Mentat is a distributed modular SIEM (Security Information and Event Management System) designed to monitor networks of all sizes. Its architecture enables reception, storage, analysis, processing and response to a great volume of security incidents originating from various sources, such as honeypots, network probes, log analysers, third party detection services, etc. The Mentat system has been developed as an open-source project.
This is the official website for the Mentat system as an open project. If you are looking for information about the Mentat system as a service operated by CESNET, a.l.e. please go to the website of Mentat system managed by CESNET-CERTS security team.
Most network operators take care of their network and perform some kind of network monitoring. In order to keep their network under control and secure, they usually apply a combination of various passive and proactive methods (IDS, IPS, honeypots, probes). The biggest of them have a CSIRT/CERT or some other type of a security team to watch over the network and deal with any issues arising.
CESNET is in the same position. CESNET operates a large high-speed network, called CESNET2, with a rich international connectivity and approximately 400 000 users. The CESNET2 network is carefully and systematically monitored by means of various tools, technologies and services. These generate a great deal of warnings – network anomalies, security events and incidents etc. Besides that, we receive the alerts about the problems in our network from third party services such as ShadowServer. On top of that, we have a CSIRT team the members of which use the OTRS ticket tracking system to handle any incidents. To look for relevant information in multiple places manually is rather time consuming. Thus, our biggest motivation to develop the Mentat system was to consolidate event sources, event persistent storage and event processing.
Thus, the Mentat system is a platform enabling to unify the collation and subsequent processing and managing of various detected security events coming from a wide range of different detection systems. Prior to developing our own custom solution we tested the existing open source SIEM systems (e.g. Prelude SIEM). However we ended up implementing our own solution that reflects our needs the best.
Mentat is designed as a distributed modular system with the emphasis on security, extendability and scalability. The core of the system is implemented similarly to the Postfix MTA. It consists of many simple modules/daemons, each of is responsible for performing a particular ‘simple’ task. This approach enables smooth parallelization and extendability. All modules use the same core service framework, which makes implementing new modules an easy task.
The whole system is implemented in Python3 and uses the PostgreSQL as persistent data storage. It uses the IDEA data model, which is based on JSON format and was specifically designed to describe and contain a wide range of different security events and with further extendability in mind. Mentat itself does not have any network communication protocol for receiving events/messages directly. Instead it relies on the services of Warden security information exchange platform.
Currently, the working prototype of the Mentat system is being operated successfully as a service for customers and partners of CESNET, a.l.e.. It accepts events from many internal and external sources. The system processes approximately 2 million events per day. The crucial and most apparent component of the entire system is an automatic reporter module which distributes information about security incidents directly to the responsible administrators within the CESNET2 network (AS2852).