Stellar Cyber: Run an AI-Based Open Threat Detection and Response Platform on Oracle Cloud

To help companies defend their digital operations holistically and to prevent data security breaches, Stellar Cyber's AI-based open threat detection and response platform (Open XDR) seamlessly integrates all of their security tools, providing immediate threat detection, incident correlation, and automated threat hunting and response capabilities to security analysts worldwide.

Stellar Cyber helps security operations teams immediately detect, investigate, and respond to cyberattacks, reducing the impact and risk to their businesses by using the following:
  • Sensors for network traffic
  • Operating system telemetry
  • Log collection
  • API data collection at the edge
  • A secure channel for orchestrating responses to local security tools, such as firewalls, endpoint detection and response (EDR) and identity platforms

Founded in 2015, Stellar Cyber runs its cloud-native security platform on Oracle Cloud Infrastructure (OCI). Stellar Cyber automates log processing and forwarding and provides deep packet inspection (DPI) and network traffic analysis (NTA) for 3500+ network applications. The deployment includes a sandbox for zero-day malware detection, data buffering and more.

Initially developed as an on-premises application, Stellar Cyber's deployment was refactored as a software-as-a-service (SaaS) platform and moved to OCI.

Highlights of Stellar Cyber's deployment include:

  • An Elasticsearch (OpenSearch) engine manages the indexes and shards of the data lake

  • Oracle Cloud Infrastructure Block Volumes provides quick retrieval of data to be analyzed for 30-90 days

  • Oracle Cloud Infrastructure Object Storage provides a data repository for longer-term, cold storage for one or more years

  • Oracle Cloud Infrastructure DevOps provides tools for building continuous integration/continuous delivery (CI/CD) pipelines

  • Oracle Cloud Infrastructure Registry stores, shares, and manages Docker images

  • Oracle Cloud Infrastructure Email Delivery sends alerts and notifications to Stellar Cyber's customers

Architecture

Stellar Cyber uses a combination of its own security sensors, log collection engines, and API connectors to collect security-related data across a customer's entire enterprise.

Sensor data and logs enter the tenancy through Oracle Cloud Infrastructure Web Application Firewall (WAF), which protects the Stellar Cyber Oracle Cloud Infrastructure (OCI) tenancy from unwanted or malicious network traffic. Stellar Cyber's architecture is built from open source components running as containers on four node pools in an Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) cluster. One node pool runs Apache Kafka and Apache Flink as the stream-processing tier: ingested data is buffered in Kafka topics and consumed by Flink jobs that normalize and enrich it. Incoming data streams are distributed across the ingestion endpoints by Oracle Cloud Infrastructure Load Balancing.
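The normalization and enrichment step described above, as an added example that is not Stellar Cyber's code: two constructed feeds (a firewall syslog line and an EDR JSON event) are parsed into one common schema, placed on a single UTC clock, tagged with asset context from a constructed inventory, and classified by traffic direction. The log layouts, the asset inventory, the internal address ranges and the sample records are all assumptions made for this example.

```python
"""Normalization and enrichment of two sensor feeds into one event schema.

Added example, not Stellar Cyber code. The log formats, the asset inventory
and the sample records are constructed for illustration.
"""
import json
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed asset inventory standing in for the customer's CMDB export.
ASSETS = {
    "10.0.5.12": {"hostname": "db-01", "owner": "dba", "criticality": "high"},
    "10.0.7.40": {"hostname": "ws-jsmith", "owner": "jsmith", "criticality": "low"},
}
# Assumed internal ranges (RFC 1918); a real deployment takes these per tenant.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall syslog layout: key=value pairs after a fixed prefix.
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw: action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def to_epoch(ts):
    """ISO-8601 timestamp (Z or offset) -> UTC epoch seconds, so events from
    different sensors sort on one clock."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:            # treat naive timestamps as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def parse_firewall(line):
    """Firewall syslog (constructed format) -> common event schema."""
    m = FW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised firewall line: {line!r}")
    return {
        "ts": to_epoch(m["ts"]), "source": "firewall", "sensor": m["host"],
        "action": m["action"].lower(), "src_ip": m["src"], "dst_ip": m["dst"],
        "dst_port": int(m["dport"]), "proto": m["proto"].lower(),
    }


def parse_edr(line):
    """EDR JSON event (constructed format) -> common event schema."""
    ev = json.loads(line)
    return {
        "ts": to_epoch(ev["timestamp"]), "source": "edr", "sensor": ev["agent_id"],
        "action": ev["verdict"].lower(), "src_ip": ev["local_ip"],
        "dst_ip": ev.get("remote_ip"), "dst_port": ev.get("remote_port"),
        "proto": ev.get("proto", "tcp").lower(),
        "process": ev.get("process"), "user": ev.get("user"),
    }


def is_internal(ip):
    """True/False for a parseable address, None when missing or malformed."""
    try:
        addr = ip_address(ip)
    except (ValueError, TypeError):
        return None
    return any(addr in net for net in INTERNAL)


def enrich(event):
    """Attach asset context and classify direction. An unknown or missing
    address yields 'unknown' rather than silently defaulting to internal."""
    event["src_asset"] = ASSETS.get(event["src_ip"])
    event["dst_asset"] = ASSETS.get(event["dst_ip"])
    src_in, dst_in = is_internal(event["src_ip"]), is_internal(event["dst_ip"])
    if src_in is None or dst_in is None:
        event["direction"] = "unknown"
    elif src_in and dst_in:
        event["direction"] = "lateral"
    elif src_in:
        event["direction"] = "outbound"
    else:
        event["direction"] = "inbound"
    return event


def normalize(line):
    """Route a raw record to its parser by shape, then enrich it."""
    parser = parse_edr if line.lstrip().startswith("{") else parse_firewall
    return enrich(parser(line))


# Constructed sample records, one per feed.
SAMPLE_FW = ("2024-05-01T10:15:00Z fw-edge-1 fw: action=ALLOW src=10.0.7.40 "
             "dst=10.0.5.12 dport=3306 proto=TCP")
SAMPLE_EDR = json.dumps({
    "timestamp": "2024-05-01T10:15:02+00:00", "agent_id": "agent-77",
    "verdict": "Suspicious", "local_ip": "10.0.7.40", "remote_ip": "203.0.113.9",
    "remote_port": 443, "process": "powershell.exe", "user": "jsmith",
})

if __name__ == "__main__":
    for rec in (SAMPLE_FW, SAMPLE_EDR):
        print(json.dumps(normalize(rec)))
```

The direction field is the piece analysts lean on most: the firewall record becomes a "lateral" workstation-to-database connection on port 3306, while the EDR record becomes an "outbound" connection from the same workstation, and both share `src_asset`, so a downstream correlation step can join them on the host without re-parsing either feed.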

The following diagram illustrates the simplified data flow through the topology.

Diagram download: stellar-cyber-oci-data-flow-oracle.zip

Elastic Stack is deployed in two separate OKE node pools: one for Elasticsearch (master) and one for the Elasticsearch data lake (data). The normalized and enriched data from Flink is passed to Elasticsearch for retrieval and analysis. The raw data is stored in the Elasticsearch data lake.

A node pool for microservices provides containers for correlation, machine learning, and services (API and UI) for users to examine, analyze, and visualize their data.

The machine learning container interacts with Elasticsearch and provides data to the services container to be presented to the user. Machine learning algorithms classify threats by analyzing time series and peer groups with unsupervised learning and behavior analysis, and by generalizing known attack patterns with supervised learning. A Graph ML-based correlation engine is used to identify high-level incidents from alerts. For customers who require email alerts, Oracle Cloud Infrastructure Email Delivery generates notifications. Oracle Cloud Infrastructure Domain Name Service (DNS) manages Stellar Cyber DNS zones.
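The two ideas in the paragraph above, peer-group anomaly scoring and correlating alerts into a higher-level incident, as an added example that is not Stellar Cyber's engine: alerts are linked into connected components over the hosts and users they share (a deterministic stand-in for the Graph ML approach the page describes), and a subject's metric is scored against its peer group in standard deviations. The alerts, entities, severity weights and the peer-group numbers are all constructed for this example.

```python
"""Alerts -> incidents by shared entities, plus a peer-group anomaly score.

Added example, not Stellar Cyber's correlation engine. Uses union-find over a
shared-entity graph rather than graph ML; all alerts and baselines below are
constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed alerts; 'entities' are the hosts/users each alert touches.
ALERTS = [
    {"id": "a1", "type": "brute_force_login", "severity": "medium",
     "entities": {"user:jsmith", "host:ws-jsmith"}},
    {"id": "a2", "type": "new_admin_tool", "severity": "medium",
     "entities": {"host:ws-jsmith"}},
    {"id": "a3", "type": "lateral_smb", "severity": "high",
     "entities": {"host:ws-jsmith", "host:db-01"}},
    {"id": "a4", "type": "port_scan", "severity": "low",
     "entities": {"host:scanner-07"}},
]


def correlate(alerts):
    """Join two alerts whenever they share an entity, transitively, so a chain
    like user -> workstation -> server lands in one incident."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]    # path halving
            x = parent[x]
        return x

    def union(x, y):
        rx, ry = find(x), find(y)
        if rx != ry:
            parent[ry] = rx

    first_seen = {}                           # entity -> first alert id carrying it
    for a in alerts:
        for ent in a["entities"]:
            if ent in first_seen:
                union(first_seen[ent], a["id"])
            else:
                first_seen[ent] = a["id"]

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)

    incidents = []
    for members in groups.values():
        entities = set().union(*(m["entities"] for m in members))
        kinds = {m["type"] for m in members}
        # Summed severity plus a bonus per additional distinct alert type, so a
        # multi-stage chain outranks one noisy alert type repeated many times.
        score = sum(SEVERITY[m["severity"]] for m in members) + (len(kinds) - 1)
        incidents.append({
            "alerts": sorted(m["id"] for m in members),
            "entities": sorted(entities),
            "severity": max(members, key=lambda m: SEVERITY[m["severity"]])["severity"],
            "score": score,
        })
    return sorted(incidents, key=lambda i: (-i["score"], i["alerts"]))


def peer_group_zscore(value, peers):
    """Distance of one subject's metric from its peer group, in standard
    deviations. A zero-variance peer group is handled explicitly instead of
    dividing by zero."""
    mu, sd = mean(peers), pstdev(peers)
    if sd == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc)
    # One user's daily outbound MB against the rest of their department (constructed).
    print(round(peer_group_zscore(500, [20, 25, 30, 22, 28]), 1))
```

With the constructed input, a1, a2 and a3 collapse into one incident spanning `user:jsmith`, `host:ws-jsmith` and `host:db-01` with severity "high", while the unrelated port scan stays a one-alert incident at the bottom of the list; the z-score call flags a user moving twenty times the data of their peers.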

Oracle Cloud Infrastructure Block Volumes manages hot storage where data is stored between 30 and 90 days, on average. For longer-term, cold storage, Oracle Cloud Infrastructure Object Storage is used to retain data for one or more years. Hot storage can range from 1 TB to 300 TB. A hierarchical multitenancy allows the platform to support multiple customers at the same time, and even allows a customer to be a Managed Service Provider (MSP) with their own tenants. Additional storage buckets can be created to separate collected data streams.

Stellar Cyber takes advantage of OCI's CI/CD tools (code repository and container registry) along with OCI DevOps to scale and monitor the OKE cluster. A bastion host is used as a jump server to administer the system.

Stellar Cyber plans to take advantage of additional PaaS offerings from OCI such as:
  • Oracle Functions to provide a serverless architecture
  • Oracle Cloud Infrastructure Streaming and Oracle Stream Analytics to replace Kafka as the streaming data handler
  • Oracle API Gateway to replace their own API services for customer access
  • Oracle Autonomous Data Warehouse for its data lake
  • Oracle Cloud Infrastructure Service Mesh for encrypted and mutually authenticated microservice-to-microservice communication

By using PaaS offerings, Stellar Cyber will reduce the effort required to operate and maintain these services.

The following diagram illustrates this reference architecture.

Diagram download: stellar-cyber-oci-architecture-oracle.zip

The architecture has the following components:

  • Tenancy

    A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy. A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.

  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Compartment

    Compartments are cross-region logical partitions within an Oracle Cloud Infrastructure tenancy. Use compartments to organize your resources in Oracle Cloud, control access to the resources, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.

  • Availability domain

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

  • Virtual cloud network (VCN) and subnets

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Security list

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • Route table

    Virtual route tables contain rules to route traffic from subnets to destinations outside a VCN, typically through gateways.

  • Internet gateway

    The internet gateway allows traffic between the public subnets in a VCN and the public internet.

  • Network address translation (NAT) gateway

    A NAT gateway enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • Web Application Firewall (WAF)

    Oracle Cloud Infrastructure Web Application Firewall (WAF) is a payment card industry (PCI) compliant, regional-based and edge enforcement service that is attached to an enforcement point, such as a load balancer or a web application domain name. WAF protects applications from malicious and unwanted internet traffic. WAF can protect any internet facing endpoint, providing consistent rule enforcement across a customer's applications.

  • DNS

    Oracle Cloud Infrastructure Domain Name System (DNS) service is a highly scalable, global anycast domain name system (DNS) network that offers enhanced DNS performance, resiliency, and scalability, so that end users connect to customers’ application as quickly as possible, from wherever they are.

  • Load balancer

    The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from a single entry point to multiple servers in the back end.

  • Compute

    The Oracle Cloud Infrastructure Compute service enables you to provision and manage compute hosts in the cloud. You can launch compute instances with shapes that meet your resource requirements for CPU, memory, network bandwidth, and storage. After creating a compute instance, you can access it securely, restart it, attach and detach volumes, and terminate it when you no longer need it.

  • Container Engine for Kubernetes

    Oracle Cloud Infrastructure Container Engine for Kubernetes is a fully managed, scalable, and highly available service that you can use to deploy your containerized applications to the cloud. You specify the compute resources that your applications require, and Container Engine for Kubernetes provisions them on Oracle Cloud Infrastructure in an existing tenancy. Container Engine for Kubernetes uses Kubernetes to automate the deployment, scaling, and management of containerized applications across clusters of hosts.

  • Block volume

    With block storage volumes, you can create, attach, connect, and move storage volumes, and change volume performance to meet your storage, performance, and application requirements. After you attach and connect a volume to an instance, you can use the volume like a regular hard drive. You can also disconnect a volume and attach it to another instance without losing data.

  • File storage

    The Oracle Cloud Infrastructure File Storage service provides a durable, scalable, secure, enterprise-grade network file system. You can connect to a File Storage service file system from any bare metal, virtual machine, or container instance in a VCN. You can also access a file system from outside the VCN by using Oracle Cloud Infrastructure FastConnect and IPSec VPN.

  • Vault

    Oracle Cloud Infrastructure Vault enables you to centrally manage the encryption keys that protect your data and the secret credentials that you use to secure access to your resources in the cloud. You can use the Vault service to create and manage vaults, keys, and secrets.

  • Notifications

    The Oracle Cloud Infrastructure Notifications service broadcasts messages to distributed components through a publish-subscribe pattern, delivering secure, highly reliable, low latency, and durable messages for applications hosted on Oracle Cloud Infrastructure.

  • Audit

    The Oracle Cloud Infrastructure Audit service automatically records calls to all supported Oracle Cloud Infrastructure public application programming interface (API) endpoints as log events. Currently, all services support logging by Oracle Cloud Infrastructure Audit.

  • Policy

    An Oracle Cloud Infrastructure Identity and Access Management policy specifies who can access which resources, and how. Access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access within a specific compartment, or to the tenancy.
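    As an added example that is not taken from the page or from Stellar Cyber's tenancy, the policy fragment below contrasts a tenancy-wide grant with statements scoped to the compartment that holds the platform, which is the least-privilege pattern the Compartment and Policy descriptions point at. Group and compartment names are hypothetical, and the `#` lines are annotations rather than policy syntax.

```text
# Over-broad: every analyst can create, modify and delete anything in the tenancy.
Allow group SOC-Analysts to manage all-resources in tenancy

# Scoped to the compartment that holds the platform (names hypothetical).
# Analysts: read-only across the compartment, plus use of buckets and objects
# so they can pull cold data back for an investigation.
Allow group SOC-Analysts to read all-resources in compartment stellar-prod
Allow group SOC-Analysts to use object-family in compartment stellar-prod

# Operators: manage the OKE cluster and block volumes only from an MFA-verified
# session, and read (not manage) Vault secrets.
Allow group Platform-Operators to manage cluster-family in compartment stellar-prod where request.user.mfaTotpVerified = 'true'
Allow group Platform-Operators to manage volume-family in compartment stellar-prod where request.user.mfaTotpVerified = 'true'
Allow group Platform-Operators to read secret-family in compartment stellar-prod
```

    Because every statement names a compartment, a compromised analyst credential cannot reach resources in other compartments of the tenancy, and the Audit service records each API call these groups make for later review.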

Acknowledgements

  • Authors: Robert Huie, Sasha Banks-Louie
  • Contributors: Ganesh Pitchaiah, Robert Lies