Blog Post

Rocana's Approach to Operational Awareness – Part II

May 7, 2015 Author: Don Brown

In my previous post, I talked about a new approach to security and the role of security monitoring in that approach. Rocana software aids in full stack monitoring. Out of the the box, Rocana monitors all machine data, a virtually infinite number of metrics and derived metrics and overlays synthetic data, all in real time from your IT infrastructure and applications. It does so at a reasonable, predictable cost on an open platform. Rocana also feeds enriched data into point solutions.


In the above, all data sources are represented on the left, and consumed either via an agent directly on the data generating system, REST API, log4j appenders, syslog, native Rocana API (Java). Rocana provides a flexible schema that allows for the consumption of nearly any type of data, and leverages Kafka to provide a publish-subscribe services for message transport into our Event Data Warehouse. On the far right, a few screen captures of the Rocana application can be seen and is the primary entry point for operators into the system. Important to note however, is the downward pointing arrow coming out of the Event Data Warehouse box. Here again, we leverage Kafka as the transport to push either the full firehose of raw events, or more typically, a pruned or transformed feed to downstream point solutions for deep, domain specific analysis.

We’ve seen this pattern emerge again and again within our customer base, most commonly around offloading powerful, purpose built SIEM tools like Splunk, Arcsight or QRadar. Customers will typically use Rocana as the single pane of glass into their IT systems for ITOA and triage, and then use the facilities we have built into the system to pass a filtered stream of data to these point solutions. This allows the customer to accomplish a few goals:

Capture and retain all data, remaining beholden only to the cost of the underlying hardware, not software licenses
Lower the total amount of data as well as the retention period of the above described solutions (which has the added benefit of allowing those systems to become performant again)

So we’ve now created a reasonable separation of duties: event collection, IT triage and generic anomaly detection happen in the Rocana platform and the purpose built threat analyses happens in the SIEM platforms. This enables our IT staff to have full visibility into the lowest level goings on of their infrastructure without disrupting current workflows. While SIEM’s are the most frequent downstream consumer of data, we also see people integrating with ticketing systems like ServiceNow, alerting tools like PagerDuty, etc.

It should be readily apparent now, that while this is obviously a non-trivial effort, it is an absolute necessity to operate in a world with incredibly sophisticated, persistent attackers, sometimes even state sponsored. Providing mere glimpses into the datacenter is simply no longer sufficient to stop these determined, well funded threats, you need high fidelity optics into all your operational data and the ability to integrate easily with purpose built solutions, and Rocana provides that out of the box on a platform you already likely have in house.