SIEM with autopilot: what is the connection between gastritis and the incident detection system

In 2012, we started building a new, large product to replace MaxPatrol 8. Within the company it received the nickname MaxPatrol X. By that time we understood that a qualitatively new product could only be made by completely changing the approach to the problem. The new approach rested on the idea of full-scale collection and analysis of information about everything happening in the IT infrastructure: node configuration, network configuration, what is happening on the network (that is, traffic analysis) and on the node (that is, log analysis). From the need to collect and analyze logs, SIEM was in fact born. For the 5th anniversary of MaxPatrol SIEM, which entered the market in 2015, we decided to tell the story of its development.

In the course of one of the projects in 2013, the principles of the data-processing architecture we needed began to emerge: collection, normalization, correlation, storage. The MITRE CEE approach (subject - action - object - state) was chosen as the basis for normalization; at that time it seemed very correct and interesting. But the future showed that real events do not always fit neatly into the Procrustean bed of the academic CEE approach.

First steps and first mistakes

There will be many unfamiliar names in this section, but we decided to tell you the whole truth, so bear with it :)

Python, MongoDB. EPS. 2014 MaxPatrol X. RabbitMQ — MaxPatrol X, SIEM. Elasticsearch . , , , SIEM-. , «» FastReport. .

- . Elasticsearch « », . Elasticsearch (2.x) , . , . , Elasticsearch. « » JSON .  .


PoC 2015 , SIEM: , «» . . , , — . . .

( , ) SIEM . , , . , :)

, : « » , , . « » Redis   PoC PT Network Attack Discovery, . «», network traffic analysis (NTA), asset management (AM), vulnerability management (VM) SIEM.

( , : Redis, MongoDB, MS SQL, Elasticsearch, PostgreSQL, InfluxDB). — - . 2015 2016 , , «» — , .

2016 12 (2.0). , , , , , , — «» , , ;) — . , SIEM-.

. , , . , - , « ». . , . 

. , , Positive Technologies, . , ( , , ). SIEM, . (, !).

. , , . , , (, ). SIEM, (, , ), - (, , , , , , . .). , , , . , , , — . ( ) , . , . , , , , ArcSight ( HP, Micro Focus) IBM QRadar — 300–400. , , . , : «  300 , 20, "1C", "" ».

, MaxPatrol SIEM SIEM-. , , , , , , .

« »; 2016–2017 . 13–15 : , . Python ++, , , , . , (watchdog) .

 

16 . . SIEM 2015 , ArcSight ( Positive Hack Days 2016 300 ), IBM QRadar , . IT- Splunk, : IT-, SIEM, , , , ( , , , , Splunk ).

2017 , , , — , . , . Endpoint Monitor (Kernel Mode driver), sysmon. DPI (Deep Packet Inspection) PT Network Attack Discovery Network Sensor . PT MultiScanner, PT Network Attack Discovery, MaxPatrol SIEM . «» (. 1).

Figure 1. How the number of partners and customers grew

 

, . , . -, , 2018 — . 18 (4.0) 19 , . , . asset management . , : , . «» , , , . - .

MaxPatrol SIEM , SIEM ( ), — SIEM , . PHDays, , . , , SIEM- — 10–20% , , ( , ). — . ( ), , , , , SIEM- . , YARA- ? 2018 MaxPatrol SIEM . 2017-: - WannaCry, ( Git , ). NotPetya Bad Rabbit, , PT Expert Security Center -. PT ESC , , , - , , 2018 .

asset management — , , , , . - , ( firewall, , , , , ).

, 2018 PT Knowledge Base . , (. 2). , key value Redis , in-memory. , SIEM , , , .

Figure 2. PT Knowledge Base with expert content today

, . TI- (threat intelligence) MS SQL PostgreSQL. very large enterprise , .

2019 21 (5.0) 21.1 , . , -10 SIEM- . 21.1 OEM- , SIEM, , . asset grids.

Solar JSOC. SIEM- , , . . , , , , , . 2019 . , , . MaxPatrol SIEM 23 .

, 2020 : , Elasticsearch 7.x, , , .

MaxPatrol SIEM , . , . : IDC, MaxPatrol SIEM, ArcSight QRadar 25% ( , 30%). . : , SIEM-, , , , , . .

: , Positive Technologies

, , , .
