies were elided on the original):

  trait Detection {
    val config: DetectionConfig            // input and other runtime configs; also drives test generation
    val alerts: Map[String, Alert]
  }

  trait Alert {
    def df: DataFrame                      /* alert logic here */
    val modules: ArrayBuffer[Transformer]  // post-processing transforms, applied in order
    def PostProcessor(input: DataFrame): DataFrame = ???
  }
16. Emitter
▪ Takes output from Alert and sends it elsewhere
▪ Also schedules the job in Spark cluster
Alert -> MemoryEmitter -> In-memory Table
Alert -> FileEmitter -> DBFS on AWS S3
Alert -> KinesisEmitter -> AWS Kinesis
17. Config Inference
▪ If things can (and should) be changed, move it outside of code
  ▪ eg. detection name, description, input dataset, emitter
▪ Where possible, supply a sane default or infer them

DetectionConfigInfer derives values such as the checkpoint location from what is supplied (the path segments are blank in the extracted slide):

  name = "CodeRed: Something Has Happened"
  alertName = "JoshsCoolDetection"
  version = "1"
  val checkpointLocation: String = "dbfs:/mnt/defaultbucket/chk/detection/ / / .chk/"
18. Config Inheritance
▪ Fine-grained configurability
▪ Could be multiple Alerts in same Detection
▪ Individually configurable, otherwise inherit parent config
Detection (val config: DetectionConfig) -> Alert, Alert, Alert
19. Modular Pre/PostProcessing
Preprocessing
▪ DataFrame -> DataFrame transform applied to input dataset
▪ Supplied in config
▪ Useful for things like date filtering without changing detection
Postprocessing
▪ Mutable Seq of transform functions inside Detection
▪ Applied sequentially to output
foreachBatch Transformers
▪ Some operations not stream-safe
▪ Where the crazy stuff happens
20. Manual Tuning Lifecycle
▪ Tuning overhead scales with number of detections
▪ Feedback loop can take days while analysts suffer :(
▪ This needs to be faster… ideally automated and self-service
The cycle: the data/environment changes -> false positive alerts -> analyst requests tuning (pain) -> DE tweaks detection -> back to the start
22. Complex Exclusions
▪ Arbitrary SQL expressions applied on all results in forEachBatch
▪ Stored in rev-controlled TSV
▪ Integrated into Detection Test CI…malformed or over-selective items will fail tests
▪ Preservation of excluded alerts in a separate table
Eventually, detections look like this >>>
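A worked version of the exclusion mechanism on this slide, added here as an example (it is not code from the deck). It is Python with an in-memory sqlite3 table standing in for the Spark batch so that it runs without a cluster; the alert fields, the TSV contents and the 50% over-selectivity threshold are this example's own assumptions. It applies each expression to the batch, records excluded alerts in a separate table with the name of the exclusion that claimed them, and includes the CI lint that fails malformed or over-selective rows. One caveat a reviewer should insist on: the expressions are interpolated into a query, so they are code and must only ever come from the reviewed, revision-controlled file, never from a runtime or user-supplied input.

```python
import csv
import io
import sqlite3

# Constructed sample batch, as a detection would hand it to foreachBatch
# (field names and values are invented for this example).
SAMPLE_ALERTS = [
    {"id": 1, "host": "build-01", "username": "jenkins", "process": "/usr/bin/curl", "dest": "10.0.5.20"},
    {"id": 2, "host": "laptop-77", "username": "alice", "process": "/usr/bin/curl", "dest": "203.0.113.9"},
    {"id": 3, "host": "build-02", "username": "jenkins", "process": "/bin/bash", "dest": "10.0.5.21"},
    {"id": 4, "host": "laptop-12", "username": "bob", "process": "/tmp/x", "dest": "198.51.100.7"},
]

# Constructed stand-in for the revision-controlled exclusions TSV: one row per
# exclusion, an identifier plus an arbitrary boolean SQL expression. These rows
# are code: they are interpolated into a query, so they must only ever come from
# the reviewed file, never from a runtime or user-supplied input.
EXCLUSIONS_TSV = """name\texpression
build_hosts_curl\thost LIKE 'build-%' AND username = 'jenkins' AND process = '/usr/bin/curl'
internal_dest\tdest LIKE '10.%'
"""

COLUMNS = ("id", "host", "username", "process", "dest")


def load_exclusions(tsv_text):
    """Parse the TSV into (name, expression) pairs, preserving file order."""
    rows = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    return [(r["name"], r["expression"]) for r in rows]


def _batch_connection(alerts):
    """In-memory sqlite3 table standing in for the Spark batch DataFrame."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE batch (id INTEGER, host TEXT, username TEXT, process TEXT, dest TEXT)")
    conn.executemany("INSERT INTO batch VALUES (?, ?, ?, ?, ?)",
                     [tuple(a[c] for c in COLUMNS) for a in alerts])
    return conn


def apply_exclusions(alerts, exclusions):
    """Return (ids to emit, {excluded id: exclusion name}).

    Excluded alerts are written to a separate table together with the name of
    the exclusion that claimed them, so tuning decisions stay auditable.
    """
    conn = _batch_connection(alerts)
    conn.execute("CREATE TABLE excluded_alerts (id INTEGER PRIMARY KEY, exclusion TEXT)")
    for name, expr in exclusions:
        # OR IGNORE: the first exclusion (in file order) to match an alert is the one recorded
        conn.execute(f"INSERT OR IGNORE INTO excluded_alerts SELECT id, ? FROM batch WHERE ({expr})",
                     (name,))
    excluded = dict(conn.execute("SELECT id, exclusion FROM excluded_alerts ORDER BY id"))
    kept = [a["id"] for a in alerts if a["id"] not in excluded]
    return kept, excluded


def lint_exclusions(exclusions, sample, max_fraction=0.5):
    """CI check over a test sample: each expression must parse, and none may swallow
    more than max_fraction of the sample (an exclusion that matches everything is
    almost always a typo, not a tuning decision). Returns [(name, reason)]."""
    conn = _batch_connection(sample)
    problems = []
    for name, expr in exclusions:
        try:
            (n,) = conn.execute(f"SELECT COUNT(*) FROM batch WHERE ({expr})").fetchone()
        except sqlite3.Error as err:
            problems.append((name, f"malformed: {err}"))
            continue
        if n > max_fraction * len(sample):
            problems.append((name, f"over-selective: excludes {n} of {len(sample)} sample alerts"))
    return problems


if __name__ == "__main__":
    rules = load_exclusions(EXCLUSIONS_TSV)
    print(lint_exclusions(rules, SAMPLE_ALERTS))   # [] -> CI would pass
    print(apply_exclusions(SAMPLE_ALERTS, rules))   # ([2, 4], {1: 'build_hosts_curl', 3: 'internal_dest'})
```

Running the lint against the same Delta sample the detection test uses is what turns a typo in the TSV (a dangling `LIKE`, or a `1 = 1` pasted during tuning) into a failed PR instead of a silently muted detection.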
So….
23. Repetitive Investigations…What Happens?
• Analysts run queries in notebooks to investigate
• Most of these queries look the same, just different filter
Alert Orchestration System -> Analyst Review
24. Automated Investigation Templates
▪ Find corresponding template notebook
▪ Fill it out
▪ Attach to cluster
▪ Execute
Alert Orchestration System -> Workspace API
25. This lets us automate useful things like…
Interactive Process Trees in D3
Baselines of Typical Activity
26. Automated Containment
Machines can find, investigate, and contain issues without humans
Alert Orchestration System -> Automated Investigation (ODBC API) -> Contain Issue
• Run substantiating queries via ODBC
• Render verdict
27. Detection Testing
Why is it so painful?
▪ Preserving/exporting JSON samples
▪ Local SparkSession isn’t a real cluster
▪ Development happens in notebooks, testing happens in IDE
▪ Brittle to even small changes to schema, etc
28. Detection Functional Tests
▪ 85% reduction in test LoC
▪ write and run tests in notebooks!
▪ use Delta sample files in dbfs, no more exporting JSON
▪ scalatest generation using config and convention
Trait: DetectionTest
^^ this is a complete test ^^
29. Detection Test CI
Git PR -> CI System -> Workspace API -> Test Notebooks (/Alerts/Test/PRs/<Git PR number>_<Git commit hash>) -> Jobs API -> Build Scripts -> pass/fail
“Testing has never been this fun!!”
— detection engineers, probably
30. Jobs CI — Why?
▪ Managing hundreds of jobs in Databricks UI
▪ Each job has associated notebook, config, dbfs files
▪ No inventory of which jobs should be running, where
▪ We need job linting >>>
32. Deploy/Reconfigure Jobs with Single PR
CI System -> Config Linter -> Stacks CLI -> Jobs Helper
Jobs Helper: Deploy Job/Notebooks/Files; Kickstart/Restart; Set Permissions
33. Cool Things with Jobs CI!
▪ Deploy or reconfigure many jobs concurrently
▪ Auto job restarts on notebook/config change
▪ Standardization of retries, timeout, permissions
▪ Automate alarm creation for new jobs
^^^ No one likes manually crafting Stacks JSON — so we generate it
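The config linter and the standardization step from slides 30-33, as an added Python example rather than the deck's own tooling. The inventory format, the field names, the `/Alerts/Prod/` notebook root, the required analyst viewer group, the timeout bound and the alarm shape are all assumptions made for this example; a real pipeline would render the resulting spec into whatever the deploy tool (the Stacks CLI on the slide) expects. The linter covers the three failure modes the slides call out: duplicated or misplaced job definitions, configs that are not in the PR, and drift, i.e. jobs the workspace is running that no inventory entry accounts for.

```python
import copy

# Standard settings every detection job receives unless the inventory overrides them;
# the values, field names and group names are this example's assumptions.
DEFAULTS = {
    "max_retries": 2,
    "timeout_seconds": 3600,
    "permissions": [{"group": "detection-engineering", "level": "CAN_MANAGE"}],
}
REQUIRED_VIEWER = {"group": "soc-analysts", "level": "CAN_VIEW"}  # analysts must be able to see every job
NOTEBOOK_ROOT = "/Alerts/Prod/"
MAX_TIMEOUT = 4 * 3600

# Constructed inventory (what should be running), repo contents and workspace state.
INVENTORY = [
    {"name": "suspicious-egress", "notebook": "/Alerts/Prod/suspicious_egress", "config": "configs/suspicious_egress.json"},
    {"name": "lateral-movement", "notebook": "/Alerts/Prod/lateral_movement", "config": "configs/lateral.json", "timeout_seconds": 600},
    {"name": "stale-test", "notebook": "/Alerts/Test/stale", "config": "configs/stale.json"},
    {"name": "suspicious-egress", "notebook": "/Alerts/Prod/dup", "config": "configs/dup.json"},
]
REPO_FILES = {"configs/suspicious_egress.json", "configs/lateral.json", "configs/stale.json"}
RUNNING_JOBS = {"suspicious-egress", "lateral-movement", "old-experiment"}


def lint_inventory(inventory, repo_files, running_jobs):
    """Return a list of problems; an empty list means the PR may deploy."""
    problems, seen = [], set()
    for job in inventory:
        name = job.get("name", "<unnamed>")
        if name in seen:
            problems.append(f"{name}: duplicate job name")
        seen.add(name)
        if not job.get("notebook", "").startswith(NOTEBOOK_ROOT):
            problems.append(f"{name}: notebook outside {NOTEBOOK_ROOT}")
        if job.get("config") not in repo_files:
            problems.append(f"{name}: config file not in the repo")
        timeout = job.get("timeout_seconds", DEFAULTS["timeout_seconds"])
        if not 0 < timeout <= MAX_TIMEOUT:
            problems.append(f"{name}: timeout {timeout}s outside (0, {MAX_TIMEOUT}]")
    # Drift: anything the workspace runs that the inventory does not know about.
    for name in sorted(running_jobs - seen):
        problems.append(f"{name}: running but not in inventory")
    return problems


def render_job_spec(job):
    """Fill in the standard retries, timeout, permissions and alarm for one job,
    letting inventory fields override the defaults."""
    spec = copy.deepcopy(DEFAULTS)
    spec.update(job)
    if REQUIRED_VIEWER not in spec["permissions"]:
        spec["permissions"] = spec["permissions"] + [REQUIRED_VIEWER]
    spec["alarm"] = {"job": spec["name"], "on": "failure"}  # every new job gets an alarm
    return spec


if __name__ == "__main__":
    for problem in lint_inventory(INVENTORY, REPO_FILES, RUNNING_JOBS):
        print("FAIL", problem)
    print(render_job_spec(INVENTORY[1]))
```

The drift check is the part worth keeping even if nothing else is adopted: once jobs can only reach the workspace through the PR path, any job the workspace runs without an inventory entry is either a leftover experiment or something that bypassed review, and both deserve a failed build.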
35. Problem #1 — Cyclical Investigations
▪ Alert comes in, analysts spend hours looking into it
▪ But the same thing happened 3 months ago and was determined to be benign
▪ Lots of wasted cycles on duplicative investigations
36. Problem #2 — Disparate Context
▪ Want to find historical incident data?
  ▪ look in many different places
  ▪ many search UIs, syntaxes
▪ Manual, slow & painful
▪ New analysts won’t have historical knowledge
37. Problem #3 — Finding Patterns
Which incidents relate to other incidents?
Do we see common infrastructure, actors?
How much work is repeated?
Case #55557, Case #44447, Case #33337 } (Some IP Address)
38. Solution: Document Recommendations
▪ Collect all incident-related tickets, correspondence, and investigations
▪ Normalize them into a Delta table
▪ Automate suggestion of related knowledge using our own corpus of documents
Sources: Emails, Tickets, Alerts, Notebooks, Detection Code, Wikis
39. “Has This Happened Before?” -> Automated
Includes analyst comments and verdicts
displayHTML suggestions, clickable links to original document
41. Anatomy of an Alert
These are not valuable for search! (too common)
These are good indicators of document relevance
42. Entity Tokenization and Enrichment
Alert Payload -> Regex -> entities: IP Address, Domain, Hashes, Accounts, Serials, UDIDs, File Path, Emails, MAC Addresses
Enrichments: VPN Sessions, DHCP Sessions, Asset Data, Account Data
43. Suggestion Algorithm
▪ Gather match statistics for each entity:
  ▪ historical rarity
  ▪ document count rarity
  ▪ doc type distribution
▪ Compute entity weight based on average ranked percentiles of those features
▪ More common terms == less valuable
▪ Return the best n hits by confidence
▪ Not That Expensive™
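The tokenization from slide 42 and the weighting from slides 41 and 43, as an added Python example (not the deck's code). The regexes, the constructed corpus and alert, and the concrete reading of the three features (documents containing the entity, distinct document types, distinct days seen, each turned into a percentile among the alert's own entities) are this example's assumptions; the deck names the features but not their exact definitions. The constructed corpus is built so that the corporate mail relay IP appears in most documents of most types and therefore scores zero, which is the "too common, not valuable for search" point of slide 41, while the rare file path and hash carry the match.

```python
import re
from collections import defaultdict

# Regexes for a subset of the entity types on the slide; patterns are this example's own.
# Dict order is extraction priority: an earlier pattern claims its span, so the
# domain inside an e-mail address is not also reported as a bare domain.
ENTITY_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "hash": re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I),
    "mac": re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I),
    "path": re.compile(r"(?:/[\w.-]+){2,}"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|corp)\b", re.I),
}

# Constructed corpus of normalised documents of several types; "day" stands in for
# the timestamp used for historical rarity. Values are invented for this example.
CORPUS = [
    {"id": "T-1001", "type": "ticket", "day": 1, "text": "Beaconing from laptop-77 to 203.0.113.9; dropped file hash 44d88612fea8a8f36de82e1278abb02f; owner alice@example.corp; relay 10.0.0.5"},
    {"id": "T-1002", "type": "ticket", "day": 5, "text": "Phishing report from alice@example.corp, sender attacker@evil-mail.net via relay 10.0.0.5"},
    {"id": "E-0077", "type": "email", "day": 3, "text": "Re: relay maintenance on 10.0.0.5 tonight, cc alice@example.corp"},
    {"id": "A-0500", "type": "alert", "day": 4, "text": "curl egress: /usr/bin/curl from build-01 to 10.0.0.5"},
    {"id": "N-0009", "type": "notebook", "day": 6, "text": "Verdict benign: hash 44d88612fea8a8f36de82e1278abb02f is the EICAR test file, seen from 203.0.113.9"},
    {"id": "W-0001", "type": "wiki", "day": 2, "text": "Corporate SMTP relay is 10.0.0.5; route mail questions to alice@example.corp"},
]
ALERT_TEXT = ("Suspicious egress: laptop-77 ran /usr/bin/curl to 203.0.113.9, payload md5 "
              "44d88612fea8a8f36de82e1278abb02f, user alice@example.corp, via relay 10.0.0.5")


def tokenize(text):
    """Extract a set of (type, value) entities from free text."""
    found, masked = set(), text
    for etype, pat in ENTITY_PATTERNS.items():
        for m in pat.finditer(masked):
            found.add((etype, m.group().lower()))
        masked = pat.sub(lambda m: " " * len(m.group()), masked)  # blank the claimed span
    return found


def entity_stats(corpus):
    """Match statistics per entity: which documents, document types and days it appears in."""
    stats = defaultdict(lambda: {"docs": set(), "types": set(), "days": set()})
    for doc in corpus:
        for ent in tokenize(doc["text"]):
            stats[ent]["docs"].add(doc["id"])
            stats[ent]["types"].add(doc["type"])
            stats[ent]["days"].add(doc["day"])
    return stats


def entity_weights(entities, stats):
    """Weight = mean over the three features of the entity's ranked percentile among
    the alert's own entities (fraction of the others that are more common), so the
    rarest entity scores 1.0 and a term seen everywhere scores 0.0."""
    feats = {e: (len(stats[e]["docs"]), len(stats[e]["types"]), len(stats[e]["days"]))
             for e in entities}
    n = len(feats)
    weights = {}
    for ent, values in feats.items():
        pcts = []
        for i, v in enumerate(values):
            more_common = sum(1 for other, ov in feats.items() if other != ent and ov[i] > v)
            pcts.append(more_common / (n - 1) if n > 1 else 1.0)
        weights[ent] = sum(pcts) / len(pcts)
    return weights


def suggest(alert_text, corpus, n=3):
    """Return the best n (doc id, confidence) hits for an alert, confidence in [0, 1]."""
    stats = entity_stats(corpus)
    weights = entity_weights(tokenize(alert_text), stats)
    total = sum(weights.values()) or 1.0
    scores = defaultdict(float)
    for ent, w in weights.items():
        if w == 0.0:
            continue  # common to the whole corpus: no signal, and no need to scan its postings
        for doc_id in stats[ent]["docs"]:
            scores[doc_id] += w
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(doc_id, score / total) for doc_id, score in ranked[:n]]


if __name__ == "__main__":
    for doc_id, confidence in suggest(ALERT_TEXT, CORPUS):
        print(f"{doc_id}  {confidence:.2f}")
```

Skipping zero-weight entities is also what keeps this "not that expensive": the postings lists that would dominate the scan are exactly the ones for terms that occur everywhere, and those contribute nothing to the ranking.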