
CYCLOPS

The CYDERES CNAP Logging & Operations Server (CYCLOPS) is a virtual appliance built to manage various containerized applications on a CYDERES-managed Kubernetes cluster that forward data to security analytics platforms such as CYDERES CNAP, GCP's Chronicle, and Azure Sentinel. Customers are provided a VM appliance by CYDERES to deploy into their environment. Once online, the node enrolls into the CYDERES-managed configuration management system, loads the necessary dependencies, and applications are deployed onto the CYCLOPS Kubernetes cluster.

CYCLOPS can run as a single node or be joined with additional nodes to form a cluster. This cluster runs in the customer's environment, typically on a virtualization platform (VMware, Hyper-V, KVM, etc.). Kubernetes runs on top of CYCLOPS; it is a container orchestration platform that allows for simplified container deployments, zero-downtime configuration updates, load balancing, high availability, and autoscaling.

From CYCLOPS, CYDERES will deploy containerized applications including our data forwarder technologies, logging/metrics collection for CYCLOPS, CYCLOPS management agents, and some Kubernetes components.

Scope and Sizing

The CYCLOPS size is derived from a combination of 'Events per Second' and data types that will be configured. Data types are defined as differentiated sources of information. For example, EDR, DNS, and DHCP are all separate data types.

CYDERES recommends that CYCLOPS be deployed with 4 CPU, 16 GB of RAM, and 100 GB of disk space. This sizing allows CYCLOPS to accept new data types or features immediately as they are added. CYCLOPS is also flexible enough to be sized up or down depending on the deployment scenario, using the following guidelines:

Resource   Amount   Per
CPU        2        10,000 EPS
RAM        1.5 GB   Data type
HDD        50 GB    Minimum

Deployment

CYDERES will provide an OVA or similarly packaged virtual appliance. The package contains a base Linux operating system with the dependencies needed to bootstrap the system and establish initial contact with CYDERES. The package can be deployed as often as needed to build additional nodes.

CYCLOPS is available as an OVA or as an AWS Amazon Machine Image (AMI) that can be shared. If utilizing an AMI, please provide CYDERES with the AWS account numbers and regions with which to share the AMI.

IMPORTANT: Please provide CYDERES with the hostname(s) you set for the forwarder(s). Providing a unique name that specifically identifies each forwarder will help our team get them onboarded as quickly as possible and help troubleshoot any issues in the future.

Connectivity Requirements

Note: If TLS/SSL interception is enabled, also bypass it for the domains listed below. If required, a custom DNS server may be used in place of 8.8.8.8 and 8.8.4.4. Port 123 to .cyderes.io must be used for NTP. Broad opening of sub-domains under .cyderes.cloud and .cyderes.io is encouraged because the infrastructure changes.

Destination                            Port                                Direction
gcr.io                                 TCP/443                             External Outbound
malachiteingestion-pa.googleapis.com   TCP/443                             External Outbound
googleapis.com                         TCP/443                             External Outbound
googleapis.l.google.com                TCP/443                             External Outbound
accounts.google.com                    TCP/443                             External Outbound
*.cyderes.cloud                        TCP/80,443                          External Outbound
*.cyderes.io                           TCP/80,123,443; UDP/123             External Outbound
sm-ext-01.cyderes.cloud                TCP/4505,4506                       External Outbound
docker.com                             TCP/443                             External Outbound
docker.io                              TCP/443                             External Outbound
8.8.8.8                                TCP/53, UDP/53                      External Outbound
8.8.4.4                                TCP/53, UDP/53                      External Outbound
Data sources                           TCP/30000-32767, UDP/30000-32767    Local Inbound
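As an added pre-deployment check (not part of the CYDERES documentation), the script below embeds the required outbound destinations from the table above and reports which ones a proposed egress allow-list fails to cover, so a firewall change can be reviewed before the appliance tries to enroll. The allow-list line format and the sample policy are constructed for this example; the inbound data-source range is a separate local rule and is not checked here.

```python
import fnmatch
# Required outbound destinations for CYCLOPS, transcribed from the
# connectivity table on this page as (destination, protocol, port).
REQUIRED_EGRESS = [
    ("gcr.io", "tcp", 443), ("malachiteingestion-pa.googleapis.com", "tcp", 443),
    ("googleapis.com", "tcp", 443), ("googleapis.l.google.com", "tcp", 443),
    ("accounts.google.com", "tcp", 443),
    ("*.cyderes.cloud", "tcp", 80), ("*.cyderes.cloud", "tcp", 443),
    ("*.cyderes.io", "tcp", 80), ("*.cyderes.io", "tcp", 123),
    ("*.cyderes.io", "tcp", 443), ("*.cyderes.io", "udp", 123),
    ("sm-ext-01.cyderes.cloud", "tcp", 4505), ("sm-ext-01.cyderes.cloud", "tcp", 4506),
    ("docker.com", "tcp", 443), ("docker.io", "tcp", 443),
    ("8.8.8.8", "tcp", 53), ("8.8.8.8", "udp", 53),
    ("8.8.4.4", "tcp", 53), ("8.8.4.4", "udp", 53),
]

# Constructed sample egress policy (not from the page), one rule per line:
# '<destination> <tcp|udp|any> <port|low-high|any>'; '#' starts a comment.
SAMPLE_ALLOWLIST = """
*.googleapis.com tcp 443     # does not cover googleapis.l.google.com
googleapis.com tcp 443
accounts.google.com tcp 443
gcr.io tcp 443
*.cyderes.cloud tcp 80-443   # misses sm-ext-01 on 4505/4506
*.cyderes.io any 80-443      # covers TCP 80/123/443 and UDP 123
8.8.8.8 any 53               # secondary resolver 8.8.4.4 forgotten
docker.io tcp 443            # docker.com forgotten
"""

def parse_rule(line):
    """Turn one rule line into (dest, proto, low_port, high_port)."""
    dest, proto, ports = line.split("#", 1)[0].split()
    span = "0-65535" if ports == "any" else ports if "-" in ports else f"{ports}-{ports}"
    low, high = map(int, span.split("-"))
    return (dest.lower(), proto.lower(), low, high)

def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.split("#", 1)[0].strip()]

def rule_covers(rule, dest, proto, port):
    """True if the rule permits dest/proto/port; a *.zone rule covers hosts under that zone."""
    rdest, rproto, low, high = rule
    if rproto not in (proto, "any") or not low <= port <= high:
        return False
    return rdest == dest or (rdest.startswith("*.") and fnmatch.fnmatch(dest, rdest))

def missing_egress(rules):
    """Return the required (dest, proto, port) tuples that no rule allows."""
    return [req for req in REQUIRED_EGRESS if not any(rule_covers(r, *req) for r in rules)]
```

Running `missing_egress(parse_rules(SAMPLE_ALLOWLIST))` on the sample policy lists six gaps, including the Salt master ports on sm-ext-01.cyderes.cloud and the secondary DNS resolver.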

Architecture Diagram

[Architecture diagram: cyclops]

Generally, for each data type that is sent to CYCLOPS, a new TCP or UDP listener service will be configured to accept the data. The listener service ports will begin at 30000 and be incremented to accommodate additional data types as needed. For example, if there are two data types being sent over syslog, there would be two listener services on 30000 TCP/UDP and 30001 TCP/UDP.

CYCLOPS will function best when deployed in a load-balanced environment to ensure maximum availability. The load balancer should distribute traffic on any TCP or UDP port so that listeners for new data types can be added to CYCLOPS at any time.
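To illustrate the per-data-type listener scheme described above, here is an added Python example (not CYDERES code) that assigns NodePorts from 30000 upward, refuses to allocate past the 30000-32767 range the connectivity table opens inbound, and renders the Kubernetes Service that exposes one data type on both TCP and UDP. The Service name, the selector label and the syslog container port 514 are assumptions made for this example.

```python
# NodePort range Kubernetes uses by default; it is also the inbound range the
# connectivity table on this page opens for data sources.
NODEPORT_MIN, NODEPORT_MAX = 30000, 32767

class ListenerAllocator:
    """Hands out one NodePort per data type, starting at 30000 and counting up,
    and renders the Kubernetes Service that exposes it on both TCP and UDP."""

    def __init__(self, first_port=NODEPORT_MIN):
        self.next_port = first_port
        self.assigned = {}  # data type name -> NodePort

    def allocate(self, data_type):
        """Return the data type's NodePort, allocating the next free one if new."""
        if data_type in self.assigned:
            return self.assigned[data_type]
        if self.next_port > NODEPORT_MAX:
            raise ValueError(f"NodePort range {NODEPORT_MIN}-{NODEPORT_MAX} exhausted")
        self.assigned[data_type] = self.next_port
        self.next_port += 1
        return self.assigned[data_type]

    def service_manifest(self, data_type, container_port=514):
        """Service of type NodePort for one data type. The Service name, the
        'app' selector label and the syslog container port 514 are assumptions
        made for this example, not values from the page."""
        node_port = self.allocate(data_type)
        name = f"listener-{data_type}"
        return {
            "apiVersion": "v1",
            "kind": "Service",
            "metadata": {"name": name},
            "spec": {
                "type": "NodePort",
                "selector": {"app": name},
                # The same nodePort may carry TCP and UDP: Kubernetes keys
                # NodePort uniqueness on (protocol, port).
                "ports": [
                    {"name": proto.lower(), "protocol": proto, "port": container_port,
                     "targetPort": container_port, "nodePort": node_port}
                    for proto in ("TCP", "UDP")
                ],
            },
        }
```

Two syslog data types allocated in order land on 30000 and 30001, matching the example in the text; serialising the returned dict with a YAML library yields a manifest `kubectl apply` accepts.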

Passive Tap

CYCLOPS can be configured with a passive tap interface, giving it the ability to gather data for specific traffic flows such as DNS and DHCP through packet capture. As CYCLOPS is a virtual appliance, it can be given an additional interface configured with promiscuous mode enabled. CYDERES recommends placing the promiscuous-mode interface only on the same VLAN as the traffic it is meant to capture. For instance, to capture DNS and DHCP traffic from a virtual domain controller, assign the promiscuous-mode interface the VLAN in which the domain controller resides. CYCLOPS must be deployed on the same virtualization host as the device whose packets it is capturing. CYCLOPS is configured with a Berkeley Packet Filter (BPF) so that it only captures and sends traffic for the ports detailed in the filter. The interface assigned to CYCLOPS must be able to handle the amount of traffic that will be sent to it.

VMware Configuration Reference:

https://kb.vmware.com/s/article/1004099