The Bolcer Blog


by Greg Bolcer, PhD


Guinness, Ripley’s and Statistics

The world loves statistics. Especially stand-out, world beating ones. This is exceptionally true when it comes to cars and computers.

World’s fastest production car? Don’t try to nail it down. Things change pretty fast in that industry. The Guinness Book of World Records has validated, revalidated, and is in the process of validating yet another record. On any given day, the title shifts. To ensure apples-to-apples comparisons, the records body follows a strict methodology. The procedure as outlined by Guinness involves putting a GPS tracking system on one of these cars, sending it out on a pre-determined course, and then having it turn around and drive the course in the opposite direction within one hour. Top speeds from each run are averaged to obtain the official speed record.

What are the stats?

  • Shelby Supercars (SSC) has a world record run of 257 mph in speed testing of its 1183 horsepower, twin-turbo V8 Ultimate Aero TT as tracked by a Dewetron GPS system. (author note: Nice stats!)

This breaks the previous claims of the Koenigsegg CCR at 242 mph and the Bugatti Veyron’s unofficial speed of 253 mph. Not content with that, the Ultimate Aero has been tested in a wind tunnel at speeds up to 273 mph while remaining aerodynamically stable.

Every once in a while, despite the statistics, there is an underdog that has the extra sizzle factor and promise of things yet to come that wins the hearts of the true aficionado. Mine’s the Veyron.

Veyron hearts and minds

Unfortunately, as much as I’d like to spend all my time at the Bugatti factory driving these glorious machines, my day job is in the Security Information and Event Management space (SIEM, Gartner 5/2007). In this position I do, however, get to indulge the need for speed, and I have a crack engineering staff that can do something about it. In between daily operations, sometimes I daydream about world records.

To recap, the making of an interesting world record would need:

  • Something to shoot for–like some published industry statistics
  • Methodology–some way to compare apples to apples
  • Someone to compare to–anyone want to compete for pink slips?
  • Sizzle–you could have the world’s best record, but make sure it’s something that a customer would care about

At the end of 2007, the performance statistics across all SIEM vendors for processing events-per-second (EPS), correlated-events-per-second (CEPS), and complex/real-world correlated-events-per-second (CCEPS) on a single machine were:

  • EPS: 20,000
  • CEPS: 10,000
  • CCEPS: 5,000

That’s not bad for a Volkswagen (author note: Bugatti is owned by VW). But speed addicts and enterprise customers need more. To be able to process more events, one option is to split the network and security event information across multiple machines. With today’s blended security attacks, splitting out data geographically or organizationally can lead to a false sense of security.

For instance, a hotel chain or a fast-food franchise network with several thousand networked locations could easily fall into this trap. A multi-faceted attack could individually test over time the security-in-depth at hundreds of different points and not be detected without proper correlation. Rolling all of the attacks up at a later point in time could result in a very effective, damaging, and expensive attack. Instead of seeing the pattern of testing against their network defenses, the company would never even know what hit them.
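To make the point concrete, here is an added example (not code from the post or from the product it describes) that plays out the scenario above on a constructed event set: a single source tries two logins at each of 40 locations, ten minutes apart, while a local user at one site mistypes a password three times. A per-site threshold that each location evaluates on its own never fires, because no site ever sees more than a handful of failures; a central rule that counts distinct sites touched by one source within a window does. The thresholds, the window, the site names and the addresses are all assumed values chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Detection parameters (assumed values, not from the post).
PER_SITE_THRESHOLD = 5          # failures from one source at one site before that site alerts
DISTINCT_SITE_THRESHOLD = 10    # distinct sites one source must touch before central correlation alerts
WINDOW = timedelta(hours=24)    # correlation look-back window


def build_sample_events():
    """Constructed sample events (timestamp, site, source_ip, event_type); not real data."""
    base = datetime(2008, 1, 15, 2, 0, 0)
    events = []
    # A slow, distributed probe: one source tries two logins at each of 40 sites,
    # moving to the next site every ten minutes. No single site ever sees more than two.
    for i in range(40):
        t = base + timedelta(minutes=10 * i)
        for j in range(2):
            events.append((t + timedelta(seconds=j), f"site-{i:03d}", "203.0.113.7", "auth_failure"))
    # Benign noise: a local user at one site mistypes a password three times.
    for j in range(3):
        events.append((base + timedelta(minutes=5, seconds=30 * j), "site-001", "10.1.1.23", "auth_failure"))
    return events


def per_site_alerts(events):
    """What each location's isolated logger can see: failures per (site, source) pair."""
    counts = defaultdict(int)
    for _ts, site, src, ev in events:
        if ev == "auth_failure":
            counts[(site, src)] += 1
    return sorted(key for key, n in counts.items() if n >= PER_SITE_THRESHOLD)


def correlated_alerts(events):
    """Central correlation: a source that fails against many distinct sites within WINDOW."""
    by_src = defaultdict(list)
    for ts, site, src, ev in sorted(events):
        if ev == "auth_failure":
            by_src[src].append((ts, site))
    alerts = []
    for src, hits in by_src.items():
        for i, (ts, _site) in enumerate(hits):
            # distinct sites touched by this source in the window ending at this hit
            sites_in_window = {s for t, s in hits[: i + 1] if ts - t <= WINDOW}
            if len(sites_in_window) >= DISTINCT_SITE_THRESHOLD:
                alerts.append((src, len(sites_in_window)))
                break  # one alert per source is enough for this illustration
    return alerts


if __name__ == "__main__":
    evs = build_sample_events()
    print("per-site alerts:", per_site_alerts(evs))       # []
    print("correlated alerts:", correlated_alerts(evs))   # [('203.0.113.7', 10)]
```

The two functions run over exactly the same events; the only difference is whether the source address is counted within one site or across all of them. That is the capability that a split-per-location deployment gives up, and it is why the correlation tier has to see the whole event stream rather than a per-site summary.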

For 1,000 locations, each location spitting out a modest 1,000 events per second (EPS), they would need approximately 50 machines just to log the events at 2007 rates. Even with 50 machines, the correlation among all the devices and data sources would not be in real-time. In order to do correlated events per second (CEPS), you would theoretically need the strength, speed, and intelligence of 100 machines. Still, there is the remaining problem of how to feed all that data into the same place so it can get properly correlated. That adds a whole new level of architectural complexity to your solution. The next step would be to add multiple tiers of systems which distill the raw information to the next tier (and the next one) until you finally can guarantee all the information coming in is properly analyzed and correlated with all the rest.

This turns out to be a very high bar to jump over. You can kiss your assets goodbye trying to do that in real-time.

The traditional solution is to throw more hardware at the problem. More horsepower, more CPUs per box, etc. Using Moore’s law as a guideline, even if you assume that a doubling of transistors every 18 months translates into a doubling of performance, that hotel or hamburger chain would have to wait about 10.5 years for the processing power to catch up.
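The sizing arithmetic in the two paragraphs above can be carried through as a small capacity model. This is an added example, not the author’s own calculation: it takes the post’s 1,000 locations at 1,000 EPS each and the 2007 per-machine rates, rounds up to whole machines, and then converts a machine count into a Moore’s-law wait by rounding up to whole 18-month doublings. That the 10.5-year figure corresponds to the 100-machine CEPS case (seven doublings) is my reading of how the number was reached, not something the post states.

```python
import math


def machines_needed(locations, eps_per_location, capacity_per_machine):
    """Whole machines required to absorb the aggregate event rate at a per-machine rate."""
    total_eps = locations * eps_per_location
    return math.ceil(total_eps / capacity_per_machine)


def years_to_catch_up(machines, doubling_months=18):
    """Moore's-law wait until one box does the work of `machines` boxes, assuming
    (as the post does) that each transistor doubling doubles throughput, and
    rounding up to whole doublings (my assumption about how 10.5 years was derived)."""
    doublings = math.ceil(math.log2(machines))
    return doublings * doubling_months / 12


def sizing_table(locations=1000, eps_per_location=1000, rates=None):
    """Machine count and Moore's-law wait for each 2007 per-machine rate quoted in the post."""
    if rates is None:
        rates = {"EPS": 20_000, "CEPS": 10_000, "CCEPS": 5_000}
    table = {}
    for name, capacity in rates.items():
        n = machines_needed(locations, eps_per_location, capacity)
        table[name] = (n, years_to_catch_up(n))
    return table


if __name__ == "__main__":
    for name, (n, years) in sizing_table().items():
        print(f"{name:6s} {n:4d} machines  ->  {years:4.1f} years of Moore's law")
```

Run as written, the table gives 50 machines for plain logging, 100 for correlation and 200 for complex correlation; only the 100-machine case lands on the post’s 10.5 years, while the others come out at 9 and 12 years respectively.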

Moore's Law

There’s some hope. As faster hardware architectures come on board, there’s a trend toward multi-core and multi-CPU models. A high-end Dell PowerEdge box right now comes with dual quad-core Xeons (author note: that means 8 really fast ones to non computer geeks). If you add to that various specialized processors like network accelerators, encryption accelerators, pattern-matching accelerators, and disk performance and storage accelerators, you can start to stomp out a few of the artificial hardware performance barriers.

At the end of the day, there are respectable gains, but software gains still remain unexploited.

We’ve decided to fundamentally break that model. Imagine a supercar, but instead of having a single 1,100 horsepower engine, you had 8 x 400 horsepower engines that you could fully exploit with up to another 1,000 x 10 horsepower specialized engines for each wheel. How you would selectively use that power would change dramatically. With a little coordination and a little more smarts, aka “software”, our combination of off the shelf and commodity computing parts changes how SIEM software works. Every little horsie is now a capability, available for negotiated sale or rent to whichever software service is in need of it most at the time. Believe me, security event management for large enterprises can gobble a lot of it and still be hungry.

Initial results with our new, shiny service-oriented software architecture (SOA) combined with our lateral-thinking hardware configuration have yielded extremely interesting results. Not only can we configure and add in capabilities into our SIEM on the fly, the performance has leaped off the curve. Our first pass shows 3-5 times the industry average performance on one machine. One special controlled test using real devices and data showed a 1,600 times speedup–that part of our software is definitely not going to be a bottleneck.

Instead of dreaming about the French countryside, rolling hills, open highways, and the roar of a supercar, we’ve been dreaming about how far we can push this new service oriented software architecture. Numbers of 1 million correlated events per second (CEPS) have been whispered around the hallways.

1 million correlated events per second would allow either of the aforementioned customers to fully correlate, in real time, very large numbers of events per second from any of their networked devices. For the first time, they would have a SIEM that could fully scale to the needs of their business: completely, defensively in depth, and end to end.

So gazing down the road for 2008, foot hovering over the accelerator, we have:

  • A shot at 1M CEPS
  • A way to benchmark how many things are thrown at our box
  • Published performance numbers for the SIEM industry
  • Any number of customers who have had to accept incomplete real-time correlation across their whole enterprise

That sounds like a world record in the making to me.

Greg


Cinxi SIEM