Nybble Analytics Project

Nybble Analytics is a SIEM platform built on top of open-source stream-processing frameworks and open standards.

Stream Processing Framework

Nybble is based on the Apache Flink stream-processing framework, which has a rich set of features that make it an ideal candidate to be the core of a SIEM platform.

Apache Flink provides basic SIEM features like real-time analysis, scalability and high availability, but also more advanced features like savepoints (which can allow retro-analysis) or complex event processing.

Additionally, Flink follows the Kappa architecture, which means that besides working with streams, it is also possible to work with batches and provide reporting features.

More information about Apache Flink here : https://ci.apache.org/projects/flink/flink-docs-master/

Open Standards

Nybble is developed to use and take advantage of open standards. The goal is to provide a platform that can retrieve, generate and share Cyber Threat Intelligence more quickly and easily.

Sigma

Sigma is a generic and open signature format used to create SIEM rules. The Sigma format allows fast rule development and sharing for better detection.

Many Sigma converters are already available for the most popular SIEMs like Splunk, ArcSight, Graylog...

Nybble, on its side, uses generic rules directly, converts them automatically to JSONPath format and finally maps rule fields to event fields for matching.

Sigma standard is discussed further here. More information about Sigma standard here : https://github.com/Neo23x0/sigma
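To make the rule-to-event matching step concrete, here is an added illustration (not Nybble's own code) of how a Sigma-style detection selection can be compiled against a field map and evaluated on events. It assumes simple dotted paths in place of Nybble's JSONPath expressions, a constructed field map and sample event, and only the Sigma modifiers equals, contains and endswith.

```python
from typing import Any

# Constructed mapping from Sigma field names to event field paths
# (dotted paths stand in for the JSONPath expressions Nybble generates).
FIELD_MAP = {"Image": "process.executable", "CommandLine": "process.command_line", "EventID": "event.code"}

def resolve(event: dict, path: str) -> Any:
    """Walk a dotted path such as 'process.executable' into a nested event."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def compile_selection(selection: dict) -> list:
    """Turn {'Field|modifier': value} pairs into (event path, modifier, values)."""
    compiled = []
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        values = value if isinstance(value, list) else [value]
        compiled.append((FIELD_MAP[field], modifier or "equals", values))
    return compiled

def matches(event: dict, selection: dict) -> bool:
    """All selection fields must match (AND); a list of values is an OR, case-insensitive."""
    for path, modifier, values in compile_selection(selection):
        actual = resolve(event, path)
        if actual is None:
            return False
        text = str(actual).lower()
        wanted = [str(v).lower() for v in values]
        if modifier == "equals":
            ok = text in wanted
        elif modifier == "contains":
            ok = any(w in text for w in wanted)
        elif modifier == "endswith":
            ok = any(text.endswith(w) for w in wanted)
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
        if not ok:
            return False
    return True

# Constructed Sigma-style selection and a constructed event it should match.
SELECTION = {"Image|endswith": "\\powershell.exe", "CommandLine|contains": ["-enc", "-encodedcommand"]}
SAMPLE_EVENT = {"event": {"code": 1},
                "process": {"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                            "command_line": "powershell.exe -EncodedCommand SQBFAFgA"}}
```

A field missing from the event makes the selection fail rather than match, which is the safe default when the mapping is incomplete.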

MISP

MISP is a free and open source threat sharing platform, using the MISP standard for threat intelligence sharing. MISP allows automation of threat definition and sharing and is compatible with many other standards like STIX, OpenIOC, ...

The Nybble platform can be interconnected with MISP to enrich security events with Cyber Threat Intelligence previously gathered and shared by analysts.

More information about MISP here : https://www.misp-project.org/index.html

TheHive

TheHive is a free and open source Security Incident Response Platform allowing collaborative management of security incidents, advanced and fast investigation and Active Response thanks to Cortex analyzers.

TheHive is also integrated with MISP, which makes TheHive able to consume Cyber Threat Intelligence from MISP and also produce Cyber Threat Intelligence that will be used by the Nybble platform.

More information about TheHive here : https://thehive-project.org/

Environment deployment mode

The purpose of integrating the Nybble Platform with MISP, TheHive and open standards like Sigma is to be able to constantly produce and consume Cyber Threat Intelligence.

Those standards make it easy to share IOCs found during investigations, rules created following a security incident or intelligence gathered during the whole process, and finally enhance the detection capabilities.

Intelligence can be shared only internally or also externally with other companies:

Internal mode
External mode