WitFoo Precinct can be deployed as an All-in-One Appliance for organizations with less than 10,000 events per second or can be deployed in a horizontally & vertically scaling architecture to allow for millions of events per second and long term retention and processing.
Appliance Deployment Instructions
- VMWare ESX
- Virtualbox
- Amazon Web Services
- Google Cloud
- Azure
- Oracle Cloud
- Rackspace or other Cloud Hosting
- Ubuntu 18.04 LTS (Virtual or Physical)
For more appliance installation and configuration guidance see: https://community.witfoo.com/forums/forum/virtual-appliance-and-os/
Detailed training on deployment, configuration and scale can be found at: https://community.witfoo.com/courses/ (free registration required.)
The Deployment Checklist can be accessed at: https://community.witfoo.com/forums/topic/witfoo-precinct-deployment-checklist/
Installation Walk-through
Appliance Nodes
WitFoo Precinct is deployed via appliance nodes. There is an All-in-One appliance that contains all three WitFoo Precinct components. Each node can handle up to 50,000 events per second when clustered (at optimal resource allocation and Core processing level.) Appliance CPU and RAM must comply with the chart below and must be adjusted on OVA import.
- All-in-One – Contains Investigative Engine (IE), Streamer and Data nodes. Rated up to 10k eps.
- Investigative Engine (IE) Node – Provides the user interface and centralized configuration as well as distributed processing and analysis.
- Streamer Node – Receives, parses and stores Syslog and NetFlow in a WitFoo Artifact in Data Nodes. Also includes the Investigative Engine.
- Data Node – Cassandra data cluster node to receive, store and process WitFoo Artifacts and Relational (SQL) data cluster.
| Node | CPU | RAM | Disk | OVA Download | AWS min/optimal |
|---|---|---|---|---|---|
| All-in-One | 8 | 16GB | 1.2TB, 280GB, 180GB | 1TB, 200GB, 100GB | c5.2xlarge / c5.18xlarge |
| IE Node | 4 | 8GB | 130GB | OVA | c5.xlarge / c5.4xlarge |
| Streamer Node | 4 | 8GB | 130GB | OVA | c5.xlarge / c5.4xlarge |
| Data Node | 4 | 12GB | 1.2TB, 280GB, 180GB | 1TB, 200GB, 100GB | c5.xlarge / c5.4xlarge |
Best Practice Note: Initial deployments that are created in a minimum horizontal cluster allow for simple expansion without the need to migrate data. For most enterprises, the configuration below allows for horizontal scale flexibility:
- One (1) IE Node
- One (1) Streamer Nodes
- Three (3) Data Nodes
For additional performance and scale guidance please refer to this training module: https://vimeo.com/277872139.
To request a trial license, complete this form.
| Image | Open Ports |
|---|---|
| All-in-One | SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp) |
| IE Node | SSH (22/tcp), HTTPS (443/tcp), API (8080/tcp) |
| Streamer Node | SSH (22/tcp), Syslog (514/udp/tcp) Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp) |
| Data Node | SSH (22/tcp), Cassandra (9042/tcp) Replication (7001/tcp) |
Precinct Architecture
Security Products Currently Supported
| Vendor | Product | Critical Security Controls |
|---|---|---|
| BRO IDS | BRO IDS | |
| Carbon Black | Carbon Black Protect/Defend | 1, 2, 5, 8 |
| Centrify | Centrify | 4 |
| Checkpoint | Checkpoint FW | 9, 12 |
| Cisco | Stealthwatch | 12, 13 |
| Cisco | Advanced Malware Protection (AMP) | 1, 8 |
| Cisco | Firepower | 7, 12 |
| Cisco | ASA Firewall | 9, 12 |
| Cisco | Meraki | 15 |
| Cisco | Cisco Ironport | 7 |
| Cisco | Umbrella | 7 |
| Cisco | Cisco Threat Response | 8 |
| Cisco | Cisco Wireless | 15 |
| Crowdstrike | Falcon | 1, 2, 5, 8 |
| Cybereason | Cybereason | 1, 8 |
| Cylance | Cylance Protect | 1, 5, 8 |
| F5 | ASM | 12 |
| FireEye | FireEye EMS | 1, 5, 8 |
| Fortinet | Fortigate | 7, 9, 12 |
| IBM | QRadar | 1, 6, 16 |
| Imperva | SecureSphere | 13 |
| InfoBlox | InfoBlox | 1, 7 |
| Juniper | Juniper FW | 7, 9, 12 |
| Malwarebytes | Malwarebytes Anti-Malware | 1, 8 |
| McAfee | McAfee Web Gateway | 7 |
| McAfee | McAfee ePolicy Orchestrator | 1, 8 |
| Microsoft | Windows Logs | 4, 14 |
| Microsoft | Windows Active Directory | 4, 5, 14 |
| Microsoft | Advanced Threat Analytics | 13, 16 |
| Mist | Mist Wireless | 15 |
| Nokia | NetGuard | 12 |
| OSSEC | OSSEC | 1, 8 |
| Palo Alto | PAN NGFW | 7, 9, 12 |
| ProofPoint | ProofPoint Protect | 7 |
| Qualys | Qualys VA | 1, 2, 3, 5, 11 |
| Radware | Radware Appwall | 12 |
| Solarwinds | N-Central | 8 |
| Sophos | Sophos Central | 1, 5, 8 |
| Suricata | Suricata IDS | 12 |
| Symantec | Symantec Endpoint Protection | 1, 8 |
| Symantec | Symantec Data Loss Prevention | 13 |
| Taxii | STIX/Taxii | |
| Threatmetrix | Threatmetrix | |
| Thycotic | Secret Server | 4 |
| Tippingpoint | Tippingpoint IPS | 9, 12 |
| TrapX | TrapX | |
| Trend Micro | Trend Deep Security | 1, 8 |
| Varonis | DatAdvantage | 12 |
| Vectra Networks | Cognito | 8 |
| Wazuh | Wazuh | 1, 8 |
| Websense | Websense | 7 |
| WitFoo | Precinct | 6, 16 |
| zScaler | zScaler NSS | 7 |
