Technology Highlights Of. (Medusa)

Transcription

1 Technology Highlights Of CQCloud s NG-SIEM (Medusa)

2 Table of Contents 1. Genesis of Medusa 2. Philosophy of Medusa 3. Medusa At a Glance 4. Medusa Overview 5. Benefits 6. Implementations 1

3 1. Genesis of Medusa by Neil MacDonald April 12, 2011 Information Security is becoming a Big Data problem. By Dennis McCafferty on

4 2. Philosophy of Medusa CQCloud s Medusa is the Roadmap to the Next-Generation Security Platform. Because of Today s security professionals instead face a far more complex set of challenges.. - Rule-based systems are reactive not proactive. - Hacker motivations have been changed. - Data protection, system availability and risk management are all security priorities. 3

5 2. Philosophy of Medusa Now All IT Data is Security-Relevant Biz Vertical Applications Custom Applications Server Logs IPS RAS VPN Border Security Wireless Sec FW Vulnerability Data Anti- Virus Host IDS New Stresses for the Security Team Insider threat, fraud, advanced security threats increasing Need access to wide variety of data sources and types Need to process massive data volumes current and historical Situational awareness a huge challenge Slow, tedious, costly investigations Physical Sec Database Security Sec Windows re gistries Patch Mgmt DLP Host Config Vast Pool of Log Data 4

6 2. Philosophy of Medusa But existing Enterprise Security Solutions... Are too complex to implement, manage and scale Are Very expensive Don t support ad-hoc requests and investigations Can t keep up with dynamic policies Don t integrate well with other IT silos Only work with limited data sources 5

7 3. Medusa At a Glance Roadmap to the Next Generation Security Platform. DDoS Mitigation Service (24x7 SoC) DDoS Provisioning Solutions ( UTTM ) Intuitive Dashboard Modular SIEM for BigData Deep Packet Inspection Solution ( fdpi ) Big Data Engine Total integrated Security Management System CQCloud New Technologies CQCloud Medusa is the total integrated security management solution for ISP/IDC. It support both the traditional SIEM functions and CQCloud s Traffic Analysis technology. Endless roadmap to go to the Next Generation Security Platform endlessly. 6

8 3. Medusa At a Glance How is Medusa Different? Fast. Real-time(every 10 sec.) DDoS Detection & Analysis Scalable. Distributed architecture handles multiple datacenter Flexible. Ad-hoc analysis, correlation, alerting and reporting Adaptive. Keeps up with changing systems and data formats Cost Effective. Pay as you grow licensing minimizes cost Big Data Engine. Works with any data without complex adapters Service Oriented. Targeted for the service providers (customer portal) Intuitive Dashboard. Patented UX technology for text, image and video 7

9 3. Medusa At a Glance Fast - Real-time(every 10 sec.) DDoS Detection & Analysis Detection Network flow data is collected and analyzed for anomalous activity all in under 10 seconds for near real-time DDoS detection. Analysis The traffic dashboards include analytical views for Total Traffic, Protocol, TCP Destination Port, UDP Destination Port, TCP Flag, Source IP Top 10 for quick investigation and event analysis. Control Medusa can be integrated with security devices to issue control commands right from the Medusa console so that administrators can respond to incidents as they happen. Monitoring Comprehensive dashboards provide views and drilldowns on the entire network for real-time event monitoring. 8

10 3. Medusa At a Glance Scalable - Distributed architecture handles multiple datacenter Searcher Header Volume Universal Indexer Searcher Universal Indexer Universal Indexer Searcher Universal Indexer Universal Indexer Medusa s analysis system can be distributed across multiple servers for almost unlimited horizontal scaling. If the volume of collected data increases, another node can be configured and added to the system without any downtime. In this way Medusa as able to collect and analyze anywhere from MB to TB a day. Scaling as needed Network Monitoring DDoS Security Event Medusa SIEM Framework Additional Feature Security as a Service Medusa s system employs a modular architecture so that new features ( like Deep Packet Inspection) and new data sources can be added easily and painlessly. 9

11 3. Medusa At a Glance Flexible - Ad-hoc analysis, correlation, alerting and reporting Customizable Dashboards Medusa s offers a flexible GUI that allows users to customize their views and dashboards to meet their needs. Different users from different teams in the security organization need to look at different metrics in their own context. Medusa allows users to add and create new charts for their dashboards, displaying data in the way that provides the most meaning for them. Ad-hoc Search Medusa s real-time big data engine allows users to query huge amounts of data very quickly. The flexible command language lets them adjust their queries quickly for precise, fast data analysis Drilldowns All parts of the Medusa UI have an action or drilldown related to it so that users can zoom in on any part of their data or follow a trail of data points wherever it might lead. 10

12 3. Medusa At a Glance Adaptive - Keeps up with changing systems and data formats New Devices Collection Target: Windows/Linux/Unix Server, Application Log, Security Device, Network Device, Solution Collection Method: FTP, syslog, SNMP, TCP/UDP, Socket, Shell Script, Windows WMI, Registry, Network Flow Agent : agent and agentless methods are both supported SIEM DDoS Windows Registry Syslog Event Log Shell Script Active Directory File System Changes in Infrastructure Linux/Unix Virtualization Application Database Network Solutions Hyperviser Guest OS Cloud Web Logs Tables Log4J,JMS,JMX Schemas.NET events Audit/Query App Logs Syslog SNMP DLP, DRM Vulnerability CRM, DW Network Flow sflow Netflow Flexible to additional devices, configuration changes, etc. Easily configurable to adjust to any changes in environment Simple authorization management for managing changes in organization 11

13 3. Medusa At a Glance Big Data Engine - Works with any data without complex adapters Scales to Petabytes Medusa s analytics are run on top of a powerful big data engine that can scale from one server to thousands to support collection of data of any size. Deployment and management of the system is fast and easy allowing administrators to get going quickly and start exploring their data. Fast Analytics Medusa s big data engine uses many established paradigms such as Map Reduce and Bloom filters, as well as caching and storing summary data to provide quick, responsive dashboards. Users can browse and drilldown through petabytes of data for truly end-to-end analysis. 12

14 3. Medusa At a Glance Service Oriented - Targeted for the service providers (customer portal) Service Portal Customers can log into the system themselves and see dashboards that are customized for their services so that they can monitor and receive their own alerts. User Management Users can be registered and given authority as an Admin, Group or Customer over their specific domain. Reporting Total, Protocol, TCP Destination Port, UDP Destination Port, TCP Flag and Source IP Top 10 over the last day, week and month are provided by customer. Personalized GUI Customers can tune the UI to their needs to view the metrics that they need in the context that they choose. 13

15 3. Medusa At a Glance Intuitive Dashboard - Patented UX technology for text, image and video Event & Information (Alert, Data, Graph, Chart..) Map (Google Map, ammap and user specific map) Image (CAD, JPEG, TIFF, Illustrator, Photoshop...) Video (CCTV, Streaming) No matter how many CCTV in there. Console (Desktop remote access with control.) 14

16 3. Medusa At a Glance Medusa Use Case Medusa for Global standard SIEM Medusa collect the data the former SIEM doesn t support Medusa is not just SIEM. I can do much much more. Event collect from 13 global branches Real-time correlate with Arbor, FireEye, FW, Web & Network events Medusa for DDoS Protection System Detection per minute (since 2003) Handled with 300G+ traffic simultaneously Combined with Full Packet Capturing technologies (pcap) ACL/BGP Provisioning Planning for Big Data handling now Global Security Operation Center Managing entire SAMSUNG branch office In World wide Central Security Operation Center KT DDoS Detection/Analysis/Provisioning System Medusa replace traditional SIEM Medusa for DDoS 15

17 4. Medusa Overview System Architecture Traffic Monitoring Packet Inspection DDoS Detection Event Analysis Universal Correlation Incident Management Report/Statistics Compliances Security Administrator Medusa Application Server Universal Analyzer Collect Server ISP/IDC Network Server Status (cpu,memory) Malware Virus Information Vulnerability Scan Report Access Event Intrusion Event Access Control Event Contents Inspection Data sflow Server Anti-Virus Vulnerability Scan VPN IDS/IPS Firewall Packet Inspection Flow generator Various Types of Security Event Sources 16

18 4. Medusa Overview Key Features Network Protection End User Protection Access Protection Security Compliance Consolidate Anti-DDoS & SIEM Security Event Collect/Analysis functions are fully integrated with Network Monitoring & DDoS Protection functions. No Scheme, No Parser Incident Manage It is not required scheme and parser to index events data in Medusa system. Indexer of Medusa can index any format of log data without additional parser or scheme. No RDBMS required Correlation To collect the security events, and to store the indexed data, additional RDBMS is not required in Medusa system. Unlimited Extensible Indexer Security Events DDoS Detection Universal Indexing Flow Data Medusa Indexer can be configured in the distributed environment. If the indexed volume of events is increased by time, User can configure the additional index nodes in real-time without downtime. Medusa can index the event data from MB to PB per day. Integrated Security Management Platform 17

19 4. Medusa Overview Layered Structure MEDUSA SYSTEM MEDUSA Integrated Dashboard (INNOWATCH) Apps DDoS Detection ( UTTM/dmz ) Security Information Correlation Manager Security Event Manager ( SEM ) Cloud Proxy Manager Contents Analysis ( fdpi ) MEDUSA (SIEM) MEDUSA(DDoS) BigData Engine Analyzer Universal Analyzer Cloud Proxy Flexible DPI Collection Flow Collector Log/Data Collector State Collector Contents Collector sflow Syslog Log File Health Check Contents Data Meta-Data Sources Flow Generator (UX-FX-100,1000) Log Forwarder Cloud Proxy Server ( CQCloud cproxy ) Deep Packet Inspect ion (fdpi ) 18

20 5. Benefits Be a Managed Security Service Provider with best-breed Next-Generation Security Platform Highly Scalable (License Model), Flexible, Available Real On-Demand and fully customized solution Differentiated(fastest) Anti-DDoS solution with Price competitiveness Minimum Initial Investment Quick ROI (Pay per Use Licensing) 19

21 6. Implementation System Sizing Recommendation # of customers Flow Data / day (1) # of Collector Local Storage Indexer Storage (2) Collector Server MB 1 ( 4 thread ) 300 GB 1 TB, 1 indexer MB 2 ( 8 thread ) 600 GB 2 TB, 1 indexer GB 3 ( 12 thread ) 1 TB 3 TB, 2 indexer GB 4 ( 16 thread ) 2 TB 5 TB, 2 indexer Indexer # of customers Events / seconds (3) # of indexer # of Application Servers concurrent user (4) & Application Server 10 10,000 1, shared (5) N/A , , , ) CQCloud UX-FX 100/1000 Flow Generator support packet sampling rate. In this case 100:1 sampling is applied. And flow aggregation period is configured 1 minute. ( Collector server can reduce the flow aggregation period to 10 seconds. For this case, flow data volume will be increased ) 2) Flow data collected in the collector server will be send to the indexer. So additional indexer s storage required. Medusa system is more affected by the volume of events, rather than counts of events. For the case of 10 customers, 1 GB events can be indexed per day by default. Concurrent user means the number of medusa operators who are connected application server at the same time. For the small systems, Medusa application can running on the indexer. In this case, additional application server not required. 20

22 6. Implementation H/W Recommendation Collector Sever Indexer Application Server Operating System Standard Linux x 64 (kernel 2.6) (2) ( recommend CentOS 5.x ) CPU Intel based x64 4 Core x GHz over Intel based x64 4 Core x GHz over Intel based x64 4 Core x GHz over Memory 16 GB 16 GB 8 GB HDD Logical 600 GB SAS 10k rpm RAID 0 Logical 1.2 TB over SAS 10k rpm RAID 1/ I/O operation/sec Logical 600 GB SAS 10k rpm RAID 0 NIC Standard 1 GB Ethernet, Optional 2 nd NIC for management 1) In the sizing recommendation described previous page, this recommended servers are applied. 2) This is only recommendation. Medusa system can running on the various operating systems, such as, Solaris, HP/UX, AIX, and Windo ws Server. 21

23 Medusa System Framework Layer Function Contents Role Presentation Dashboard (workflow) Network Traffic Event Insight Incident Report Logs Sur. Event Security Customer Portal (Access control) SoC & NoC Situation Room Views (Functions) Traffic DDoS Event Incident Posture Access Forensic Operator (CQCloud & ISP/IDC) Operation Rule (Search) Traffic Monitoring Event Correlation DDoS Detection Incident Mgmt. Event Analysis Custom rules Operator (CQCloud) Solution Normalize (Modeling) Index Collect Universal Indexer, Traffic Analyzer Universal Collector Flow Collector Administrator (CQCloud) Infra (Sources) ISP/IDC Network Infra Srr Security Network Customer ISP/IDC 22

24 We Create the Secure Cloud World Thank You!