Cisco Launches Open-Source Security Analytics

Cisco has launched its open-source security analytics tool.

Released as the OpenSOC project, the idea is to create a collaborative development project dedicated to providing an extensible and scalable approach to analytics. It bills itself as a “Big Data security analytics framework designed to consume and monitor network traffic and machine exhaust data of a data center.”

Telemetry sources differ in every organization. The amount of telemetry that must be collected and stored in order to provide enough historical context also depends on the amount of data flowing through the network. Furthermore, relevant threat intelligence differs for each and every individual organization.

OpenSOC is thus designed, Cisco said, “to scale up to consume millions of messages per second, enrich them, run them through anomaly detection algorithms, and issue real-time alerts.”

Participants are asked to contribute openly: to propose additional features, to report deficiencies so that the tool becomes stable and functionally usable, and to identify the key feature enhancements that will drive the technology toward efficient security analytics.

“The OpenSOC framework helps organizations make big data part of their technical security strategy by providing a platform for the application of anomaly detection and incident forensics to the data loss problem,” said Pablo Salazar, a Cisco Security Solutions manager, in a blog post.

It builds on the Apache Hadoop framework and its ecosystem, including Storm, Kafka and Elasticsearch. Its capabilities include: extensible spouts and parsers for attaching OpenSOC to any telemetry source; anomaly detection and real-time, rules-based alerts for any telemetry stream; Hadoop-backed storage for telemetry streams with a customizable retention time; automated real-time indexing of telemetry streams, backed by Elasticsearch; telemetry correlation and SQL queries over data stored in Hadoop, backed by Hive; and ODBC/JDBC compatibility for integration with existing analytics tools.
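The pipeline described above (spout and parser, enrichment, rules-based alerting, anomaly detection, then indexing) can be illustrated end to end in a few dozen lines. The following Python is an added example written for this article, not OpenSOC's own code, which runs as Storm topologies in Java; the flow-record format, the threat-intelligence and asset lookups, the alert rules and the telemetry lines are all constructed for the example. The anomaly check uses a per-source running baseline (Welford's mean/variance) and flags a flow whose byte count lies more than three standard deviations above what that source has sent before.

```python
import math
import re
from collections import defaultdict

# Constructed sample telemetry lines in a syslog-style flow-record format assumed for this example.
SAMPLE_TELEMETRY = [
    "2014-09-24T10:00:01Z flow src=10.0.0.5 dst=198.51.100.7 dport=443 bytes=1200",
    "2014-09-24T10:00:02Z flow src=10.0.0.5 dst=198.51.100.7 dport=443 bytes=1300",
    "2014-09-24T10:00:03Z flow src=10.0.0.5 dst=198.51.100.7 dport=443 bytes=1100",
    "2014-09-24T10:00:04Z flow src=10.0.0.5 dst=203.0.113.9 dport=4444 bytes=900",
    "2014-09-24T10:00:05Z flow src=10.0.0.5 dst=198.51.100.7 dport=443 bytes=950000",
    "not a flow record",
]

# Constructed enrichment sources: a threat-intel blocklist and an asset inventory.
THREAT_INTEL = {"203.0.113.9": "known-c2"}
ASSETS = {"10.0.0.5": "finance-workstation"}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse(line):
    """Parser stage: turn one raw line into a structured message, or None if it does not parse."""
    match = FLOW_RE.match(line)
    if match is None:
        return None
    msg = match.groupdict()
    msg["dport"] = int(msg["dport"])
    msg["bytes"] = int(msg["bytes"])
    return msg


def enrich(msg):
    """Enrichment stage: attach threat-intel and asset context without mutating the input."""
    enriched = dict(msg)
    enriched["threat"] = THREAT_INTEL.get(msg["dst"])
    enriched["asset"] = ASSETS.get(msg["src"])
    return enriched


def rule_alerts(msg):
    """Rules-based alerting over an enriched message; returns a list of alert labels."""
    alerts = []
    if msg["threat"]:
        alerts.append(f"threat-intel-hit:{msg['dst']}:{msg['threat']}")
    if msg["dport"] not in (53, 80, 443):  # constructed allow-list of expected ports
        alerts.append(f"unusual-port:{msg['dport']}")
    return alerts


class Baseline:
    """Running mean and variance (Welford's algorithm) for one telemetry source."""

    def __init__(self):
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def zscore(self, x):
        """Standard score of x against the history so far; 0.0 until there are enough samples."""
        if self.n < 3:
            return 0.0
        sd = math.sqrt(self.m2 / (self.n - 1))
        return 0.0 if sd == 0 else (x - self.mean) / sd


def run_pipeline(lines, z_threshold=3.0):
    """Drive every line through parse -> enrich -> rules -> anomaly check -> index."""
    baselines = defaultdict(Baseline)
    result = {"indexed": [], "alerts": [], "parse_errors": 0}
    for line in lines:
        msg = parse(line)
        if msg is None:
            result["parse_errors"] += 1  # a real topology would route these to an error index
            continue
        msg = enrich(msg)
        alerts = rule_alerts(msg)
        baseline = baselines[msg["src"]]
        z = baseline.zscore(msg["bytes"])  # score against history before adding this sample
        if z > z_threshold:
            alerts.append(f"volume-anomaly:{msg['src']}:z={z:.1f}")
        baseline.update(msg["bytes"])
        msg["alerts"] = alerts
        result["indexed"].append(msg)  # stands in for the Elasticsearch/Hadoop write
        result["alerts"].extend(alerts)
    return result


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_TELEMETRY)["alerts"]:
        print(alert)
```

On the constructed input the fourth record raises both a threat-intel hit and an unusual-port alert, the fifth record trips the volume anomaly, and the malformed line is counted as a parse error rather than silently dropped. Scoring a flow before folding it into the baseline is deliberate: updating first would let a single huge outlier inflate the variance enough to hide itself.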

“When we built OpenSOC, one of our goals was to bring all of these pieces together into a single platform,” Salazar said. “Analysts can use a single tool to navigate data with narrowed focus instead of wasting precious time trying to make sense of mountains of unstructured data.”

OpenSOC has two repositories. OpenSOC-Streaming contains the topologies for processing, enriching, indexing and correlating telemetry messages, a PCAP reconstruction service and various other data services. OpenSOC-UI is for performing log and network packet analytics and for displaying alerts and errors.

Both are open-source under Apache 2.0 License.
