CASE STUDY

Veramine Turns to Scylla to Leverage Big Data for Enterprise Cybersecurity

About Veramine

Veramine provides advanced capabilities for reactive intrusion response and proactive threat detection. Endpoint telemetry is fed to a central server, where Veramine scours huge volumes of host and network data to identify attacker activity. Using its detection engine, which combines rule-based and machine-learning algorithms, Veramine can identify Mimikatz-style password dumping, kernel-mode exploitation (local EoP), process injection, unauthorized lateral movement, and other attacker activity.

The Challenge

For Veramine, cybersecurity analysis begins with good data. As such, the company’s goal is to collect as much data from the enterprise network as possible, including both servers and desktops. Events collected by the platform are enriched with context information from the system. For example, every network connection that’s recorded is associated with its originating process, the user that process runs as, the time of the connection, and related metadata. The end result is a huge and ever-growing data set.
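As an added illustration (this is not Veramine’s code or data model), the following Python sketch shows what “enrich, then run rules” looks like for the network-connection events described above: raw connection records that carry only a host and a pid are joined to the process table the endpoint agent captured, recovering image path and user, and a simple lateral-movement rule (one process opening SMB sessions to many distinct hosts in a short window) is run over the enriched stream. All hostnames, pids, paths and IP addresses are constructed sample values, and the rule threshold is an arbitrary choice for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real Veramine data). The agent records
# processes once and network connections many times; connections reference
# the process only by (host, pid), so context has to be joined in later.
PROCESSES = {
    ("ws01", 4120): {"image": r"C:\Windows\System32\svchost.exe",
                     "user": "NT AUTHORITY\\SYSTEM"},
    ("ws01", 7788): {"image": r"C:\Users\alice\AppData\Local\Temp\psexesvc.exe",
                     "user": "CORP\\alice"},
    ("ws02", 2210): {"image": r"C:\Program Files\Browser\browser.exe",
                     "user": "CORP\\bob"},
}

# (host, pid, timestamp, dst_ip, dst_port); constructed values
RAW_CONNECTIONS = [
    ("ws01", 4120, "2023-04-01T10:00:00", "10.0.0.5", 445),       # one SMB session, benign
    ("ws01", 7788, "2023-04-01T10:05:00", "10.0.1.11", 445),      # same process, four
    ("ws01", 7788, "2023-04-01T10:05:02", "10.0.1.12", 445),      # hosts in six seconds
    ("ws01", 7788, "2023-04-01T10:05:04", "10.0.1.13", 445),
    ("ws01", 7788, "2023-04-01T10:05:06", "10.0.1.14", 445),
    ("ws02", 2210, "2023-04-01T10:06:00", "93.184.216.34", 443),  # ordinary HTTPS
]


@dataclass(frozen=True)
class EnrichedConnection:
    host: str
    pid: int
    image: str
    user: str
    ts: datetime
    dst_ip: str
    dst_port: int


def enrich(raw, processes):
    """Join each raw connection to its originating process and user.

    A pid the agent never reported (e.g. a process that exited before the
    process snapshot) is kept rather than dropped, marked as unknown, so the
    gap itself remains visible to later rules.
    """
    out = []
    for host, pid, ts, dst_ip, dst_port in raw:
        proc = processes.get((host, pid), {"image": "<unknown>", "user": "<unknown>"})
        out.append(EnrichedConnection(host, pid, proc["image"], proc["user"],
                                      datetime.fromisoformat(ts), dst_ip, dst_port))
    return out


def smb_fanout_alerts(events, min_hosts=3, window=timedelta(minutes=5)):
    """Crude lateral-movement rule (hypothetical threshold, not a vendor rule).

    Flags each (host, user, image) whose process opened SMB (445) sessions to
    at least `min_hosts` distinct destinations within a sliding `window`.
    Returns a list of (actor, sorted destination IPs).
    """
    by_actor = defaultdict(list)
    for e in events:
        if e.dst_port == 445:
            by_actor[(e.host, e.user, e.image)].append(e)

    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            dsts = {e.dst_ip for e in in_window}
            if len(dsts) >= min_hosts:
                alerts.append((actor, sorted(dsts)))
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for actor, dsts in smb_fanout_alerts(enrich(RAW_CONNECTIONS, PROCESSES)):
        host, user, image = actor
        print(f"SMB fan-out from {image} as {user} on {host}: {', '.join(dsts)}")
```

The point of the join is visible in the output: the raw records only say that pid 7788 on ws01 touched four hosts, while the enriched record says that a PsExec-style service binary running from a user temp directory did so, which is what an analyst actually needs.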

According to Jonathan Ness, CEO of Veramine, “We’re trying to collect everything you would ever want to know about what goes on on a computer and centralize that data and run algorithms on it.”

All that data needs to be stored somewhere. Since the data is so sensitive, very few Veramine customers permit it to be stored in the cloud, so Veramine needs to provide low-latency big data capabilities in on-premises datacenters. For the same reason, Veramine personnel were unable to access customer databases directly to help with support.

Veramine began using Postgres, but quickly realized that a NoSQL database was more appropriate to their use case. They switched to Cassandra, but soon realized that it was not up to the task.

“The problem was every week it was crashing, so we created all this infrastructure just to keep Cassandra alive,” said Ness. Veramine went so far as to parse Cassandra logs in an attempt to predict when garbage collection would happen, and then apply throttling to avoid crashing the database. Without direct access to customer environments, Cassandra soon became a nightmare. The team set out to find a replacement.

The Solution

What was needed was a low-latency NoSQL database that provided extremely low administrative overhead and high stability. The team turned to Scylla.

Veramine saw instant results from using Scylla. “We started using Scylla two years ago,” said Ness. “We fell in love with Scylla because it doesn’t crash and we don’t have to manage it.” Since Scylla is a feature-complete, drop-in replacement for Cassandra, the migration was quick and painless. “Our code didn’t change much going from Cassandra to Scylla.”

According to Ness, a big benefit of Scylla is developer productivity. Scylla lets the team focus on business logic rather than on custom code around the datastore. Veramine’s production Scylla clusters are also surprisingly small compared to the Cassandra clusters they replaced.

Ness summed up Veramine’s Scylla journey: “Even if the performance were only as good as Cassandra, and in fact it’s much better, Scylla would still be a significant improvement due to its stability and lower administrative overhead.”