The inspiration for MozDef comes from the large arsenal of tools available to attackers. Suites like metasploit, armitage, lair, dradis and others are readily available to help attackers coordinate, share intelligence and finely tune their attacks in real time. Defenders are usually limited to wikis, ticketing systems and manual tracking databases attached to the end of a Security Information Event Management (SIEM) system. The Mozilla Enterprise Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers. Goals High level
Provide a platform for use by defenders to rapidly discover and respond to security incidents.
Automate interfaces to other systems like firewalls, cloud protections and anything that has an API
Integrates with a variety of log shippers including logstash, beaver, nxlog, syslog-ng and any shipper that can send JSON to either rabbit-mq or an HTTP(s) endpoint.
Provides easy integration to Cloud-based data sources such as cloudtrail or guard duty
Provides easy python plugins to manipulate your data in transit
Provides extensive plug-in opportunities to customize your event enrichment stream, your alert workflow, etc
Provides realtime access to teams of incident responders to allow each other to see their work simultaneously
MozDef is based on open source technologies including:
Nginx (http(s)-based log input)
RabbitMQ (message queue and amqp(s)-based log input)
uWSGI (supervisory control of python-based workers)
bottle.py (simple python interface for web request handling)
elasticsearch (scalable indexing and searching of JSON documents)
Meteor (responsive framework for Node.js enabling real-time data sharing)
MongoDB (scalable data store, tightly integrated to Meteor)
VERIS from verizon (open source taxonomy of security incident categorizations)
Firefox (a snappy little web browser)
Frontend processing for MozDef consists of receiving an event/log (in json) over HTTP(S), AMQP(S), or SQS doing data transformation including normalization, adding metadata, etc. and pushing the data to elasticsearch.
Internally MozDef uses RabbitMQ to queue events that are still to be processed. The diagram below shows the interactions between the python scripts (controlled by uWSGI), the RabbitMQ exchanges and elasticsearch indices.
Status: MozDef is in production at Mozilla where we are using it to process over 300 million events per day.