Physical, Logical and Data Flow
BluSapphire supports both Hosted (SaaS), Onsite and Appliance based deployment models.
A high-level SaaS deployment architecture is shown below:
Onsite deployments will look like the architecture described above. Except that the hosted components will be onsite at the customer datacenter. A brief description of the components involved is as below:
Sensor: Sensor is a gateway appliance (physical or virtual) that receives a SPAN/Mirror copy of all the traffic moving in and out of the firewall. Most Static Analysis and DPI happen at the sensor. The Sensor is also responsible for describing the traffic model(s) and sending over the metadata to the master for further analysis.
Log Collector: Log Collector is the local aggregator of all logs and flows on each site, filtering and compressing the data before transmitting them over to the Open Data Platform (ODP) for further analysis and storage.
Responder: Is responsible for all response and remediation action(s) on the client site. This is typically a windows VM that is part of the customer domain. Responder communicates with Master and executes the required actions on the local network(s). Responder is key for agentless Response, Remediation and Threat Hunt activity.
Gateway Collector: Gateway Collector is the cloud “collector” of data/logs and is responsible for orchestration, enrichment and normalization of data, and push it to Open Data Platform (ODP).
Master: Master is the central controller of all activity. It is responsible for all coordination between ODP, Sensors and Responders. It also typically hosts the web interfaces responsible for management interfaces for BluSapphire and manages all REST API Access too. Horizontally scalable. Master is also responsible for collecting all Threat Intelligence (TI) and pushing it to the required components like ODP.
Behavior Analysis Platform (BAP): Is responsible for Behavior Analysis of files, scripts etc., It is also typically responsible for Dynamic Behavior Analysis. Horizontally Scalable.
Open Data Platform (ODP): ODP is the Big Data Platform that stores and analyses the multiple data points collected by all BluSapphire components. It can horizontally scale to petabytes of data. ODP also hosts the Machine Learning, Predictive Analytics and Algorithmic analysis components of BluSapphire. ODP also consumes and process all Threat Intelligence data from BluSapphire Update Server and/or from other TI sources.
BluSapphire Logical Architecture can be described in Figure 5.
Fig 5: BluSapphire Logical Architecture
Each of the BluSapphire Components can be scaled horizontally and operated in High-Availability mode. Eg: Sensor, Log Collector and Responders can be used in HA mode by using two of each system as a HA pair. ODP offers n+1 failure resiliency by design. Behavior Analysis Platform (BAP) is also available in HA along with Message Queues.
Please reach out to the team for planning a resilient architecture (HA) as customer networks, infrastructure and HA requirements vary. Our team will be able to work with you and define a resilient architecture that suits your needs.
BluSapphire Data Flow Architecture can be described in Figure 6.
Fig 6: BluSapphire Data Flow Architecture
BluSapphire relies on a proven Big Data and Machine Learning architectures for running its ML algos and Analytics, including scalable data storage. BluSapphire stores the raw data, normalized data along with various enrichments in models.
BluSapphire also maps all activities against MITRE ATT&CK Matrix. This helps define threat actions, threat actors and enables faster resolution.