Blog

Gravwell 3.3.0 - Overwatch Release

Nov 22, 2019 12:56:34 PM / by Kris Watts

We are excited to announce the immediate availability of Gravwell version 3.3.0. This release being a Minor release features a few fairly significant features and a whole heap of bug fixes and performance improvements. Over the next couple of days we will be doing a series of blog posts for this release detailing each of the new things in Gravwell, but first we need need to show off the centerpiece of this release, Overwatch.

What Exactly IS Gravwell Overwatch?

Gravwell Overwatch is a unique feature that allows Gravwell webservers to operate in their own domain when querying and controlling Gravwell indexers. The net effect is that an Overwatch webserver (or cluster of webservers) maintains its own user sets, access controls, resources, and queries. This means that users operating in an Overwatch webserver do not see or influence users operating in non-Overwatch webservers, or Overwatch webservers in other domains; this includes admin users.

Gravwell Overwatch Target Use Cases

Managed Security Service Providers (MSSPs) are often central to securing and monitoring many small to medium sized organizations. Talented security personal are expensive, difficult to train, and they tend to specialize. MSSPs are a method to outsource some of that work where it isn't practical to maintain an internal security team. One of the core tools used by any good MSSP is a good analytics platform (Hey, that's us!). However, MSSPs have many customers which means they often have to maintain multiple analytics platforms.

Multi-tenancy can help, but we often find that customers either can't or won't co-reside their data. So now we have a problem, if you are an MSSP you now have to monitor and manage many instances independently. Large organizations that DO have internal security teams also run into this problem. The security team doesn't want to share, the DevOps team CANNOT have data access restrictions when there is an outage, and Bob From Accounting can't be trusted with admin access (but he always seems to have it...).

Wouldn't it be nice if you could run many completely separate instances of your analytics platform, provide unrestricted access to customers, and query all of them from one central point? Now what if you could do this without handing over your super secret MSSP/security/devop/sales techniques, tactics, and procedures (TTPs)?
This is where Gravwell Overwatch comes in.

Give Me an Example, and Spice it Up!

Let's look at an example deployment in an organization with some unique constraints. For this example we have two wholly independent Gravwell clusters that serve two separate entities. These entities may be your customers if you are an MSSP, or they may be different business units in a large enterprise. Both clusters have their own indexers, ingesters, data feeds, and webservers.

 

Two Clusters

 

In this example the two systems A and B are entirely separate in a single organization, this may be due to legal requirements, internal policies, geographic location, or just internal politics (we have seen all three). Each cluster operates independently, ingesting all the things and querying to boot. Entity A has built out it's own TTPs, SOAR scripts, scheduled queries, macros, libraries, and groups. The day-to-day has been solidified and locked down. Entity B is always changing it up with constant churn and an admin that demands the highest priority, when admin B sees queries he doesn't like or users making big resources, he straight cancels them. Entity B is tyrannical chaos. Then the security team shows up... and they need access to both clusters with both data sets.

Entity A is a fine tuned machine with well built procedures, admin A knows what his data flows look like and he knows what his analysts should be doing on a day-to-day basis. Another team showing up and rummaging around in his system is just uncouth. The admin for Entity B just hates the very idea of a security team and if they think they can show up and put resources in HIS cluster and look at HIS data, they have another thing coming.

This is where we stop and reflect on our careers, just take a moment. You have two people in your head right now, don't you. I am willing to bet any seasoned professional has encountered both extremes, and everything in between. How many times have you had to fight to get access to resources that were already there, or had to duplicate operations for no good reason? Deep breath, moment of zen... Back to the security team.

With Gravwell Overwatch the security team can deploy a new webserver that can attach to both clusters and operate as if it is a single independent cluster.

 

Two Cluster Overwatch

 

Using the Overwatch system the security team gets to essentially bolt onto the other two clusters and establish yet a third super set cluster. This new Overwatch cluster uses the existing indexers, data, and ingesters. Data does not need to be replicated or copied, the security team can leverage the data that is already present.

But wait, there is more! The security teams Overwatch webserver does not interact with the other webservers. That means that scheduled queries, persistent searches, resources, or accounts on either Entity A or Entity B are entirely independent. The smooth running operation in A will hum along, none the wiser. The chaos in B can continue its reign of terror and the admin of cluster B will not see the queries, history, or resources of the security team, nor can he monitor and/or disrupt them (and vice versa). Overwatch can scale up too, a sufficiently sized Gravwell webserver can manage hundreds of indexers which will allow the security team to bring online their own set of indexers as well as fold in additional deployments across an organization.

Wrapping it up

Gravwell Overwatch is designed with two customer sets in mind. The large organization with needs to satisfy internal needs as well as professional security providers that need to be able to efficiently host and manage large numbers of customers that may still want unrestricted access to their own data.

If you would like to try Gravwell checkout our free community edition:

Get Community Edition

If you would like more information about what Gravwell can do for you or to discuss options deploying Gravwell as an MSSP, click the button and book a demo!

Book A Demo

 

Topics: Software Updates, DevOps Analytics

Kris Watts

Written by Kris Watts

Founder and CTO