IBM Corp.’s research division today announced the release of SysFlow, an open-source security toolkit for hunting breaches in cloud and container environments.

SysFlow is designed to tackle a common problem in network protection. Modern security monitoring tools capture system activity with a high degree of granularity, often down to individual events such file changes.

That’s useful to a point but also creates a large amount of noise that makes spotting threats harder. IBM researchers Frederico Araujo and Teryl Taylor described looking for breaches under such circumstances as “akin to searching for a needle in an extremely large haystack.”

SysFlow cuts down the amount of information security teams have to sift through. The toolkit works by gathering operational data from a given system and compressing this data into a model that shows the system’s high-level behaviors rather than individual events such as HTTP requests. Such localized events are also displayed, but SysFlow connects them to relevant behavioral patterns rather in order to provide the context necessary for a detailed analysis. 

In a blog post, IBM’s Araujo and Taylor outlined an example breach scenario where the toolkit can prove handy. The hypothetical breach sees a hacker find a vulnerable Node.js server in a company’s network, download a malicious script onto that server and then compromise a sensitive customer database. 

“While state-of-the-art monitoring tools would only capture streams of disconnected events, SysFlow can connect the entities of each attack step on the system,” the researchers explained. “For example, the highlighted SysFlow trace maps precisely the steps of the attack kill chain: the node.js process is hijacked, and then converses with a remote malware server on port 2345 to download and execute a malicious script.”

SysFlow can not only help security teams spot threats but potentially also conserve hardware resources in the process. According to IBM, the toolkit reduces security data collection rates by “orders of magnitude” compared to traditional tools.

SysFlow has a built-in rule engine that can be customized to automatically suspicious events. In addition to breaches, the toolkit lends itself to spotting regulatory compliance violations such as financial records being stored somewhere they’re not supposed to. When more fine-grained detection is necessary, security teams can program their own custom threat identification algorithms into SysFlow.

IBM sees the platform being used in concert with other open-source tools. “SysFlow’s open serialization format and libraries enable integrations with open source frameworks (e.g., Spark, scikit-learn) and custom analytic microservices,” Araujo and Taylor wrote.

SysFlow’s ability to translate raw system data into a high-level picture of malicious activity is something that other solutions offer as well. Several security protection providers, among them recently funded startup Cybereason Inc., provide commercial investigation tools that can trace the path an attacker took through a company’s network during a breach. But the fact that SysFlow is freely available under an open-source license and backed by IBM may allow it to take a special place in the security tooling ecosystem. 

Photo: IBM