Cisco announced today that it has made available through open source a framework that integrates data analytics tools into security operations.
“The OpenSOC framework helps organizations make big data part of their technical security strategy by providing a platform for the application of anomaly detection and incident forensics to the data loss problem,” wrote Pablo Salazar, a Cisco Security Solutions manager in a blog post this morning.
OpenSOC is built on components from the Hadoop ecosystem, the open source stack for storing and processing large collections of distributed data. Those components include Apache Kafka, a message broker; Apache Storm, a real-time stream computation system; and Elasticsearch, a search engine for indexing and querying large data sets.
On top of those components, OpenSOC provides full-packet capture indexing and storage, data enrichment, stream and batch processing, real-time search, telemetry aggregation, and an analyst-facing interface for responding to incidents as they occur.
Salazar said OpenSOC will allow organizations to capture, store and normalize security telemetry at high rates, and then forward that data to processors where analytics are performed.
“It provides visibility and the information required for successful investigation, remediation, and forensic work,” Salazar said.
OpenSOC can also enrich incoming telemetry by correlating it with threat feeds and other intelligence sources, as well as with DNS and geolocation data.
“The immediate application of this information to incoming telemetry provides the greater context and situational awareness critical for detailed and timely investigations,” Salazar said.
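The enrichment step described above, as an added illustration rather than OpenSOC's own code: a small stream-processing pipeline that normalizes raw telemetry lines into one schema, looks up the destination in a threat feed, a passive-DNS map and a geolocation table, and raises an alert when an indicator matches. The feeds, the two telemetry formats and the sample events are all constructed for the example; a real deployment would source them from Kafka topics and external feeds.

```python
"""Telemetry normalization and enrichment sketch (constructed example).

Not OpenSOC code. Feeds, sample events and field names are assumptions
made for the illustration; they stand in for Kafka topics and live feeds.
"""
import json

# Constructed threat feed: indicator (IP or hostname) -> (source, description)
THREAT_FEED = {
    "203.0.113.7": ("feed-a", "known C2 host"),
    "bad.example.net": ("feed-b", "phishing domain"),
}

# Constructed passive-DNS map: ip -> most recently observed hostname
DNS_MAP = {
    "203.0.113.7": "bad.example.net",
    "198.51.100.20": "cdn.example.org",
}

# Constructed geolocation table keyed by /24 prefix: prefix -> (country, asn)
GEO_BY_PREFIX = {
    "203.0.113": ("XX", "AS64500"),
    "198.51.100": ("NL", "AS64501"),
}


def parse_event(raw: str) -> dict:
    """Normalize one telemetry line into a common schema.

    Accepts two constructed input formats: a JSON object with src_ip/dst_ip/
    dst_port/bytes, or a flow-style key=value line such as
    'src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=1200'.
    """
    raw = raw.strip()
    if raw.startswith("{"):
        rec = json.loads(raw)
    else:
        rec = dict(kv.split("=", 1) for kv in raw.split())
    return {
        "src_ip": rec.get("src") or rec.get("src_ip"),
        "dst_ip": rec.get("dst") or rec.get("dst_ip"),
        "dst_port": int(rec.get("dport") or rec.get("dst_port") or 0),
        "bytes": int(rec.get("bytes") or 0),
    }


def enrich(event: dict) -> dict:
    """Attach DNS, geolocation and threat-intel context for the destination."""
    dst = event["dst_ip"] or ""
    prefix = ".".join(dst.split(".")[:3])
    out = dict(event)
    out["dst_host"] = DNS_MAP.get(dst)
    out["dst_country"], out["dst_asn"] = GEO_BY_PREFIX.get(prefix, (None, None))
    # Check both the raw IP and the resolved hostname against the feed, so a
    # hit on either indicator type surfaces in the same event.
    hits = []
    for indicator in (dst, out["dst_host"]):
        if indicator in THREAT_FEED:
            source, desc = THREAT_FEED[indicator]
            hits.append({"indicator": indicator, "source": source, "desc": desc})
    out["threat_hits"] = hits
    return out


def process(lines):
    """Run parse -> enrich over raw lines; return (enriched_events, alerts)."""
    enriched, alerts = [], []
    for line in lines:
        if not line.strip():
            continue  # skip blank records rather than failing the stream
        ev = enrich(parse_event(line))
        enriched.append(ev)
        if ev["threat_hits"]:
            summary = (f"{ev['src_ip']} -> {ev['dst_ip']}:{ev['dst_port']} "
                       f"matched {len(ev['threat_hits'])} indicator(s)")
            alerts.append({"summary": summary, "event": ev})
    return enriched, alerts


# Constructed sample telemetry: one flow line, one JSON record, one blank line.
SAMPLE_TELEMETRY = [
    "src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=1200",
    '{"src_ip": "10.0.0.9", "dst_ip": "198.51.100.20", "dst_port": 80, "bytes": 5400}',
    "",
]

if __name__ == "__main__":
    events, alerts = process(SAMPLE_TELEMETRY)
    for a in alerts:
        print(a["summary"], json.dumps(a["event"]["threat_hits"]))
```

The point of normalizing before enriching is that every downstream lookup and alert rule works against one schema regardless of which sensor produced the record; adding a new telemetry source then means adding a parser branch, not a new set of rules.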
For analysts, OpenSOC provides alert summaries that include threat information, along with advanced packet search, without having to move between multiple tools.
“When we built OpenSOC, one of our goals was to bring all of these pieces together into a single platform,” Salazar said. “Analysts can use a single tool to navigate data with narrowed focus instead of wasting precious time trying to make sense of mountains of unstructured data.”
The framework can be customized for a given security organization and its network, Cisco said.
“It can be tailored to ingest and view any type of telemetry, whether it is for specialized medical equipment or custom-built point of sale devices,” Salazar said. “By leveraging Hadoop, OpenSOC also has the foundational building blocks to horizontally scale the amount of data it collects, stores, and analyzes based on the needs of the network.”