Mozdef - Mozilla Venture Defence Platform
The inspiration for MozDef comes from the large arsenal of tools available to attackers. Suites similar metasploit, armitage, lair, dradis as well as others are readily available to assistance attackers coordinate, part intelligence as well as finely melody their attacks inwards existent time. Defenders are normally express to wikis, ticketing systems as well as manual tracking databases attached to the destination of a Security Information Event Management (SIEM) system.
The Mozilla Enterprise Defense Platform (MozDef) seeks to automate the safety incident treatment procedure as well as facilitate the real-time activities of incident handlers.
Goals
High level
- Provide a platform for utilisation past times defenders to chop-chop honour as well as answer to safety incidents.
- Automate interfaces to other systems similar firewalls, cloud protections as well as anything that has an API
- Provide metrics for safety events as well as incidents
- Facilitate real-time collaboration with incident handlers
- Facilitate repeatable, predictable processes for incident handling
- Go beyond traditional SIEM systems inwards automating incident handling, information sharing, workflow, metrics as well as response automation
- Offer micro services that brand upward an Open Source Security Information as well as Event Management (SIEM)
- Scalable, should live able to induce got thousands of events per second, supply fast searching, alerting, correlation as well as induce got interactions betwixt teams of incident handlers.
MozDef aims to supply traditional SIEM functionality including:
- Accepting events/logs from a diverseness of systems
- Storing events/logs
- Facilitating searches
- Facilitating alerting
- Facilitating log management (archiving,restoration)
It is non-traditional inwards that it:
- Accepts alone JSON input
- Provides y'all opened upward access to your data
- Integrates with a diverseness of log shippers including logstash, beaver, nxlog, syslog-ng as well as whatever shipper that tin post JSON to either rabbit-mq or an HTTP(s) endpoint.
- Provides slow integration to Cloud-based information sources such equally cloudtrail or guard duty
- Provides slow python plugins to manipulate your information inwards transit
- Provides extensive plug-in opportunities to customize your number enrichment stream, your warning workflow, etc
- Provides realtime access to teams of incident responders to permit each other to meet their piece of employment simultaneously
Architecture
MozDef is based on opened upward source technologies including:
- Nginx (http(s)-based log input)
- RabbitMQ (message queue as well as amqp(s)-based log input)
- uWSGI (supervisory command of python-based workers)
- bottle.py (simple python interface for spider web asking handling)
- elasticsearch (scalable indexing as well as searching of JSON documents)
- Meteor (responsive framework for Node.js enabling real-time information sharing)
- MongoDB (scalable information store, tightly integrated to Meteor)
- VERIS from verizon (open source taxonomy of safety incident categorizations)
- d3 (javascript library for information driven documents)
- dc.js (javascript wrapper for d3 providing mutual charts, graphs)
- three.js (javascript library for 3d visualizations)
- Firefox (a snappy piffling spider web browser)
Frontend processing
Frontend processing for MozDef consists of receiving an event/log (in json) over HTTP(S), AMQP(S), or SQS doing information transformation including normalization, adding metadata, etc. as well as pushing the information to elasticsearch.
Internally MozDef uses RabbitMQ to queue events that are nevertheless to live processed. The diagram below shows the interactions betwixt the python scripts (controlled past times uWSGI), the RabbitMQ exchanges as well as elasticsearch indices.
Status:
MozDef is inwards production at Mozilla where nosotros are using it to procedure over 300 1000000 events per day.