- Q: What is the primary architectural advantage of 'OpenSOC' compared to traditional SIEMs?
  A: It leverages a 'Big Data' architecture (Hadoop/Kafka/Storm) to separate storage from processing, allowing for horizontal scalability.
- Q: What specific technology is used for the real-time message bus in OpenSOC?
  A: Apache Kafka.
- Q: How does OpenSOC handle the 'Enrichment' of telemetry data?
  A: It uses a real-time streaming topology (likely Storm) to tag data with geo-location, threat intel, and asset information before it is stored.
- Q: What is the 'Analytics Pipeline' described in the presentation?
  A: Ingest -> Parse/Normalize -> Enrich -> Store -> Analyze -> Alert.
- Q: What is the role of 'HBase' in the OpenSOC architecture?
  A: It serves as the long-term, scalable storage layer for the processed events, allowing for random read/write access.
- Q: How does OpenSOC address the issue of 'Vendor Lock-in'?
  A: By being built entirely on open-source technologies (Apache stack), allowing organizations to modify and extend the code without vendor dependencies.
- Q: What is the 'Telemetry' requirement for effective analytics?
  A: Full packet capture (PCAP) combined with rich metadata (NetFlow/IPFIX) and endpoint logs.
- Q: What is the recommended approach for 'Data Aging' in this big data model?
  A: Using a tiered storage approach: hot data in memory/SSD for immediate analysis, warm data in HBase, and cold data in HDFS archives.
- Q: What are 'Probabilistic Data Structures' used for in OpenSOC?
  A: To perform high-speed cardinality estimation (e.g., counting unique IPs) on massive data streams with a minimal memory footprint.
- Q: What is the goal of the 'Visualization' layer in OpenSOC?
  A: To provide analysts with a flexible interface (like Kibana) to query and visualize data without needing to write MapReduce jobs.