Blog Post

Rocana Ops: The Foundation Every SIEM Environment Needs

June 13, 2017 Author: Bryan Rapp

A SIEM tool is the foundation of any mature Security Operations Center (SOC). These tools have operated over the past 15+ years by collecting identified security log sources and then applying correlation rules or saved searches. As the demand for 100% event collection from all business and operational sources has increased due to compliance and incident response requirements, traditional SIEM solutions have struggled to adapt because of scale challenges or onerous software licensing schemes.


We recognized this demand and struggle early on, which is why we developed a solution that solves both the scale and cost issues presented by traditional SIEM tools. Rocana Ops allows customers to collect 100% of its security data no matter the source or volume, while allowing SOC teams to continue using existing workflows already defined in tools like ArcSight, for example. The security event data, whether from network, host, wire, or synthetic sources, can also be viewed using a single interface alongside other enterprise event sources, such as application, database, web, and middleware systems.

Rocana Ops gives security operators the ability to see the full context of all event information resulting in faster and more accurate responses. Additionally, ArcSight and other applications can be forwarded required event sources and/or types for processing by existing correlation rules and tools.

Rocana Ops: The First Stop for All Enterprise and Security Event Information

Using agent and agentless collection methods (flat files, syslog, statsD, netflow, Windows, Kafka, etc.) Rocana Ops becomes the first stop for all enterprise and security event information. Utilizing the linear horizontal scaling capabilities of Apache Hadoop, Rocana Ops is not constrained by volume or retention schedules which affect traditional solutions. Events can be stored for months or years, and searched with speed using Rocana Search – the purpose-built search engine for time series data.

Security teams must often cherry pick event sources due to sheer volume, which again presents scale and volume-based pricing challenges. These rich sources of information are therefore routinely “left on the floor” and are not available for security correlation. Rocana Ops allows these event sources, in concert with all other security sources, to finally be collected on a single platform. Some of these voluminous sources include:

  • DNS
  • Netflow
  • Windows audit events
  • Wire data capture

In addition to the ingestion, indexing, searching, and visualization of the entirety of enterprise event data, Rocana Ops can also direct curated event streams of security specific data to unique Kafka topics for ingestion by a downstream SIEM tool like ArcSight. This event flow allows security operators to continue using tools and workflows that are familiar, while having the ability to view the full context of contemporaneous enterprise event activity should it be needed during an investigation. Faceted, click-based searches also allow operators to quickly select individual event sources for quick isolation and identification, as depicted in the diagram below.


Figure 1: Rocana Ops Faceted Search by Individual Service

The diagram below describes the event flow into Rocana, and the curated event stream into ArcSight:


Figure 2: Rocana Event Flow with Enrichment and ArcSight Curated Feeds. Rocana Search enables faceted search for fine grain analysis. In this example, showing events from Vxpa.

By using this event capture and flow methodology, customers can achieve their goal of 100% event collection. The underlying Hadoop architecture scales to meet the largest ingestion and retention requirements, and the user-based pricing of Rocana Ops assures that the business can break free from traditional volume-based “taxing” models. Several Rocana customers have reduced their existing SIEM license costs by utilizing the curated feeds strategy, while still capturing the entirety of event data across the environment.

Business Outcome

In one real world example, a Fortune 20 retailer was able to leverage a curated event feed from Rocana to reduce their Splunk ES (Enterprise Security) footprint from 3TB to 500GB a day. Rocana immediately saved them $1 million in OpEx spending and they gained a vehicle for ingesting more than 100TB a day into the Rocana Ops platform.

Learn More...

Read the White Paper: Next-Gen Event Management