Development of services for the Alert Logic SIEMless Threat Management security system

CLIENT

3,000 organizations use the company's solutions

Alert Logic develops, supplies, and supports hardware-software complexes for the control over enterprise network security. The company headquarters are located in Houston (the state of Texas), USA.

CHALLENGE

Alert Logic and Reksoft have been cooperating since 2007. The earlier work covered services for the Threat Manager and Log Manager products, which analysed customer host logs and incoming traffic in enterprise networks respectively. Based on that analysis, the products detected vulnerabilities and ensured security.

In 2017, Alert Logic needed a more scalable and higher-performing solution. It had to store a constantly growing volume of customer data (over two petabytes of new data a month), process more than a million messages a second and guarantee 24/7 operation for several thousand customers. To meet these requirements, the decision was made to develop a new cloud architecture.

Reksoft was charged with the development of services for data search, storage and access.

SOLUTION

The services were developed in the Erlang functional programming language. It is well suited to distributed processing systems and allows new code to be loaded without shutting down the server (hot code loading). This is especially important for Alert Logic because the security system must be up and running 24/7.

Where specialized high-performance, low-latency libraries were required, C and C++ were used.

AWS Lambda, EC2, ECS and other services were used for data processing. The Amazon cloud infrastructure gave the system unlimited resources and room to scale.

Amazon S3 was used for data storage. On the one hand, Alert Logic can obtain extra storage space at any time; on the other hand, the company does not have to build a complex and costly infrastructure in its own network to house tens of petabytes of data. All the information is now stored on Amazon's servers.

Reksoft has developed two services as part of the upgraded system:

  • Data Access: a high-performance, scalable service for encrypted data storage.
  • Search: a service for quick retrieval of customer data.

Let's see how it works. The system collects data from different sources, analyses it, generates a series of events, creates incidents from those events and hands the incidents to analysts. For example, a customer has entered an incorrect password n times, then gained privileged access and downloaded a file. The following happens next:

  • Based on the host log, the system generates a series of events: an incorrect password was entered n times, root access was granted, a file was downloaded.
  • When suspicious events coincide (as in our example), the system generates an incident.
  • Analysts investigate the incident and determine the threat level.
  • If a threat is confirmed, they prevent it and eliminate the vulnerability.
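The event-to-incident pipeline described above, as an added illustration that is not Alert Logic's or Reksoft's code: the log format, the event patterns, the failure threshold and the time window are all assumptions made for the example, and the log lines are constructed.

```python
"""Constructed example: host log lines -> typed events -> correlated incident.
Not the product's code; syslog-like format, thresholds and severity are assumed."""
import re
from datetime import datetime, timedelta

# Constructed sample host log (format assumed: "<iso-timestamp> <host> <message>").
SAMPLE_LOG = """\
2024-03-01T10:00:01 web01 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:04 web01 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:07 web01 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:12 web01 sshd: Accepted password for alice from 203.0.113.5
2024-03-01T10:00:30 web01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/su root
2024-03-01T10:01:10 web01 curl: alice downloaded /tmp/report.tar.gz
2024-03-01T10:05:00 db01 sshd: Failed password for bob from 198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
# Event types the page names: repeated bad password, root access, file download.
EVENT_PATTERNS = [
    ("failed_password", re.compile(r"Failed password for (?P<user>\S+)")),
    ("root_access", re.compile(r"sudo: (?P<user>\S+) : .*COMMAND=/bin/su root")),
    ("file_download", re.compile(r"(?P<user>\S+) downloaded (?P<path>\S+)")),
]

def parse_events(log_text):
    """Step 1: turn raw log lines into events; lines matching no pattern are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for etype, pat in EVENT_PATTERNS:
            hit = pat.search(m["msg"])
            if hit:
                events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                               "user": hit["user"], "type": etype})
                break
    return events

def correlate(events, min_failures=3, window=timedelta(minutes=10)):
    """Step 2: per (host, user), raise an incident when N failed passwords are followed
    by root access and then a download, all inside the time window (values assumed)."""
    by_key = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key.setdefault((ev["host"], ev["user"]), []).append(ev)
    incidents = []
    for (host, user), evs in by_key.items():
        fails = [e["ts"] for e in evs if e["type"] == "failed_password"]
        root = [e["ts"] for e in evs if e["type"] == "root_access"]
        down = [e["ts"] for e in evs if e["type"] == "file_download"]
        if len(fails) < min_failures or not root or not down:
            continue  # isolated events stay events; only the sequence becomes an incident
        if fails[-1] < root[0] < down[0] and down[0] - fails[0] <= window:
            incidents.append({"host": host, "user": user, "severity": "high",
                              "evidence": [e["type"] for e in evs]})
    return incidents  # Step 3: these go to analysts for triage
```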

Let’s summarize:

The development was realized by using the Erlang functional programming language.

It is well suited to distributed processing systems and allows new code to be loaded without interrupting operation.

AWS Lambda, EC2, ECS and other services are responsible for data processing.

They deliver the required high performance and help reduce costs.

Amazon S3 is used for data storage.

The solution provides high scalability without the expense of purchasing and maintaining a complex and costly infrastructure to warehouse the data.

Search and Data Access services have been developed.

They allow searching and collecting data on customer activity from host logs and, after analysing it, detecting vulnerabilities.

RESULTS

The upgraded system processes over one million messages per second. The customer base exceeds 4,000 customers, and 30 petabytes of information are stored on Amazon's servers.

The services for the upgraded security system have been developed.

They operate 24/7 and reliably protect enterprise networks against attacks.

The cloud architecture

ensures high performance and scalability without the expense of purchasing, setting up and maintaining additional equipment.

TECHNOLOGIES

  • C/C++,
  • Erlang,
  • Amazon Web Services (EC2, ECS, Lambda, Kinesis, S3, SQS, DynamoDB).

APPROACHES, PRACTICES

  • Big data,
  • High load,
  • DevOps,
  • CI/CD,
  • Microservices Architecture.