In Part 3 of the Apache Metron announcement series, Apache Metron Tech Preview 1 – Come and Get it!, we outlined the new features and enhancements in the Apache Metron 0.1 release. We then demonstrated how to deploy it on a single-node VM using Vagrant, and how to do a cloud-based install of a complete 10-node Metron cluster using Ambari blueprints and the AWS APIs.
Now that you have a full application for cyber security monitoring, analysis, and threat detection, how do you proceed? Read on!
After running the installer, you should have access to the Metron UI. The UI looks like this:
Metron provides a Kibana-based UI designed to be a single pane of glass. It takes a big data approach (all the data is available at the same time) to filter through the noise and display the information, alerts, and context an analyst or investigator needs on a single panel. The Metron UI has several advantages over conventional SIEM tools; the difference lies in its flexibility and extensibility.
Apache Metron helps you find the needle in the haystack (which is what forecasting a breach is like), together with the context around it. The data is presented cohesively, with all the metadata on the same screen, so the analyst does not have to jump from console to console trying to piece together the right information.
More details on the Metron UI can be found in the following HCC article: Metron UI – Explained
Finding the Needle in the Haystack Use Case
What are the “needle” and the “haystack”? The haystack is the millions of telemetry events that Metron has ingested, parsed, enriched and analyzed. These events come from a variety of telemetry sources, and on top of them security devices and Metron itself emit hundreds of alerts. The needle is the handful of critical alerts, and the telemetry related to them, that warrant immediate investigation.
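As an added illustration of the triage described above (example code written for this page, not code from the Apache Metron project or the post's authors): a small Python script that parses constructed Metron-style JSON telemetry, applies a hypothetical threat-intel enrichment, scores the resulting alerts per source host, and pulls the surrounding telemetry for the top-ranked host so that alert and context land together, the way the UI shows them. The field names (ip_src_addr, ip_dst_addr, source.type, timestamp, is_alert, sig_priority) follow Metron's common flat schema; the IOC list, the scoring weights and the sample events are assumptions made up for the example.

```python
"""Toy 'needle in the haystack' triage over Metron-style telemetry.

Added example, not code from Apache Metron or the post's authors. The IOC
list, scoring weights and sample events are constructed for illustration.
"""
import json
from collections import defaultdict

# Constructed threat-intel list (hypothetical IOC, not real data).
THREAT_INTEL_IPS = {"203.0.113.7"}

# Constructed sample telemetry, one JSON object per line, using Metron's
# common field names. Only the fields the code below reads are populated.
SAMPLE_TELEMETRY = """\
{"source.type":"bro","timestamp":1000,"ip_src_addr":"10.0.0.5","ip_dst_addr":"93.184.216.34","ip_dst_port":443,"protocol":"tcp"}
{"source.type":"yaf","timestamp":1001,"ip_src_addr":"10.0.0.5","ip_dst_addr":"203.0.113.7","ip_dst_port":4444,"protocol":"tcp"}
{"source.type":"snort","timestamp":1002,"ip_src_addr":"10.0.0.5","ip_dst_addr":"203.0.113.7","ip_dst_port":4444,"protocol":"tcp","is_alert":"true","sig_priority":1,"msg":"constructed: outbound shell"}
{"source.type":"bro","timestamp":1003,"ip_src_addr":"10.0.0.9","ip_dst_addr":"93.184.216.34","ip_dst_port":80,"protocol":"tcp"}
{"source.type":"snort","timestamp":1004,"ip_src_addr":"10.0.0.9","ip_dst_addr":"93.184.216.34","ip_dst_port":80,"protocol":"tcp","is_alert":"true","sig_priority":3,"msg":"constructed: policy notice"}
{"source.type":"bro","timestamp":1050,"ip_src_addr":"10.0.0.5","ip_dst_addr":"93.184.216.34","ip_dst_port":443,"protocol":"tcp"}
"""


def parse_telemetry(text):
    """Parse one JSON object per line; skip blank lines, drop malformed ones."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real pipeline would route this to an error topic
    return events


def enrich(events, intel=THREAT_INTEL_IPS):
    """Threat-intel enrichment: a hit on ip_dst_addr marks the event as an alert."""
    out = []
    for e in events:
        e = dict(e)
        if e.get("ip_dst_addr") in intel:
            e["threatintel_hit"] = True
            e["is_alert"] = "true"
        out.append(e)
    return out


def alert_score(e):
    """Higher is worse (weights are assumptions). Intel hits dominate; IDS priority 1 beats 3."""
    score = 0
    if e.get("threatintel_hit"):
        score += 10
    if e.get("is_alert") == "true" and "sig_priority" in e:
        score += max(0, 4 - int(e["sig_priority"]))  # priority 1 -> 3 points
    return score


def find_needles(events, window=5, top=1):
    """Group alerts by source host, attach non-alert telemetry within +/-window
    seconds of any alert as context, and return the top-scoring hosts."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.get("ip_src_addr")].append(e)
    needles = []
    for host, evs in by_host.items():
        alerts = [e for e in evs if e.get("is_alert") == "true"]
        if not alerts:
            continue  # pure haystack: no alert on this host
        score = sum(alert_score(a) for a in alerts)
        context = [
            e for e in evs
            if e.get("is_alert") != "true"
            and any(abs(e["timestamp"] - a["timestamp"]) <= window for a in alerts)
        ]
        needles.append({"host": host, "score": score, "alerts": alerts, "context": context})
    needles.sort(key=lambda n: n["score"], reverse=True)
    return needles[:top]


if __name__ == "__main__":
    for n in find_needles(enrich(parse_telemetry(SAMPLE_TELEMETRY)), top=2):
        print(n["host"], "score", n["score"], len(n["alerts"]), "alerts,",
              len(n["context"]), "context events")
```

Run as-is, the script ranks 10.0.0.5 first: its IDS alert and the flow to the listed IOC reinforce each other, and the Bro connection one second earlier comes along as context, while the later flow at timestamp 1050 falls outside the window and stays in the haystack. The low-priority notice on 10.0.0.9 is still surfaced, but ranked well below.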
The following is an example of a “finding the needle in the haystack” Apache Metron use case:
More Details on HCC
To get more details on the Metron UI and use cases, continue to the following article in the Hortonworks Community Connection: Finding a Needle in the Haystack.
Apache Metron and the Metron logo are trademarks of the Apache Software Foundation. All other trademarks are the property of their respective owners.
Apache Metron is an effort undergoing incubation at The Apache Software Foundation (ASF), sponsored by the Apache Incubator PMC. For more information, please visit https://metron.incubator.apache.org/
About the Authors
Bio: George Vetticaden is a Principal Architect at Hortonworks, Senior Product Owner/Manager for Metron/CyberSecurity, and a committer on the Apache Metron project. Over the last 4 years at Hortonworks, George has spent time in the field with enterprise customers helping them build big data solutions on top of Hadoop. In his previous role at Hortonworks, George was the Director of Solutions Engineering, where he led a team of 15 Big Data Senior Solution Architects helping large enterprise customers from use case inception, design and architecture through to implementation of use cases monetizing data with Hadoop. George graduated from Trinity University with a BA in Computer Science.
(LinkedIn Profile: https://www.linkedin.com/in/georgevetticaden)
Bio: James Sirota is Director of Security Solutions at Hortonworks and a committer on the Apache Metron project. Previously James was the Chief Data Scientist at Cisco, focused on Big Data security analytics, and spearheaded OpenSOC. His primary expertise is in the design and implementation of Big Data platforms on top of Hadoop, MapReduce, YARN, Storm, Kafka, Elasticsearch and Flume. James holds a Data Science degree and a Master’s in Computer Engineering, and is a licensed information security professional.
(LinkedIn Profile: https://www.linkedin.com/in/jsirota)