Calvin: A Real-time Security Monitoring Solution

About Calvin & Ministry of Health

During Covid19, the Ministry of Health (VWS) faced a number of new challenges. As they had to develop several new in-house applications related to Covid19, security & privacy by design were paramount in developing and maintaining these applications. In addition, some applications were dealing with sensitive data. This also meant that there was an extra challenge regarding cybersecurity. As few people as possible should have access to the data, but at the same time the user activity of the applications from VWS had to be monitored to prevent malicious intent. These requirements led to the creation of Calvin, a privacy-by-design SOC SIEM solution built in-house with the Ministry of Health.

Calvin is a part of the KAT project (kwetsbaarheden-analyse-tool) an open-source vulnerability analysis tool, which we also worked on as BiteStreams. Calvin will be open-sourced at a later point in time as a component of KAT.

Use-case First SOC/SIEM

As the applications from VWS deal with sensitive data, one of the most important requirements from the get-go was that the solution would have to adhere to privacy-preserving design principles. This meant that use-cases for what we want to monitor had to be set up first and approved by the relevant stakeholders. As opposed to trying to find use-cases for it while looking at user data.

In addition, we had several other technical challenges:

• Support different data formats like events, but also syslog log-data
• Support different input channels for data: monitoring of log files and ingestion of events through a message broker
• Process high amounts of data in real-time
• Support adding different use-cases on top of log-streams and event-streams designed by the CSIRT (computer security incident response team)
• Make the event-parsing, use-cases and applications highly configurable
• Add a time-to-live (TTL) to all the data, approved by the privacy department such that data is not kept indefinitely.

Real-time KSQLdb Use-cases

To tackle the above challenges, we implemented a highly efficient Go application that could process log streams in real-time using Kafka. Since we wanted to use open-source software, we incorporated the relatively new KSQLdb database, since KSQL has excellent support for cybersecurity use-cases. By using KSQL, we can define use-cases dynamically using streaming-queries, ensuring that they are executed in real-time. KSQL can join, aggregate and compare over different time windows. This allows the application to detect security incidents by monitoring the usage of the applications over minutes, hours and days. For example, some of the more simple use-cases that the system monitored were the following:

• Attempts to guess passwords of user accounts by monitoring failed logins
• User privilege monitoring by monitoring for the privilege of users changing
• Detection of brute force login attempts for admin accounts

As the applications developed were all configurable using JSON config files, we could add new log streams, use-cases and applications as we expanded our efforts geared towards better security. In addition, we built a CI/CD pipeline using GitHub actions. Allowing us to easily deploy new versions of the app by building the Go binaries whenever a release was made in GitHub.

Impact for the Ministry of Health

With Calvin, we have set up the groundwork for a modern SOC system, based on open-source software. This resulted in:

• A privacy-by-design SOC/SIEM system
• A fast and performant application for processing logs at scale
• An extendable and configurable open-source solution