This repository has been archived by the owner on May 15, 2019. It is now read-only.

Overview of Apache Spot (Incubating)

Everardo Lopez Sandoval edited this page Oct 6, 2016 · 3 revisions

Purpose and Audience

The overview section provides an understanding of the capabilities and potential business value of the Apache Spot solution. The intended audience are executives or sponsors of security analytics and big data projects in the organization.

The Business of Network Security – The “Port Perspective”

With the arrival of big data platforms, security organizations can now make data-driven decisions about how they protect their assets. Network traffic records captured as network flows are often already stored and analyzed for network management. An organization can use this same information to gain insight into which channels corporate information flows through. By taking into account additional context, such as prevalent attacks and the protocols considered key to the company, the security organization can develop a strategy that applies the right amount of per-channel risk mitigation based on the value of the data flowing through each channel. For an organization, we call this “the port perspective”. All organizations should evaluate two vectors:

  1. Adopt a “wide enough, deep enough” protection strategy that involves both edge prevention and sophisticated detection of unusual behavior.
  2. Perform deep inspection of key protocols, using methods that can scale to the volume of data flowing across each channel.

While individual organizations may also need to inspect flows of data that are specific to them (e.g. order data or B2B communication on a particular port), all organizations can achieve significant risk reduction by analyzing network flows for #1 and DNS (domain name service) replies for #2.

Spot intends to support this strategy by focusing on “hard security problems”: detecting events such as lateral movement, side-channel data escapes, insider issues, or stealthy behavior in general. It can be deployed incrementally to realize immediate ROI, but it is also meant to support an organization’s growth and maturity toward complete threat visibility as part of its protection strategy. The chart below compares growth in investment in storage and compute with the level of detection that can be performed.