Mentat is a distributed modular SIEM (Security Information and Event Management System) designed to monitor networks of all sizes. Its architecture enables reception, storage, analysis, processing and response to a great volume of security incidents originating from various sources, such as honeypots, network probes, log analysers, third party detection services, etc. The Mentat system has been developed as an open-source project.
Most network operators take care of their network and perform some kind of network monitoring. In order to keep their network under control and secure, they usually apply a combination of various passive and proactive methods (IDS, IPS, honeypots, probes). The biggest of them have a CSIRT/CERT or some other type of a security team to watch over the network and deal with any issues arising.
CESNET is in the same position. CESNET operates a large high-speed network, called CESNET2, with a rich international connectivity and approximately 400 000 users. The CESNET2 network is carefully and systematically monitored by means of various tools, technologies and services. These generate a great deal of warnings – network anomalies, security events and incidents etc. Besides that, we receive the alerts about the problems in our network from third party services such as ShadowServer. On top of that, we have a CSIRT team the members of which use the OTRS ticket tracking system to handle any incidents. To look for relevant information in multiple places manually is rather time consuming. Thus, our biggest motivation to develop the Mentat system was to consolidate event sources, event persistent storage and event processing.
Thus, the Mentat system is a platform enabling to unify the collation and subsequent processing and managing of various detected security events coming from a wide range of different detection systems. Prior to developing our own custom solution we tested the existing open source SIEM systems (e.g. Prelude SIEM). However we ended up implementing our own solution that reflects our needs the best.
Mentat is designed as a distributed modular system with the emphasis on security, extendability and scalability. The core of the system is implemented similarly to the Postfix MTA. It consists of many simple modules/daemons, each of is responsible for performing a particular ‘simple’ task. This approach enables smooth parallelization and extendability. All modules use the same core service framework, which makes implementing new modules an easy task. Currently, most of the system is implemented in Python. However, some parts including the web interface are still implemented in Perl, which was the implementation language of previous version of the system. They are being rewritten into Python.
Mentat uses a document oriented NoSQL database MongoDB as persistent data storage. The system uses the IDEA data model, which is based on JSON. It was specifically designed to describe and contain a wide range of different security events and with further extendability in mind.
Currently, the working prototype of the Mentat system is being operated successfully. It accepts events from many internal and external sources. The system processes approximately 1.5 million events per day. The crucial and most apparent component of the entire system is an automatic reporter module which distributes information about security incidents directly to the responsible administrators within the CESNET2 network (AS2852).