Sinfonier: Storm Builder for Security Intelligence

Upload: leonardo-amor

Post on 12-Apr-2017

Fran Gomez @ffranz, Leonardo Amor @LeoAmorV

“Connecting information, delivering intelligence”

Telefonica Group

• 21 countries
• >340m customers
• 120,000 employees
• 50,377m income

Our Employees

• Mostly: telco engineers, computer science, engineers, …, science or scientist people

But there is also space for:

• Lawyers
• Business administration
• Economist
• Psychologist
• Philologist

Diversity

Ideas explosion

• Unfortunately, not everyone knows how to code yet
• Fortunately, schools are getting it more every day: it should be one more basic class

But… why do we need to code?

June 2015 cover
• Hot topic
• Around 2020: a workforce of digital natives

How are we introducing code to our kids?

The need for visual coding

Big Data

Data Visualization

Real Time Processing

“Apache Storm is a free and open source distributed real time computation system. Storm makes it easy to reliably process unbounded streams of data, doing for realtime processing what Hadoop did for batch processing. Storm is simple, can be used with any programming language, and is a lot of fun to use!”

http://storm.apache.org/

Where used

• Extremely broad set of use cases
• Scalable
• Guarantees no data loss
• Extremely robust
• Fault-tolerant
• Programming language agnostic

Sinfonier

The chiffonnier is a piece of furniture with drawers that appeared under the Régence. It is meant for storing linen. It is most often taller than it is wide and generally has a marble top.

Sinfonier is a change of focus with respect to current solutions for processing information in real time. We combine an easy-to-use, modular and adaptable interface with an advanced technological solution, so that you can do the tuning that your information security needs require.

Sinfonier is born out of cooperation and shared knowledge, where any work can be re-used and the effort goes into improving the processing and collection of the new information that is generated.

Our open project for stream processing

=
• Drag & Drop Interface
• Automatic Deploy API
• Storm Cluster

Visual Programming

Modules

Topologies

[Topology diagram: modules chained as SPOUT → BOLT → BOLT → DRAIN, with several spouts and drains connected.]

Topology life cycle

Canvas: User Tools, Context Info

Advantages

• Collaborative scheme
• Enable automation through actionable intelligence, thanks to a flexible integration framework
• Facilitate generation, enrichment and dissemination of cybersecurity data
• Leverage structured cyber security data output normalization

Some Modules

Adding Knowledge: Modules

• Name: your module name. Must be UpperCamelCase.
• Icon: add an image.
• Entity: in order to catalog it.
• Type: choose your type of module: Spout, Bolt or Drain. It won't be changed.
• Language: Java or Python.
• Code: URL pointing to gist.github.com.
• Description: describe what your module does.
• Fields: declare your parameters.

Sharing information – The need for standards

• TAXII™, the Trusted Automated eXchange of Indicator Information;
• STIX™, the Structured Threat Information eXpression; and
• CybOX™, the Cyber Observable eXpression.

https://www.us-cert.gov/Information-Sharing-Specifications-Cybersecurity

Information Sharing Specifications for Cybersecurity

But what do we really see lately?

Mostly: not standards at all…
• ACNS, Automated Copyright Notice System (ACNS) 2.0
• 20% rejected due to missing information
• ARF, Abuse Reporting Format (RFC 5965)

Time to Play

Mobile Threats

PRODUCTION

MSS

[MSS architecture slide. Labels recovered from the figure: Security Service Portals; Information; Telefónica's proprietary technology; Technology: Global / Local; Big Data Security Analytics: Sinfonier; Threats, Antifraud, Vulnerabilities, Ticketing; Information Security Alerts; Security Web Portals; OB Ticketing Tool; SIEM; Availability Information; Health Supervision; Alerts; Supervision Tool; Saqqara CA/SC; Saqqara RA; Saqqara Broker; Cybersecurity Services / Managed Security Services; Tools, Processes and People; Real Time Processing; Different Presentations: Threat Detection, Antifraud, Vulnerability Management; Global MSS.]

Saqqara Dashboard: real time dashboard with:
• Executive views with critical active incidents and ticketing information
• Full overview of SLA performance and security indicators, continuously available on the web portal
• Configurable dashboards according to user needs
• Document Management System

GRC:
• Legal and regulatory compliance management
• Risk management
• Business process modeling
• Business continuity management
• Configurable dashboards with management metrics and indicators

1. Select data source: Kafka topics saqq-avail, saqq-health-alarm, saqq-ticket, saqq-security-alarm
   • saqq-ticket: Ticket_id, Alarm_id
   • saqq-security-alarm: Alarm_id, Detection date, Notification date
2. Process data: MATCH on Alarm_id; NotificationTime = Notification date - Detection date
3. Produce results: Big Data (Cassandra), Saqqara Dashboard, in real time
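The three-step MSS flow on this slide (read the two saqq-* topics, match on Alarm_id, compute NotificationTime, deliver to the dashboard) written as the spout → bolt → drain chain that the Modules and Topologies slides describe. This is an added example, not Sinfonier or Saqqara code: the messages are constructed, the topics are in-memory lists, and the class and function names are assumptions.

```python
from datetime import datetime
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample messages for the two Kafka topics on the slide; T-1003's alarm never arrives.
TICKETS = [
    {"Ticket_id": "T-1001", "Alarm_id": "A-1"},
    {"Ticket_id": "T-1002", "Alarm_id": "A-2"},
    {"Ticket_id": "T-1003", "Alarm_id": "A-9"},
]
ALARMS = [
    {"Alarm_id": "A-1", "Detectiondate": "2017-04-12T10:00:00", "Notificationdate": "2017-04-12T10:05:30"},
    {"Alarm_id": "A-2", "Detectiondate": "2017-04-12T11:00:00", "Notificationdate": "2017-04-12T11:42:00"},
]

def spout(topic: str) -> Iterator[dict]:
    """Spout: emit one tuple per message of a topic (an in-memory list here)."""
    yield from {"saqq-ticket": TICKETS, "saqq-security-alarm": ALARMS}[topic]

def notification_seconds(alarm: dict) -> float:
    """NotificationTime = Notification date - Detection date, in seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    detected = datetime.strptime(alarm["Detectiondate"], fmt)
    notified = datetime.strptime(alarm["Notificationdate"], fmt)
    return (notified - detected).total_seconds()

class MatchAlarmBolt:
    """Bolt: stream join on Alarm_id. Either side may arrive first, so both sides
    are buffered until the counterpart shows up; one row is emitted per match."""
    def __init__(self) -> None:
        self.tickets: Dict[str, dict] = {}
        self.alarms: Dict[str, dict] = {}

    def execute(self, source: str, tup: dict) -> Optional[dict]:
        key = tup["Alarm_id"]
        (self.tickets if source == "saqq-ticket" else self.alarms)[key] = tup
        if key in self.tickets and key in self.alarms:
            ticket, alarm = self.tickets.pop(key), self.alarms.pop(key)
            return {"Ticket_id": ticket["Ticket_id"], "Alarm_id": key,
                    "NotificationTime": notification_seconds(alarm)}
        return None

def run_topology() -> Tuple[List[dict], List[str]]:
    """Spout -> bolt -> drain; returns dashboard rows and Alarm_ids of tickets still unmatched."""
    bolt, dashboard_rows = MatchAlarmBolt(), []
    for topic in ("saqq-ticket", "saqq-security-alarm"):
        for tup in spout(topic):
            row = bolt.execute(topic, tup)
            if row is not None:
                dashboard_rows.append(row)  # drain: deliver to the Saqqara Dashboard
    return dashboard_rows, sorted(bolt.tickets)
```

Tickets whose alarm never arrives stay buffered in the bolt, which is the state a real deployment would need to expire or alert on.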

Cyber Security

[Architecture slide; stages recovered from the figure: Ingestion → Queue → Real Time Processing → Persistence / Analytics → Data Exploitation / Visualization, fed by Internal Information; FiWare.]

Join us

Sinfonier-project Community

Join us: sinfonier-project.net

@e_Sinfonier, @ffranz, @LeoAmorV

“All knowledge is connected to all other knowledge. The fun is in making the connections.”

Arthur Aufderheide