What is apache metron?

Apache Metron is advanced security analytical framework offers a centralized tool for security monitoring. Apache Metron applications are useful for advanced security analytics on streaming data. This framework provides organizations the ability to ingest, process and stores diverse security data feeds at scale in order to monitor, detect and respond to cyber anomalies.

Features of Apache Metron are:

  1. Data Ingestion – Ingest data from disparate telemetry sources into single system
    1. PCAP, NetFlow, IDS, Email archives, server logs, enrichment data
  2. Stream processing – Normalisation, enrichment and alerting in real time
  3. Indexing for visualization – SIEM functionality
  4. Long-term storage in data vault – Like forensics ad deep discovery

Four key capabilities of Apache Metron:

Security Data LakeIt is a cost-effective way to store and combine a wide range of business data with security data and Enriched telemetry and PCAP data for long periods of time. This data lake provides the corpus of data required that powers discovery analytics and provides a mechanism to search and query for operational analytics. Apache Metron can perform real-time enrichment of telemetry data as it is consumed. To highlight this feature, all of the IP address fields collected from the default sensor suite were used to perform geo-IP lookups. This data was then used to pinpoint each location details for further analysis.

Pluggable Framework Provides a rich set of parsers for common security data sources (pcap, netflow, bro, snort, fireye, sourcefire) but also provides a pluggable framework to add new custom parsers for new data sources, add new enrichment services to provide more contextual info to the raw streaming data, pluggable extensions for threat intel feeds, and the ability to customize the security dashboards. Machine learning and other models can also be plugged into the real-time streams providing huge extensibility.

For example, can easily extend to add custom functionality to transform data with built-in scripting and user-defined functions. Snort is a network Intrusion Detection System (NIDS) that is being used to generate alerts identifying known bad events. Snort relies on a fixed set of rules that act as signatures for identifying abnormal events.

Threat Detection PlatformBased on machine learning algorithms and anomaly detection that can be applied in real-time as events are streaming in.

The bro Network Security monitoring is extracting application- level information from raw network packets. For example, extracting HTTP(s) request being made over the network. Bro is extracting DNS requests and responses being made over the network and stores in the PCAP file. Understanding who is making those requests, the frequency and types can provide a deep understanding of the actors present on the network.

Incident Response Application – is an evolution of SIEM capabilities (alerting, threat intel framework, agents to ingest data sources) inclusive of packet replay utilities, evidence store and hunting services commonly used by SOC analysts.

Reduces incident response time by having everything in one place eliminates the overhead of manual tasks and enriches data provided context, faster understanding of what you are dealing with

Benefits of apache metron:








Deployment models

  • Cloud Installation on AWS EC2
  • On-Premise Servers
    • Metron Install on Ubuntu/Debian single-node VM
    • Metron Install on bare-metal install on Centos 6/Centos 7