By Gene Stevens Co-Founder and CTO, ProtectWise October 30, 2018
ProtectWise is on a mission to fundamentally change human experience in security. We believe there needs to be a new approach to how the enterprise acquires, manages, and operates security.
We launched our cloud-powered Network Detection and Response (NDR) platform, The ProtectWise GridTM, in 2015 to shift core network security functionality away from traditional fragmented hardware appliances to a fully on-demand model delivered entirely from the cloud.
How it Works
The ProtectWise Grid is deployed by placing free software sensors on any network segment where our customers need visibility, detection, and response capabilities, including enterprise, cloud, or industrial environments.
These sensors operate passively on the network, receiving an exact copy of all the network communications and transactions, which we compress, optimize, and stream to the cloud.
Once in the cloud, we run it through a suite of threat detection capabilities ranging from deterministic approaches, using things such as signatures and heuristics, to the probabilistic, where we profile behavior and look for anomalies. What’s more, we wanted to store a copy of this data for an unlimited amount of time.
Network data is truly massive. It can contain lots of features to be extracted, such as IPs, ports, email, web traffic, files, URLs, domains, hashes, certificates, DNS queries, SMB transfers, geographic information, and on and on.
At scale, this means we are ingesting trillions of data points per day, all of which are candidates for threat detection. Being “NDR” means that it’s not enough to simply detect attacks, we need to be able to integrate with the existing architecture, respond automatically, support rich investigation, and offer up that entire haystack for open ended searching and querying.
Given that the median time for breach detection in most organizations is greater than six months, we offer a standard retention window that is a year of storage.
How it’s Doing
After three years of commercial availability, ProtectWise has amassed one of the largest security data sets ever created. Today, The ProtectWise Grid ingests over half a trillion data points per hour and performs 10s of millions of transactions per second.
With this kind of volume and velocity, our technology infrastructure must be purpose-built to store and manage time series data without impacting performance and availability. DataStax, and specifically its distributed database DataStax Enterprise (DSE), are a critical component to making this possible.
In the early stages of our development, the ProtectWise team discovered DSE through the DataStax Startup Program. At the time, we knew database performance would be key as we kept up with epic write speeds, and we also knew legacy relational or Hadoop-based database technologies weren’t built to support the level of performance we needed. As a fast, highly scalable distributed database delivering Apache Cassandra, DSE allowed us to manage this tremendous volume of data at scale.
ProtectWise also needed to solve for enabling search at scale. DSE integrates with Apache Solr™, which let us fuse Cassandra and Solr together in a way that supported our demands for superior system performance and linear scalability.
Ultimately, DSE enabled us to store, index, and search all of our customers’ data in real time, and it plays a key role in our ability to query all of that data going back a year or more: we built some very interesting technology which allows us to search against even petabytes of data in seconds and to do so cost effectively, and DSE plays an important role in that.
The DSE Solution
DSE has allowed us to solve a hard problem very quickly and continues to serve as the database backbone of our cloud-delivered NDR platform. As more organizations evolve their security strategies with NDR, our work together becomes even more important.
NDR is designed to dramatically accelerate threat detection, integrated incident response, with open querying. In complement, DataStax gives us the ability to search through billions of network communications very quickly and derive answers from these data points in mere seconds. Our integrations with other security products including Endpoint Detection and Response (EDR) solutions allow us to solve another hard problem: enabling complete visibility, detection, forensics and response from the endpoint to the network.
Together, we are creating the future of security—one that is simpler, faster, more effective, and more affordable.