Architecture

Sqrrl Enterprise is an advanced Threat Hunting Platform that enables security analysts to uncover malicious behavior within enterprise networks. Sqrrl Enterprise unifies multiple Big Data technologies into a single platform, including Hadoop, linked data analysis, machine learning, and data visualizations to facilitate advanced threat detection.

Architecture Overview

Physical: Sqrrl can be deployed on bare metal, virtualized, or cloud-based servers.

Data Storage: At Sqrrl’s core is Apache Accumulo, a distributed database that runs on top of Apache Hadoop. With this Big Data foundation, Sqrrl is proven to maintain optimal, real-time query performance at multi-petabyte scale and has no need to archive data. All data is kept “hot”, which means that Sqrrl can ingest and quickly analyze data going back years to reconstruct “low and slow” attacks.

Data Tiers: Through a process called dynamic knowledge extraction, raw log files are ingested into Sqrrl (typically from a SIEM, but also from other sources) and transformed into a Behavior Graph. This Behavior Graph powers an interactive investigation environment (via link analysis) ideal for pivoting across data points during a hunt. Provenance is maintained between the Behavior Graph and the raw logs, allowing an analyst to easily switch between those two views.
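As an added illustration of what the Behavior Graph and its provenance links mean in practice (example code written for this page, not Sqrrl’s implementation; the log lines and field names are constructed): raw logon events are folded into user-to-host edges, each edge remembers which raw lines produced it, and a hunt can pivot from a user to the hosts they touched and back to the original log text.

```python
from collections import defaultdict

# Constructed sample log lines (not real Sqrrl data): key=value logon events
RAW_LOGS = [
    "2019-03-01T08:02:11Z host=WS-17 user=alice event=logon src=10.0.4.21",
    "2019-03-01T08:05:43Z host=WS-17 user=alice event=logon src=10.0.4.21",
    "2019-03-01T21:14:02Z host=FS-01 user=alice event=logon src=10.0.4.21",
    "2019-03-01T21:16:55Z host=DC-01 user=alice event=logon src=10.0.9.200",
    "2019-03-01T09:00:00Z host=WS-22 user=bob event=logon src=10.0.4.30",
]


def parse_line(line):
    """Split one 'key=value' log line into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields


def build_behavior_graph(lines):
    """Return (edges, provenance).

    edges maps a (user, host) pair to the set of source IPs seen on that edge;
    provenance maps the same pair to the indices of the raw lines behind it,
    so every graph element can be traced back to the log text it came from.
    """
    edges = defaultdict(set)
    provenance = defaultdict(list)
    for idx, line in enumerate(lines):
        f = parse_line(line)
        if f.get("event") != "logon":
            continue  # only logon events become edges in this toy graph
        key = (f["user"], f["host"])
        edges[key].add(f["src"])
        provenance[key].append(idx)
    return dict(edges), dict(provenance)


def pivot_hosts(edges, user):
    """Hosts a user has logged on to: the link-analysis 'pivot' step of a hunt."""
    return sorted(host for (u, host) in edges if u == user)


def raw_lines_for(provenance, lines, user, host):
    """Follow provenance from a graph edge back to the raw log lines."""
    return [lines[i] for i in provenance.get((user, host), [])]


if __name__ == "__main__":
    edges, prov = build_behavior_graph(RAW_LOGS)
    print(pivot_hosts(edges, "alice"))
    print(raw_lines_for(prov, RAW_LOGS, "alice", "DC-01"))
```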

Processing: Sqrrl utilizes various indexing techniques (graph, SQL-like, full-text) to maintain near-real-time search at multi-petabyte scale. Sqrrl also uses Apache Spark to power machine learning and graph analytics designed to identify kill chain behaviors.

Interface: Users are able to conduct hunts through Sqrrl’s web-based user interface, or can query the data through Sqrrl’s shell and its Java- and Python-based APIs.

Security: Sqrrl Enterprise applies powerful security controls to all data ingested, including fine-grained access controls (Role-Based Access Control down to the field level of individual log files), encryption at rest, encryption in motion, and auditing.

Sqrrl Enterprise consists of the following layers from a stack layout perspective:

Interested in learning more about Sqrrl’s architecture? Request access to the Sqrrl Product Paper.