UPDATED 14:41 EDT / JANUARY 10 2020


IBM Research open-sources SysFlow to tackle cloud threats

IBM Corp.’s research division today announced the release of SysFlow, an open-source security toolkit for hunting breaches in cloud and container environments.

SysFlow is designed to tackle a common problem in network protection. Modern security monitoring tools capture system activity with a high degree of granularity, often down to individual events such as file changes.

That’s useful to a point but also creates a large amount of noise that makes spotting threats harder. IBM researchers Frederico Araujo and Teryl Taylor described looking for breaches under such circumstances as “akin to searching for a needle in an extremely large haystack.”

SysFlow cuts down the amount of information security teams have to sift through. The toolkit works by gathering operational data from a given system and compressing this data into a model that shows the system’s high-level behaviors rather than individual events such as HTTP requests. Such localized events are also displayed, but SysFlow connects them to relevant behavioral patterns in order to provide the context necessary for a detailed analysis.

In a blog post, IBM’s Araujo and Taylor outlined an example breach scenario where the toolkit can prove handy. The hypothetical breach sees a hacker find a vulnerable Node.js server in a company’s network, download a malicious script onto that server and then compromise a sensitive customer database. 

“While state-of-the-art monitoring tools would only capture streams of disconnected events, SysFlow can connect the entities of each attack step on the system,” the researchers explained. “For example, the highlighted SysFlow trace maps precisely the steps of the attack kill chain: the node.js process is hijacked, and then converses with a remote malware server on port 2345 to download and execute a malicious script.”
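The linking idea the researchers describe can be sketched as an added example; this is not SysFlow code and does not use its record format or APIs. The event fields, process names, addresses and paths below are constructed assumptions. The sketch groups flat events by process and reports the chain "outbound connection, then file write, then a child process executing that file".

```python
from collections import defaultdict

# Constructed sample events. Field names are assumptions for this sketch,
# not SysFlow's record schema; addresses come from documentation ranges.
EVENTS = [
    {"ts": 1, "pid": 410, "exe": "node", "type": "net_accept", "peer": "203.0.113.7", "port": 8080},
    {"ts": 2, "pid": 500, "exe": "sshd", "type": "net_accept", "peer": "192.0.2.4", "port": 22},
    {"ts": 3, "pid": 410, "exe": "node", "type": "net_connect", "peer": "198.51.100.9", "port": 2345},
    {"ts": 4, "pid": 420, "exe": "node", "type": "net_connect", "peer": "192.0.2.80", "port": 443},
    {"ts": 5, "pid": 410, "exe": "node", "type": "file_write", "path": "/tmp/job.sh"},
    {"ts": 6, "pid": 420, "exe": "node", "type": "file_write", "path": "/var/log/app.log"},
    {"ts": 7, "pid": 411, "ppid": 410, "exe": "sh", "type": "exec", "path": "/tmp/job.sh"},
]

def group_by_process(events):
    """Fold the flat event stream into one time-ordered list per process."""
    flows = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        flows[ev["pid"]].append(ev)
    return flows

def find_download_and_execute(events):
    """Return chains: process connects out, writes a file, child then executes it."""
    flows = group_by_process(events)
    execs = [e for e in events if e["type"] == "exec"]
    chains = []
    for pid, evs in flows.items():
        for write in (e for e in evs if e["type"] == "file_write"):
            # Outbound connections by the same process that precede the write.
            prior = [e for e in evs if e["type"] == "net_connect" and e["ts"] < write["ts"]]
            if not prior:
                continue
            for ex in execs:
                if ex.get("ppid") == pid and ex["path"] == write["path"] and ex["ts"] > write["ts"]:
                    chains.append({
                        "parent_pid": pid, "parent_exe": write["exe"],
                        "remote": (prior[-1]["peer"], prior[-1]["port"]),
                        "script": write["path"], "child_pid": ex["pid"],
                    })
    return chains

if __name__ == "__main__":
    for chain in find_download_and_execute(EVENTS):
        print(chain)
```

The second node process (pid 420) also connects out and writes a file, but nothing executes that file, so only the linked chain through pid 410 is reported.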

SysFlow can not only help security teams spot threats but potentially also conserve hardware resources in the process. According to IBM, the toolkit reduces security data collection rates by “orders of magnitude” compared to traditional tools.

SysFlow has a built-in rule engine that can be customized to automatically flag suspicious events. In addition to breaches, the toolkit lends itself to spotting regulatory compliance violations such as financial records being stored somewhere they’re not supposed to be. When more fine-grained detection is necessary, security teams can program their own custom threat identification algorithms into SysFlow.

IBM sees the platform being used in concert with other open-source tools. “SysFlow’s open serialization format and libraries enable integrations with open source frameworks (e.g., Spark, scikit-learn) and custom analytic microservices,” Araujo and Taylor wrote.

SysFlow’s ability to translate raw system data into a high-level picture of malicious activity is something that other solutions offer as well. Several security protection providers, among them recently funded startup Cybereason Inc., provide commercial investigation tools that can trace the path an attacker took through a company’s network during a breach. But the fact that SysFlow is freely available under an open-source license and backed by IBM may allow it to take a special place in the security tooling ecosystem. 
