Click Modules. Security intelligence harnessed.
The Click Stream Processing Engine is fine-tuned to ingest and process network telemetry data at ultra-high data rates. But it's the Click Modules that take raw data feeds, convert them to higher and higher levels of information, process that information against analytics, and present incident investigation or broad research findings in an interactive, visually digestible fashion.
Think of these modules as the basic building blocks of security analysis. They can range from simple utility functions, like "retrieve geo-location information for a suspicious endpoint", to an entire suite of inter-connected algorithms that act as a virtual security appliance. They are limited only by the telemetry data you provide them and the creativtiy of analytic design.
An array of new Click Modules have been developed by Click Labs security researchers and are automatically made available without requiring a system software update. However, with a working familiarity of Python, you can write your own Clicks to capture a rule or test a breach hypothesis. Each module developed by Click — or anyone for that matter — can be re-used, similar to LEGO® bricks, without requiring you to encode each new security analytics entirely from scratch.
Click Modules. Analytic building blocks.
Click Modules are programming objects that receive data from predecessor modules, process that data against a security analytic, and perform an output action ranging from 'write results to a downstream click module' to 'invoke a specific human or machine action'. Modules are organized into layers, best represented by the following diagram:
Miner Modules gather network and security telemetry directly from source devices like firewalls, web proxy servers, intrusion prevention systems, active directory servers and more. Essentially any device that provides telemetry – whether a syslog feed, event stream, flow, etc. can be mined. Miners perform basic data organization, enabling analysts to tap raw telemetry data in a useful manner, or for Interpreter Modules to further prepare data for higher orders of analytic processing.
Interpreter Modules receive data from Miner Modules and use Click Labs’ deep application and security domain knowledge to extract maximum value from root telemetry data. Interpreter modules salvage and harness every morsel of useful data, including detailed event state information – which is vital to upstream data contextualization.
As with the Miner Layer, information formed by Interpreter Modules can be exposed for Click Labs or third party analytic module development – without any further processing.
Not all telemetry sources require a Miner Module and an Interpreter Module for additional up-stack processing, but a high percentage benefit greatly from the tandem.
The Analyzer Layer is where the majority of analytics processing occurs. Taking full advantage of the data preparation work performed by Miners and Interpreters, the Analyzer Layer adds enormous intelligence by automatically contextualizing all flow, authentication, access and security event telemetry presented by Interpreters and Miners to actual network entities – referred to as “actors”.
All contextualized data resides in what is known as the Entity Core – which lives within the Analyzer Layer, and can be combined with base augmentation and action modules to drive the many Anomaly Modules that ultimately provide automated, high-value insight into network activity for the security analyst.
In addition to the Entity Core, the Analyzer Layer also houses a number of base Visualization, base Augmentation and Base Action Modules.
Visualization Modules enable an analyst to represent Entity Core data in a variety of informational views including tables, portlets, and parallel coordinates.
Augmentation Modules collect and present additional internal and external data useful to the investigative analysis. Examples of Augmentation Modules include Geo-location, Whois, DNS and LDAP.
Action modules are invoked when an analysis module indicates an external notification or other action is required. Examples include email alerting, SMS messaging, automated helpdesk ticket creation / dispatch, and firewall/IPS reconfiguration.
BUILD YOUR OWN OR USE THE CLICK MODULES PROVIDED BY CLICK LABS.
Click Modules are ‘atomic’ in nature. That means you can chain together modules within or across platform layers to create your own analytics comprised of the data mining, analysis, workbook interaction and action/response needs of your particular security posture or policy construct.