Apache Metron

OVERVIEW

Real-Time Big Data Enabled Cybersecurity Analytics

Apache Metron is a big data cybersecurity application framework that enables a single view of diverse, streaming security data at scale to aid security operations centers in rapidly detecting and responding to threats.

What Apache Metron Does

Apache Metron is a streaming analytics application that makes it faster and easier for security operations personnel to do their job. It is a next generation SOC (security operations center) data analytics and response application that integrates a variety of open source big data technologies into a centralized tool for security monitoring and analysis.

It provides the ability to ingest, process and store diverse data feeds at scale, including security data feeds, logs and network metadata, with capabilities for log aggregation, full packet capture indexing and storage, advanced behavioral analytics and data enrichment, while applying the most current threat-intelligence information to security telemetry within a single platform.

Apache Metron Overview

Apache Metron consists of 4 key capabilities:

  1. Security Data Lake: a cost-effective way to store and combine a wide range of business data with security data… enriched telemetry and PCAP data for long periods of time. This data lake provides the corpus of data that powers discovery analytics and provides a mechanism to search and query for operational analytics.
  2. Pluggable Framework: provides a rich set of parsers for common security data sources (pcap, NetFlow, Bro, Snort, FireEye, Sourcefire) and a pluggable framework to add custom parsers for new data sources, add new enrichment services that give more context to the raw streaming data, plug in extensions for threat-intel feeds, and customize the security dashboards. Machine learning and other models can also be plugged into the real-time streams, providing huge extensibility. For example, custom functionality to transform data can easily be added with built-in scripting and user-defined functions.
  3. Threat Detection Platform: based on machine learning algorithms and anomaly detection that can be applied in real time as events stream in.
  4. Incident Response Application: an evolution of SIEM capabilities (alerting, threat-intel framework, agents to ingest data sources) that also includes packet replay utilities, an evidence store and hunting services commonly used by SOC analysts.

Metron’s Benefits to Cybersecurity Personnel

Metron provides the ability to ingest, correlate and store massive amounts of operational and cyber data in a single platform to identify and triage anomalies, benefiting all SOC personnel.

| Role | Benefit | What Metron Provides |
| --- | --- | --- |
| CIO/CISO | Single view of risk; improved risk mitigation; proactive risk strategies | A single lens through which all enterprise data can be correlated, inclusive of security, network and telemetry data, as well as business sources such as HR, finance, etc. |
| Security Engineering | Security processes and tools with a maintainable lifecycle | An integrated solution that enables efficiency by combining multiple point tools into a single one |
| Security Architecture | Ensure the architecture enables security by preventing threats | An integrated cybersecurity architecture |
| SOC Analyst | Increased proficiency and efficacy | Saves months of time typically spent looking at hundreds of thousands of alerts created by noisy rules and signatures |
| SOC Investigator | Removes many steps a traditional SOC environment requires to investigate more complicated attacks like APTs | Enriches and correlates enterprise data sources to produce real-time cybersecurity-related events and alerts; automatically finds and correlates relevant data and can identify and act upon the unknown; after gaining access to internal user context, hackers no longer appear as normal users on the network |
| SOC Manager | Easier to assign Metron cases to analysts; verifies “completed” Metron cases | Automatically creates incidents and cases through integration with workflow and management systems |
| Forensic Investigator | Reduces the time lag associated with current big data ingest solutions, transforming detection and response to cyber-attack from 8 months to days, or even minutes | “Just in time evidence collection response” transforms and transports data in real time on a massive scale before cybersecurity data is lost or becomes irrelevant |
| Security Platform Engineer | Streamlined operations and efficient maintenance of cybersecurity tool(s) | Single platform to manage and operate the ingestion, processing and interaction of cyber-related data for enterprise locations and critical assets |
| Security Data Scientist | Easier way to search, hunt and perform data science lifecycle activities | The analytics, exposed via a model-as-a-service architecture, considerably simplify feature engineering, perhaps the most complex aspect of analytics |
