Another new open-source project is being welcomed into the Apache Software Foundation’s stable, this time with a focus on cyber security.
Apache Metron is the ASF’s latest top-level project, billed as an application framework that allows for centralized monitoring and analysis of network traffic. Apache Metron’s roots can be traced back to Cisco Systems Inc.’s Open Security Operations Center project, which was launched in 2014.
At the time, Cisco said OpenSoc was a scalable security analytics tool based on Apache Hadoop, but it was limited to consuming and monitoring network traffic in the data center. Apache Metron goes further, as it can analyze any kind of telemetry data. Apache Metron can do this because it has been built atop of a number of fellow Apache projects, including HBase, Kafka and Storm, in order to handle streaming data in real time.
The first release of Apache Metron, version 0.1, came out in April 2016. It works by ingesting, transforming and finally normalizing telemetry data, including full network packet capture. The data it ingests can also be enriched with asset identifiers and location data. Users can specify these enrichments via user-defined functions and a scripting language. The analysis helps users to identify security threats in their network, which can be specified and triaged either through rules or through machine learning models, in order to prioritize the biggest risks.
“It is abundantly clear that cyber security challenges are becoming a bigger part of our reality,” Casey Stella, vice president of Apache Metron, said in a statement. “Solving them effectively and at scale requires an Open Source, community-oriented approach built upon proven scalable technologies. This is what Metron is about at its core.”
Apache Metron is already being used by some companies for this purpose, including the Australian telecommunications firm Telstra Corp. Ltd. There’s every chance that the ASF’s top-level project designation will lead to further adoption of Metron, though it faces some competition in the shape of proprietary software vendors like Darktrace Ltd., Protectwise Inc., NowSecure Inc. and Bit9 Inc., as well as rival project Apache Spot, which was adopted by the ASF last year.
A Reddit thread from last year explains the differences between Apache Metron and Apache Spot. Apache Metron’s main value add is that it offers machine learning capabilities that helps it to better analyze network and telemetry data. Apache Spot doesn’t do this, but instead differentiates itself with an “open-data model” that encourages enterprises to share their security analytics data for the greater good, so the software can identify new threats more quickly.
It remains to be seen which of the two will prove more successful, and it may well be that they evolve for slightly different uses. Then again, it’s not impossible that the two frameworks could be used together, or even one day combined into a single, even more comprehensive security tool.