Cyphon is an incident-response platform that receives, processes, and triages events to create a more efficient analytic workflow — aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents.
- Collect
- Cyphon collects data from a variety of sources, including emails, log messages, and social media. It lets you shape the data however you like, so it’s easier for you to analyze. You can also enhance your data with automated analyses, like geocoding.
- Alert
- Cyphon creates alerts for important data as it arrives, so you’re notified when something of interest happens. You can prioritize alerts using custom rulesets, and bundle related alerts so you don't get inundated.
- Respond
- Analysts can quickly investigate alerts by exploring related data, and annotate alerts with their findings. With JIRA integration, they can escalate important alerts by creating a ticket in Service Desk.
Many organizations manage post-processed security events as email notifications, which is incredibly inefficient. An inbox flooded with alert notifications creates an environment where critical issues are overlooked and rarely investigated.
Cyphon eliminates this issue by throttling events and prioritizing them based on user-defined rules. Analysts can quickly investigate incidents by correlating other data sets against indicators that matter. They can then annonate alerts with the results of their analysis.
Today, Cyphon supports integrations with Bro, Snort, Nessus, and other popular security products.
Leveraging publicly available APIs, Cyphon can collect data from streaming sources. Search is based on keywords, geofencing, and adhoc parameters. Cyphon supports the current version of the Twitter Public Streams API.
Cyphon can process events from any sensor type, offering a unique way to analyze information from physical environments.
- Aggregate data from numerous sources: email, logs, social media, and APIs
- Enhance data with automated analyses, like geoip
- Generate custom alerts with push notifications
- Throttle alerts and bundle related incidents
- View alerts by category, priority, and source
- Investigate alerts and track work performed
The Cyphon platform is made up of a backend data processing engine ("Cyphon Engine") and a security operations front end UI for visualization ("Cyclops"). They are maintained in separate projects. The Cyclops project can be found here.
Cyphon works with the help of several open source projects. To get Cyphon up and running, you'll need to install all of its dependencies. We've simplified this process by using Docker, which allows you to easily deploy an application as a set of microservices. Additionally, we've created a set of files for running Cyphon in both development and production environments. Employing a Docker Compose file enables you to quickly install and run Cyphon and the other services it uses, including:
- PostgreSQL relational database
- RabbitMQ message broker
- Logstash data ingestion tool
Our Docker Compose files are available on GitHub as Cyphondock. If you'd like to work with our Docker image directly, you can find it on Docker Hub.
Consult our official documentation to learn more about Cyphon. The docs include set-up instructions and a description of Cyphon’s API. Documentation for Cyclops can be found here.
Cyphon is free software and available for personal or professional use. The Cyphon Project is maintained by Dunbar Cybersecurity and is distributed under a dual license. The Cyphon Engine is distributed under the GPLv3 License. Cyclops is subject to a non-commercial use license.