The PALANTIR architecture creates a closed-loop control environment between the Threat Intelligence and the Security Capabilities Orchestrator components through the enforcement of the SecaaS capabilities.
The Threat Intelligence traces traffic from the network and VNFs through Distributed Collectors, analyses it for signs of malicious activity and outputs the detected anomalies to the Remediation Engine.
The Remediation Engine proposes reactive measures against detected cyberattacks, expressed in a custom model, to the Security Capabilities Orchestrator.
The Security Capabilities Orchestrator interprets the reactive measures and issues specific actions and lifecycle management (LCM) messages to the SecaaS capabilities.
The framework is designed for high availability and fault tolerance. Although organic links are formed among components and their outputs, the service-oriented approach does not create a single point of failure. For example, a destructive fault in MANO will not affect the functionality of already running Firewall services, other than, for example, preventing new upgrades to those running service instances for a limited time.
High level PALANTIR architecture
PALANTIR is built around the following main features:
A Risk-based Analysis Framework that allows the quantification of security/privacy vulnerabilities and threats based on security/privacy impact assessment and its correlation with the attack surface analysis.
A set of SecaaS capabilities to be dynamically enforced. Within them, security services are prominent. These are deployed as Virtual Network Functions (VNFs) upon request, thus creating Security-as-a-Service. The VNF approach allows perimeter defences (firewalls, intrusion detection, etc.) to be deployed within seconds in PALANTIR.
When a threat goes undetected by normal perimeter defences, the Threat Intelligence component provides additional protection via Machine Learning. A Remediation and Recommendation Module generates intelligible suggestions to address these security threats.
A Trust, Attestation & Recovery component that periodically attests the infrastructure's components for signs of compromise. It covers not only physical (computing hardware, switches, routers, etc.) and virtual (containerised apps, VNFs or, in general, instances of the SecaaS capabilities themselves) systems, but also conceptual artifacts (network topologies, etc.).
The Security Capabilities Orchestrator component deals with the instantiation, configuration and management of the security services and, in general, of the SecaaS capabilities, interacting with the key Management and Orchestration (MANO) tools, among others.
A Security Capabilities Catalogue includes signed, trusted packages for the SecaaS capabilities, their security/privacy specifications, their billing information and other metadata (e.g. deployment templates) that are used upon instantiation by the MANO framework.
An Accounting Dashboard that provides account management per user role (e.g. service developers, PALANTIR providers and users). Cybersecurity-related alerts and the status of running services are tracked in the Security Dashboard.
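The catalogue item above states that SecaaS packages are signed and trusted before MANO instantiates them. The following is an added illustration, not PALANTIR's own code: it models an orchestrator-side gate that refuses to hand a package to MANO unless the signature over the package digest and its metadata (specifications, billing, deployment template) still verifies. The signature scheme (HMAC-SHA256 with a constructed key), the metadata fields and the function names are assumptions; the project's real scheme and key management are not described on this page.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a catalogue signing key; PALANTIR's actual signature
# scheme and key management are not described on this page (assumption).
CATALOGUE_SIGNING_KEY = b"constructed-catalogue-key-not-a-real-secret"


def canonical_bytes(entry: dict) -> bytes:
    """Serialise the catalogue entry deterministically so the signature covers
    the package digest and every metadata field (specs, billing, template)."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def sign_entry(package: bytes, metadata: dict) -> dict:
    """Produce a signed catalogue entry: package digest plus its metadata."""
    entry = {"package_sha256": hashlib.sha256(package).hexdigest(), **metadata}
    tag = hmac.new(CATALOGUE_SIGNING_KEY, canonical_bytes(entry), hashlib.sha256).hexdigest()
    return {"entry": entry, "signature": tag}


def verify_entry(signed: dict, package: bytes) -> bool:
    """Check the signature over the entry, then the package against its digest."""
    entry = signed["entry"]
    expected = hmac.new(CATALOGUE_SIGNING_KEY, canonical_bytes(entry), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["signature"]):
        return False  # metadata or digest altered after signing
    return hmac.compare_digest(hashlib.sha256(package).hexdigest(), entry["package_sha256"])


def instantiate(signed: dict, package: bytes) -> str:
    """Orchestrator-side gate: only verified entries are handed to MANO."""
    if not verify_entry(signed, package):
        return "rejected: catalogue entry failed verification"
    return f"handed to MANO: {signed['entry']['name']} ({signed['entry']['template']})"


# Constructed sample SecaaS capability (not a real PALANTIR package).
FIREWALL_PKG = b"vnf-image-bytes-firewall-v1"
FIREWALL_META = {"name": "firewall", "template": "fw-descriptor.yaml", "billing": "per-hour"}

if __name__ == "__main__":
    signed = sign_entry(FIREWALL_PKG, FIREWALL_META)
    print(instantiate(signed, FIREWALL_PKG))
    # Swapping the deployment template after signing invalidates the entry.
    tampered = {"entry": {**signed["entry"], "template": "other.yaml"}, "signature": signed["signature"]}
    print(instantiate(tampered, FIREWALL_PKG))
```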