A major western country was establishing a national cyber monitoring service to help protect critical national infrastructure. Standing up such a service quickly was a major challenge, as foreign cyber attacks had become more and more of an issue. There was plenty of data available and plenty of technology in existing areas of government, but it was incredibly hard for them to generate insights that were useful and actionable for the organizations they supported.
The client was already an Elasticsearch user and maintained a large cluster for storing feeds for search purposes. The Siren system was easily implemented by installing the Siren Federate plugin into the existing cluster. This allowed the client to configure a simple data model in Siren that enables cross-index joins in their Elasticsearch cluster, which in turn let them implement the MITRE ATT&CK ontology and alerting feed, among others. The client is able to use Siren dataspaces to run multiple parallel, securely partitioned investigations on the same dataset at the same time.
The cyber analysts in the agency now have a single desktop in Siren to search, investigate and run graph analytics to identify key threats to critical infrastructure. Multiple data feeds are now fused together with the Siren data model. There is now a consistent investigative process for dealing with threats: how they are detected, how they are alerted on, and how intelligence reports are created.