Use Case Track  

Hunting for Attack Chains in Event Streams

Arctic Wolf Networks processes over 9 billion events a day across its customer base. These represent HTTP and DNS transactions from customer networks, log lines from customer infrastructure devices like firewalls and switches, Active Directory event logs, logs from cloud services such as Office 365, and more. It is critical for our security engineers to quickly pick out the small subset of these events that represent security threats facing our customers.

Further, effective threat detection requires the ability to detect a sequence of related events. One example is detecting a certain threshold of login failures within a time period followed by a successful login, which might indicate a successful attempt to brute-force a user account. Another is the download of an executable payload followed by an HTTP POST request to a suspicious site. In both of these cases, the sequence of events taken together presents a stronger indicator of compromise than each of the individual events. Arctic Wolf Networks implemented this functionality by integrating Flink with EsperTech’s Esper Complex Event Processing streaming analytics engine.
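As an added illustration (not Arctic Wolf Networks’ code; their production rules run as Esper statements on Flink), the login-failure-then-success chain above expressed as a windowed detector in Python over constructed authentication events, some of which arrive out of order to mimic unsynchronised sources:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real customer data). Arrival order is
# deliberately not time order, as with feeds whose clocks are not in sync.
SAMPLE_EVENTS = [
    {"ts": "2023-04-01T10:00:05", "user": "alice", "src": "198.51.100.7", "outcome": "failure"},
    {"ts": "2023-04-01T10:00:01", "user": "alice", "src": "198.51.100.7", "outcome": "failure"},
    {"ts": "2023-04-01T10:00:09", "user": "alice", "src": "198.51.100.7", "outcome": "failure"},
    {"ts": "2023-04-01T10:00:20", "user": "alice", "src": "198.51.100.7", "outcome": "success"},
    {"ts": "2023-04-01T10:00:30", "user": "bob",   "src": "203.0.113.4",  "outcome": "failure"},
    {"ts": "2023-04-01T10:05:00", "user": "bob",   "src": "203.0.113.4",  "outcome": "success"},
    {"ts": "2023-04-01T10:15:00", "user": "alice", "src": "192.0.2.10",   "outcome": "success"},
]


def detect_brute_force(events, threshold=3, window=timedelta(minutes=1)):
    """Return one alert per success that follows >= `threshold` failures
    for the same user within `window`.

    Events are first ordered by event time; this stands in for the
    watermark/allowed-lateness reordering a stream processor performs
    before a pattern rule sees them.
    """
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for e in ordered:
        ts = datetime.fromisoformat(e["ts"])
        recent = failures[e["user"]]
        # Expire failures that fall outside the window relative to this event.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if e["outcome"] == "failure":
            recent.append(ts)
        elif e["outcome"] == "success":
            if len(recent) >= threshold:
                alerts.append({"user": e["user"], "src": e["src"],
                               "failures": len(recent), "ts": e["ts"]})
            recent.clear()  # a success ends the sequence either way
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_EVENTS):
        print(alert)
```

With the sample data only alice's 10:00:20 success fires (three failures in the preceding 19 seconds); bob's single failure and alice's later success from another source do not.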

We greatly benefited from Flink’s ease of deployment and horizontal scalability, while its configurable thresholds for event lateness were crucial in enabling us to handle heterogeneous customer data sources that are not all in sync. Meanwhile, Esper offered a mature, highly expressive, and performant Complex Event Processing framework, a good fit for the flexibility required to express the logic desired by our security engineers. Together, Flink and Esper enhance our security engineers’ visibility into threats faced by our customers and reduce the time investment needed to identify these threats, allowing for more comprehensive and responsive customer service.

Authors

Ray Ruvinskiy
Arctic Wolf Networks

Ray has been with Arctic Wolf Networks for 6 years, joining when the wolves were but pups. Over the years, Ray has worked on a number of services making up the distributed system that backs Arctic Wolf Networks’ CyberSOC service. He currently leads the Detection Automation team, where he’s focused on improving Arctic Wolf Networks’ threat detection capabilities. Prior to Arctic Wolf Networks, Ray worked at Blue Coat Systems (since acquired by Symantec) and Sybase (since acquired by SAP).

Jonathan Walsh
Arctic Wolf Networks

Jonathan is an 8-year veteran of the cybersecurity industry, with a degree in Computational Mathematics and CISSP and GCIH security certifications. His interests lie at the intersection of mathematics and security.