|By Gorka Sadowski||
|January 10, 2012 06:00 AM EST||
Performance Tolls - Why you cannot correlate 100% of your logs...?
Compounding the combinatory explosion in the number of static-based correlation rules, it is impossible to correlate 100% of all your logs, it is just too expensive and not practical. Read on...
A correlation engine works really hard, even when dealing with a limited set of scenarios:
- Each scenario requires lots of rules and exceptions, and most of these rules need to be interpreted further as dozen, if not hundred of simple checks and tests. For example, you may want to flag loops with a simple rule such as "IP Origin" = "IP Destination". If you have 1 000 logs this means that for each log you need to do 1 000 tests. Imagine having a million logs, a trillion logs, which is not uncommon on a medium sized infrastructure over a couple days.
- Each scenario requires state information to be kept and managed for hours, or even days. For example, you may want to be alerted if A happens then within 1 day B happens and then within 1 day C happens. This means that lots of state information needs to be kept over a 2-day span, the engine is constantly monitoring for A to happen, then as soon as A happens the engine starts the clock and monitors for B, and if B happens within that day then a new countdown starts to look for C, all the meanwhile also constantly monitoring for A so as to start a new A then B then C condition... If A happens a lot, and B also happens frequently after A then the engine will need to store lots of A then B state information while monitoring for all the required C.
- Extremely powerful servers needed to run these rules and their corresponding "if then else" tests and checks when there are lots of logs.
- Vast amounts of temporary memory needed to keep state information in memory and speed up processing while avoiding swapping to disks.
So the correlation engine needs to be fed very carefully, don't give it more than what it can chew or it will essentially run out of resources and die.
Knowing which logs need to be part of scope is an important part of tuning a correlation engine.
No, you cannot ask your correlation solution to manage all of your logs. It's not designed for that. Managing only the most critical ones is already a daunting task for it.
Correlation load for one simple correlation rule over one hour
As an example, let's have a closer look at Attack Scenario 1 - Identity Theft that we elaborated on, and put a threshold of 1 hour for flagging Identity Theft.
Assumptions - at that time, we have:
o 5 logins/sec average from local logins
o 5 logins/sec average from VPN logins
o 1 000 events/sec average total infrastructure
o Logs kept for a total of 1 week - for reporting etc.
Total data space of 1000*3600*24*7 = 604 800 000 events
For each local login event - which is 5 times per second
o Look in the VPN login events - for the past 3600 seconds - and check if that same person logged in through VPN
Total data space of 3600*5 = 18 000 events VPN logins
Total of 18 000 * 5 = 90 000 checks per second
Size of that 1 hour data space in which to perform the 90 000 checks
o 1000 events/sec * 3600 = 3 600 000 events
So, for this one correlation rule:
- Among the 604 million records total for the past week
- Among the 3.6 million records for the past hour
- The Correlation Engine needs to perform:
90 000 database reads and checks per second
While at the same time doing 1000 record writes and inserts per second
- And at the same time, continue collecting, parsing and normalizing, reporting, alerting, "signing of logs", housekeeping and allowing users to log in and use the tool etc etc...
Correlation load for one complex global rule over one day
Imagine now a complex correlation rule that requires the engine to look 100 times per second, and to do this over the full 1-day sliding window.
The assumptions are then:
- Full data space
Same 1 week = 604 800 000 events
- One-day sliding window data space
1000 * 3600 * 24 = 86 400 000 events
- For each correlation rule, we are doing
Number of tests = 100 times per second, look into each record in the 1-day sliding window data space
100 * 86 400 000 = 8 640 000 000 tests per second
That's 8 billion reads per second!!!
Sure you can use tricks and shortcuts to avoid doing all the 8 billion checks, but that gives an idea of the searching power required... for this 1 scenario!!!
Imagine having to enrich this 1 correlation rule with geolocalization information, or somehow putting a dynamic dimension to it.
Imagine having 100's or 1000's of correlation rules, what would be the impact on number of database reads and load?
This is just not practical, and you cannot always solve this problem by throwing more hardware at it.
Did you know that APT attacks can last weeks and months? Stay tuned for what this means for static rule based correlation...
DevOps at Cloud Expo, taking place Nov 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 19th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long dev...
Sep. 30, 2016 04:00 PM EDT Reads: 3,572
IoT offers a value of almost $4 trillion to the manufacturing industry through platforms that can improve margins, optimize operations & drive high performance work teams. By using IoT technologies as a foundation, manufacturing customers are integrating worker safety with manufacturing systems, driving deep collaboration and utilizing analytics to exponentially increased per-unit margins. However, as Benoit Lheureux, the VP for Research at Gartner points out, “IoT project implementers often ...
Sep. 30, 2016 03:45 PM EDT Reads: 3,656
Why do your mobile transformations need to happen today? Mobile is the strategy that enterprise transformation centers on to drive customer engagement. In his general session at @ThingsExpo, Roger Woods, Director, Mobile Product & Strategy – Adobe Marketing Cloud, covered key IoT and mobile trends that are forcing mobile transformation, key components of a solid mobile strategy and explored how brands are effectively driving mobile change throughout the enterprise.
Sep. 30, 2016 03:30 PM EDT Reads: 347
Businesses are struggling to manage the information flow and interactions between all of these new devices and things jumping on their network, and the apps and IT systems they control. The data businesses gather is only helpful if they can do something with it. In his session at @ThingsExpo, Chris Witeck, Principal Technology Strategist at Citrix, will discuss how different the impact of IoT will be for large businesses, expanding how IoT will allow large organizations to make their legacy ap...
Sep. 30, 2016 03:00 PM EDT Reads: 545
Video experiences should be unique and exciting! But that doesn’t mean you need to patch all the pieces yourself. Users demand rich and engaging experiences and new ways to connect with you. But creating robust video applications at scale can be complicated, time-consuming and expensive. In his session at @ThingsExpo, Zohar Babin, Vice President of Platform, Ecosystem and Community at Kaltura, will discuss how VPaaS enables you to move fast, creating scalable video experiences that reach your ...
Sep. 30, 2016 03:00 PM EDT Reads: 1,234
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life sett...
Sep. 30, 2016 03:00 PM EDT Reads: 3,663
In his session at @ThingsExpo, Kausik Sridharabalan, founder and CTO of Pulzze Systems, Inc., will focus on key challenges in building an Internet of Things solution infrastructure. He will shed light on efficient ways of defining interactions within IoT solutions, leading to cost and time reduction. He will also introduce ways to handle data and how one can develop IoT solutions that are lean, flexible and configurable, thus making IoT infrastructure agile and scalable.
Sep. 30, 2016 03:00 PM EDT Reads: 1,652
SYS-CON Events announced today that Bsquare has been named “Silver Sponsor” of SYS-CON's @ThingsExpo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. For more than two decades, Bsquare has helped its customers extract business value from a broad array of physical assets by making them intelligent, connecting them, and using the data they generate to optimize business processes.
Sep. 30, 2016 03:00 PM EDT Reads: 3,012
In this strange new world where more and more power is drawn from business technology, companies are effectively straddling two paths on the road to innovation and transformation into digital enterprises. The first path is the heritage trail – with “legacy” technology forming the background. Here, extant technologies are transformed by core IT teams to provide more API-driven approaches. Legacy systems can restrict companies that are transitioning into digital enterprises. To truly become a lea...
Sep. 30, 2016 02:45 PM EDT Reads: 651
24Notion is full-service global creative digital marketing, technology and lifestyle agency that combines strategic ideas with customized tactical execution. With a broad understand of the art of traditional marketing, new media, communications and social influence, 24Notion uniquely understands how to connect your brand strategy with the right consumer. 24Notion ranked #12 on Corporate Social Responsibility - Book of List.
Sep. 30, 2016 02:30 PM EDT Reads: 353
Just over a week ago I received a long and loud sustained applause for a presentation I delivered at this year’s Cloud Expo in Santa Clara. I was extremely pleased with the turnout and had some very good conversations with many of the attendees. Over the next few days I had many more meaningful conversations and was not only happy with the results but also learned a few new things. Here is everything I learned in those three days distilled into three short points.
Sep. 30, 2016 02:30 PM EDT Reads: 5,253
There are several IoTs: the Industrial Internet, Consumer Wearables, Wearables and Healthcare, Supply Chains, and the movement toward Smart Grids, Cities, Regions, and Nations. There are competing communications standards every step of the way, a bewildering array of sensors and devices, and an entire world of competing data analytics platforms. To some this appears to be chaos. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, Bradley Holt, Developer Advocate a...
Sep. 30, 2016 02:30 PM EDT Reads: 2,465
The vision of a connected smart home is becoming reality with the application of integrated wireless technologies in devices and appliances. The use of standardized and TCP/IP networked wireless technologies in line-powered and battery operated sensors and controls has led to the adoption of radios in the 2.4GHz band, including Wi-Fi, BT/BLE and 802.15.4 applied ZigBee and Thread. This is driving the need for robust wireless coexistence for multiple radios to ensure throughput performance and th...
Sep. 30, 2016 02:15 PM EDT Reads: 1,726
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
Sep. 30, 2016 02:15 PM EDT Reads: 1,161
Major trends and emerging technologies – from virtual reality and IoT, to Big Data and algorithms – are helping organizations innovate in the digital era. However, to create real business value, IT must think beyond the ‘what’ of digital transformation to the ‘how’ to harness emerging trends, innovation and disruption. Architecture is the key that underpins and ties all these efforts together. In the digital age, it’s important to invest in architecture, extend the enterprise footprint to the cl...
Sep. 30, 2016 02:15 PM EDT Reads: 726
If you had a chance to enter on the ground level of the largest e-commerce market in the world – would you? China is the world’s most populated country with the second largest economy and the world’s fastest growing market. It is estimated that by 2018 the Chinese market will be reaching over $30 billion in gaming revenue alone. Admittedly for a foreign company, doing business in China can be challenging. Often changing laws, administrative regulations and the often inscrutable Chinese Interne...
Sep. 30, 2016 01:45 PM EDT Reads: 579
Adobe is changing the world though digital experiences. Adobe helps customers develop and deliver high-impact experiences that differentiate brands, build loyalty, and drive revenue across every screen, including smartphones, computers, tablets and TVs. Adobe content solutions are used daily by millions of companies worldwide-from publishers and broadcasters, to enterprises, marketing agencies and household-name brands. Building on its established design leadership, Adobe enables customers not o...
Sep. 30, 2016 01:15 PM EDT Reads: 361
Internet of @ThingsExpo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 19th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devices - comp...
Sep. 30, 2016 01:15 PM EDT Reads: 5,164
Information technology is an industry that has always experienced change, and the dramatic change sweeping across the industry today could not be truthfully described as the first time we've seen such widespread change impacting customer investments. However, the rate of the change, and the potential outcomes from today's digital transformation has the distinct potential to separate the industry into two camps: Organizations that see the change coming, embrace it, and successful leverage it; and...
Sep. 30, 2016 01:15 PM EDT Reads: 1,287
Cloud computing is being adopted in one form or another by 94% of enterprises today. Tens of billions of new devices are being connected to The Internet of Things. And Big Data is driving this bus. An exponential increase is expected in the amount of information being processed, managed, analyzed, and acted upon by enterprise IT. This amazing is not part of some distant future - it is happening today. One report shows a 650% increase in enterprise data by 2020. Other estimates are even higher....
Sep. 30, 2016 01:00 PM EDT Reads: 4,238