SlideShare a Scribd company logo

Processing TeraBytes of data every day and sleeping at night

Luciano Mammino, profile picture
Luciano Mammino

The document discusses the experiences of the Loige team regarding their cloud-based project, Cognito, aimed at enhancing cybersecurity through AI. It details incidents faced during development, lessons learned in handling AWS infrastructure, and best practices for incident management and development processes. It emphasizes the importance of clear procedures, effective monitoring, and continuous improvement to mitigate operational challenges.

Technology
1 of 67
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
Processing Terabytes of data every day … and sleeping at night @katavic_d - @loige User Group Dublin 05/02/2019 loige.link/tera-dub
Domagoj KatavicSenior Software Engineer 🐦 @katavic_d 😸 github.com/dkatavic
Luciano Mammino Cloud Architect 🐦 @loige 😸 github.com/lmammino loige.co 4.7 out of 5 stars on Amazon.com With @mariocasciaro
Agenda ● The problem space ● Our first MVP & Beta period ● INCIDENTS! And lessons learned ● AWS Nuances ● Process to deal with incidents ● Development best practices ● Release process @katavic_d - @loige
AI to detect and hunt for cyber attackers Cognito Platform ● Detect ● Recall @katavic_d - @loige
Cognito Detect on premise solution ● Analyzing network traffic and logs ● Uses AI to deliver real-time attack visibility ● Behaviour driven Host centric ● Provides threat context and most relevant attack details @katavic_d - @loige
@katavic_d - @loige
Cognito Recall ● Collects network metadata and stores it in “the cloud” ● Data is processed, enriched and standardised ● Data is made searchable @katavic_d - @loige A new Vectra product for Incident Response
Recall requirements ● Data isolation ● Ingestion speed: ~2GB/min x customer (up ~3TB x day per customer) ● Investigation tool: Flexible data exploration @katavic_d - @loige
Agenda ● The problem space ● Our first MVP & Beta period ● INCIDENTS! And lessons learned ● AWS Nuances ● Process to deal with incidents ● Development best practices ● Release process @katavic_d - @loige
Our first iteration @katavic_d - @loige
@katavic_d - @loige Control plane Centralised Logging & Metrics
Security ● Separate VPCs ● Strict Security Groups (whitelisting) ● Red, amber, green subnets ● Encryption at rest through AWS services ● Client Certificates + TLS ● Pentest @katavic_d - @loige
Let’s start the beta! @katavic_d - @loige
Warning: different timezones! A cu m Our ne * @katavic_d - @loige *yeah, we actually look that cute when we sleep!
Agenda ● The problem space ● Our first MVP & Beta period ● INCIDENTS! And lessons learned ● AWS Nuances ● Process to deal with incidents ● Development best practices ● Release process @katavic_d - @loige
@katavic_d - @loige
@katavic_d - @loige
Lambda timeouts incident ● AWS Lambda timeout: 5 minutes 15 minutes ● We are receiving files every minute (containing 1 minute of network traffic) ● During peak hours for the biggest customer, files can be too big to be processed within timeout limits @katavic_d - @loige
Splitter lambda @katavic_d - @loige
Message-aware splitting
Lessons learned ● Predictable data input for predictable performance ● Data ingestion parallelization (exploiting serverless capabilities) @katavic_d - @loige
@katavic_d - @loige
Lambdas IP starvation incident ● Spinning up many lambdas consumed all the available IPs in a subnet ● Failure to get an IP for the new ES machines ● ElasticSearch cannot scale up ● Solution: separate ElasticSearch and Lambda subnets @katavic_d - @loige GI IP!
Lessons learned ● Every running lambda inside a VPC uses an ENI (Elastic Network Interface) ● Every ENI takes a private IP address ● Edge conditions or bugs might generate spikes in the number of running lambdas and you might run out of IPs in the subnet! ● Consider putting lambdas in their dedicated subnet @katavic_d - @loige
@katavic_d - @loige
@katavic_d - @loige Missing data incident
@katavic_d - @loige
@katavic_d - @loige
● New lambda version: triggered insertion failures ● ElasticSearch rejecting inserts and logging errors ● Our log reporting agents got stuck (we DDoS’d ourselves!) ● Monitoring/Alerting failed Resolution: ● Fix mismatching schema ● Scaled out centralised logging system Why didn’t we receive the page @katavic_d - @loige
Alerting on lambda failures Using logs: ● Best case: no logs ● Worst case: no logs (available)! A better approach: ● Attach a DLQ to your lambdas ● Alert on queue size with CloudWatch! ● Visibility on Lambda retries @katavic_d - @loige
@katavic_d - @loige
@katavic_d - @loige
@katavic_d - @loige
Fast retry at peak times ● Lambda retry logic is not configurable loige.link/lambda-retry ● Most events will be retried 2 times ● Time between retry attempts is not clearly defined (observed in the order of few seconds) ● What if all retry attempts happen at peak times? @katavic_d - @loige
Fast retry at peak times @katavic_d - @loige
Fast retry at peak times Processing in these range of time is likely to succeed@katavic_d - @loige
Fast retry at peak times @katavic_d - @loige
Fast retry at peak times Processing in this range of time is likely to fail@katavic_d - @loige
Fast retry at peak times If retries are in the same zone, the message will fail and go to the DLQ 1st retry 2nd retry
Can we extend the retry period in case of failure? @katavic_d - @loige
@katavic_d - @loige Extended retry period We normally trigger our ingestion Lambda when a new file is stored in S3
@katavic_d - @loige Extended retry period If the Lambda fails, the event is automatically retried, up to 2 times
@katavic_d - @loige Extended retry period If the Lambda still fails, the event is copied to the Dead Letter Queue (DLQ)
@katavic_d - @loige Extended retry period At this point our Lambda, can receive an SQS event from the DLQ (custom retry logic)
@katavic_d - @loige Extended retry period If the processing still fails, we can extend the VisibilityTimeout (event delay) x3
@katavic_d - @loige Extended retry period If the processing still fails, we eventually drop the message and alert for manual intervention. x3
Lessons learned ● Cannot always rely on the default retry logic ● SQS events + DLQ = custom SERVERLESS retry logic ● Now we only alert on custom metrics when we are sure the event will fail (logic error) ● https://loige.link/async-lambda-retry @katavic_d - @loige
Agenda ● The problem space ● Our first MVP & Beta period ● INCIDENTS! And lessons learned ● AWS Nuances ● Process to deal with incidents ● Development best practices ● Release process @katavic_d - @loige
AWS nuances ● Serverless is generally cheap, but be careful! ○ You are paying for wait time ○ Bugs may be expensive ○ 100ms charging blocks ● https://loige.link/lambda-pricing ● https://loige.link/serverless-costs-all-wrong @katavic_d - @loige
AWS nuances ● Not every service/feature is available in every region or AZ ○ SQS FIFO :( ○ Not all AWS regions have 3 AZs ○ Not all instance types are available in every availability zone ● https://loige.link/aws-regional-services @katavic_d - @loige
AWS nuances ● Limits everywhere! ○ Soft vs hard limits ○ Take them into account in your design ● https://loige.link/aws-service-limits @katavic_d - @loige
Agenda ● The problem space ● Our first MVP & Beta period ● INCIDENTS! And lessons learned ● AWS Nuances ● Process to deal with incidents ● Development best practices ● Release process @katavic_d - @loige
Process How to deal with incidents ● Page ● Engineers on call ● Incident Retrospective ● Actions @katavic_d - @loige
Pages ● Page is an alarm for people on call (Pagerduty) ● Rotate ops & devs (share the pain) ● Generate pages from different sources (Logs, Cloudwatch, SNS, grafana, etc) ● When a page is received, it needs to be acknowledged or it is automatically escalated ● If customer facing (e.g. service not available), customer is notified @katavic_d - @loige
Engineers on call 1. Use operational handbook 2. Might escalate to other engineers 3. Find mitigation / remediation 4. Update handbook 5. Prepare for retrospective @katavic_d - @loige
Incidents Retrospective "Regardless of what we discover, we understand and truly believe that everyone did the best job they could, given what they knew at the time, their skills and abilities, the resources available, and the situation at hand." – Nor t , Pro t R os t e : A Han k o T m e TLDR; NOT A BLAMING GAME! @katavic_d - @loige
Incidents Retrospective ● Summary ● Events timeline ● Contributing Factors ● Remediation / Solution ● Actions for the future ● Transparency @katavic_d - @loige
Agenda ● The problem space ● Our first MVP & Beta period ● INCIDENTS! And lessons learned ● AWS Nuances ● Process to deal with incidents ● Development best practices ● Release process @katavic_d - @loige
Development best practices ● Regular Retrospectives (not just for incidents) ○ What’s good ○ What’s bad ○ Actions to improve ● Kanban Board ○ All work visible ○ One card at the time ○ Work In Progress limit ○ “Stop Starting Start Finishing” @katavic_d - @loige
Development best practices ● Clear acceptance criteria ○ Collectively defined (3 amigos) ○ Make sure you know when a card is done ● Split the work in small cards ○ High throughput ○ More predictability ● Bugs take priority over features! @katavic_d - @loige
Development best practices ● Pair programming ○ Share the knowledge/responsibility ○ Improve team dynamics ○ Enforced by low WIP limit ● Quality over deadlines ● Don’t estimate without data @katavic_d - @loige
Agenda ● The problem space ● Our first MVP & Beta period ● INCIDENTS! And lessons learned ● AWS Nuances ● Process to deal with incidents ● Development best practices ● Release process @katavic_d - @loige
Release process ● Infrastructure as a code ○ Deterministic deployments ○ Infrastructure versioning using git ● No “snowflakes”, one code base for all customers ● Feature flags: ○ Special features ○ Soft releases ● Automated tests before release @katavic_d - @loige
Conclusion @katavic_d - @loige We are still waking up at night sometimes, but we are definitely sleeping a lot more and better! Takeaways: ● Have healthy and clear processes ● Always review and strive for improvement ● Monitor/Instrument as much as you can (even monitoring) ● Use managed services to reduce the operational overhead (but learn their nuances)
We are hiring … Talk to us!@katavic_d - @loige Thank you! loige.link/tera-dub
Credits Pictures from Unsplash Huge thanks for support and reviews to: ● All the Vectra team ● Yan Cui (@theburningmonk) ● Paul Dolan ● @gbinside ● @augeva ● @Podgeypoos79 ● @PawrickMannion ● @micktwomey ● Vedran Jukic

More Related Content

PDF
Processing TeraBytes of data every day and sleeping at night
Luciano Mammino
 
PDF
Processing Terabytes of data every day … and sleeping at night (infiniteConf ...
Luciano Mammino
 
PDF
Netflix: From Zero to Production-Ready in Minutes (QCon 2017)
Tim Bozarth
 
PDF
Netflix OSS Meetup Season 4 Episode 4
aspyker
 
PPTX
The Road to Kubernetes
Deniz Zoeteman
 
PDF
PDX Serverless Meetup - Self-Healing Serverless Applications
Nate Taggart
 
PDF
Self-Healing Serverless Applications (Stackery @ GlueCon 2018)
Nate Taggart
 
PDF
SpringOne 2016 in a nutshell
Jeroen Resoort
 
Processing TeraBytes of data every day and sleeping at night
Luciano Mammino
 
Processing Terabytes of data every day … and sleeping at night (infiniteConf ...
Luciano Mammino
 
Netflix: From Zero to Production-Ready in Minutes (QCon 2017)
Tim Bozarth
 
Netflix OSS Meetup Season 4 Episode 4
aspyker
 
The Road to Kubernetes
Deniz Zoeteman
 
PDX Serverless Meetup - Self-Healing Serverless Applications
Nate Taggart
 
Self-Healing Serverless Applications (Stackery @ GlueCon 2018)
Nate Taggart
 
SpringOne 2016 in a nutshell
Jeroen Resoort
 

What's hot (20)

PDF
Top conf serverlezz
Antons Kranga
 
PDF
NetflixOSS Meetup season 3 episode 1
Ruslan Meshenberg
 
PDF
Cloud Native Patterns Meetup 2019-11-20
RegisWilson1
 
PPTX
How and why GraalVM is quickly becoming relevant for you (DOAG 2020)
Lucas Jellema
 
PDF
Building a serverless company on AWS lambda and Serverless framework
Luciano Mammino
 
PDF
Front-end for Java developers Devoxx France 2018
Deepu K Sasidharan
 
KEY
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Nick Galbreath
 
PDF
Flagger: Istio Progressive Delivery Operator
Weaveworks
 
PDF
Microservices with Micronaut
QAware GmbH
 
PDF
Extending your applications to the edge with CDNs
SergeyChernyshev
 
PDF
Understanding time in structured streaming
datamantra
 
PDF
Modern Monitoring [ with Prometheus ]
Haggai Philip Zagury
 
PDF
Microservices and serverless in python projects
Jose Manuel Ortega Candel
 
PDF
OpenFlow @ Google
Open Networking Summits
 
PDF
Altitude SF 2017: Building a continuous deployment pipeline
Fastly
 
PDF
Apache Beam and Google Cloud Dataflow - IDG - final
Sub Szabolcs Feczak
 
PDF
Иван Бурмистров "Строго ориентированная последовательность временных событий"...
it-people
 
PDF
Samza at LinkedIn
Venu Ryali
 
PPTX
Reactive Java: Promises and Streams with Reakt (JavaOne talk 2016)
Rick Hightower
 
PDF
FluentD vs. Logstash
All Things Open
 
Top conf serverlezz
Antons Kranga
 
NetflixOSS Meetup season 3 episode 1
Ruslan Meshenberg
 
Cloud Native Patterns Meetup 2019-11-20
RegisWilson1
 
How and why GraalVM is quickly becoming relevant for you (DOAG 2020)
Lucas Jellema
 
Building a serverless company on AWS lambda and Serverless framework
Luciano Mammino
 
Front-end for Java developers Devoxx France 2018
Deepu K Sasidharan
 
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Nick Galbreath
 
Flagger: Istio Progressive Delivery Operator
Weaveworks
 
Microservices with Micronaut
QAware GmbH
 
Extending your applications to the edge with CDNs
SergeyChernyshev
 
Understanding time in structured streaming
datamantra
 
Modern Monitoring [ with Prometheus ]
Haggai Philip Zagury
 
Microservices and serverless in python projects
Jose Manuel Ortega Candel
 
OpenFlow @ Google
Open Networking Summits
 
Altitude SF 2017: Building a continuous deployment pipeline
Fastly
 
Apache Beam and Google Cloud Dataflow - IDG - final
Sub Szabolcs Feczak
 
Иван Бурмистров "Строго ориентированная последовательность временных событий"...
it-people
 
Samza at LinkedIn
Venu Ryali
 
Reactive Java: Promises and Streams with Reakt (JavaOne talk 2016)
Rick Hightower
 
FluentD vs. Logstash
All Things Open
 
Ad

Similar to Processing TeraBytes of data every day and sleeping at night (20)

PDF
Serverless for High Performance Computing
Luciano Mammino
 
PDF
Serverless for High Performance Computing
Luciano Mammino
 
PPTX
AWS Techniques and lessons writing low cost autoscaling GitLab runners
Anthony Scata
 
PDF
AWS Lambda and Serverless framework: lessons learned while building a serverl...
Luciano Mammino
 
PPTX
Netflix Data Pipeline With Kafka
Steven Wu
 
PPTX
Netflix Data Pipeline With Kafka
Allen (Xiaozhong) Wang
 
PDF
Aws uk ug #8 not everything that happens in vegas stay in vegas
Peter Mounce
 
PPTX
Building real time Data Pipeline using Spark Streaming
datamantra
 
PDF
Writing and deploying serverless python applications
Cesar Cardenas Desales
 
PDF
Ensuring Performance in a Fast-Paced Environment (CMG 2014)
Martin Spier
 
PDF
Lessons learned from operating small scale clusters.pdf
decsoham
 
PDF
Lessons learned from operating small scale clusters.pdf
decsoham
 
PPTX
Node.js Web Apps @ ebay scale
Dmytro Semenov
 
PDF
Debugging data pipelines @OLA by Karan Kumar
Shubham Tagra
 
PDF
PyConIT 2018 Writing and deploying serverless python applications
Cesar Cardenas Desales
 
PDF
There is something about serverless
gjdevos
 
PDF
PHP At 5000 Requests Per Second: Hootsuite’s Scaling Story
vanphp
 
PDF
PyConIE 2017 Writing and deploying serverless python applications
Cesar Cardenas Desales
 
PDF
Skillenza Build with Serverless Challenge - Advanced Serverless Concepts
Dhaval Nagar
 
PDF
[AWS Builders] Effective AWS Glue
Amazon Web Services Korea
 
Serverless for High Performance Computing
Luciano Mammino
 
Serverless for High Performance Computing
Luciano Mammino
 
AWS Techniques and lessons writing low cost autoscaling GitLab runners
Anthony Scata
 
AWS Lambda and Serverless framework: lessons learned while building a serverl...
Luciano Mammino
 
Netflix Data Pipeline With Kafka
Steven Wu
 
Netflix Data Pipeline With Kafka
Allen (Xiaozhong) Wang
 
Aws uk ug #8 not everything that happens in vegas stay in vegas
Peter Mounce
 
Building real time Data Pipeline using Spark Streaming
datamantra
 
Writing and deploying serverless python applications
Cesar Cardenas Desales
 
Ensuring Performance in a Fast-Paced Environment (CMG 2014)
Martin Spier
 
Lessons learned from operating small scale clusters.pdf
decsoham
 
Lessons learned from operating small scale clusters.pdf
decsoham
 
Node.js Web Apps @ ebay scale
Dmytro Semenov
 
Debugging data pipelines @OLA by Karan Kumar
Shubham Tagra
 
PyConIT 2018 Writing and deploying serverless python applications
Cesar Cardenas Desales
 
There is something about serverless
gjdevos
 
PHP At 5000 Requests Per Second: Hootsuite’s Scaling Story
vanphp
 
PyConIE 2017 Writing and deploying serverless python applications
Cesar Cardenas Desales
 
Skillenza Build with Serverless Challenge - Advanced Serverless Concepts
Dhaval Nagar
 
[AWS Builders] Effective AWS Glue
Amazon Web Services Korea
 
Ad

More from Luciano Mammino (20)

PDF
Serverless Rust: Your Low-Risk Entry Point to Rust in Production (and the ben...
Luciano Mammino
 
PDF
Did you know JavaScript has iterators? DublinJS
Luciano Mammino
 
PDF
What I learned by solving 50 Advent of Code challenges in Rust - RustNation U...
Luciano Mammino
 
PDF
Building an invite-only microsite with Next.js & Airtable - ReactJS Milano
Luciano Mammino
 
PDF
From Node.js to Design Patterns - BuildPiper
Luciano Mammino
 
PDF
Let's build a 0-cost invite-only website with Next.js and Airtable!
Luciano Mammino
 
PDF
Everything I know about S3 pre-signed URLs
Luciano Mammino
 
PDF
JavaScript Iteration Protocols - Workshop NodeConf EU 2022
Luciano Mammino
 
PDF
Building an invite-only microsite with Next.js & Airtable
Luciano Mammino
 
PDF
Let's take the monolith to the cloud 🚀
Luciano Mammino
 
PDF
A look inside the European Covid Green Certificate - Rust Dublin
Luciano Mammino
 
PDF
Monoliths to the cloud!
Luciano Mammino
 
PDF
The senior dev
Luciano Mammino
 
PDF
Node.js: scalability tips - Azure Dev Community Vijayawada
Luciano Mammino
 
PDF
A look inside the European Covid Green Certificate (Codemotion 2021)
Luciano Mammino
 
PDF
AWS Observability Made Simple
Luciano Mammino
 
PDF
Semplificare l'observability per progetti Serverless
Luciano Mammino
 
PDF
Finding a lost song with Node.js and async iterators - NodeConf Remote 2021
Luciano Mammino
 
PDF
Finding a lost song with Node.js and async iterators - EnterJS 2021
Luciano Mammino
 
PDF
How to send gzipped requests with boto3
Luciano Mammino
 
Serverless Rust: Your Low-Risk Entry Point to Rust in Production (and the ben...
Luciano Mammino
 
Did you know JavaScript has iterators? DublinJS
Luciano Mammino
 
What I learned by solving 50 Advent of Code challenges in Rust - RustNation U...
Luciano Mammino
 
Building an invite-only microsite with Next.js & Airtable - ReactJS Milano
Luciano Mammino
 
From Node.js to Design Patterns - BuildPiper
Luciano Mammino
 
Let's build a 0-cost invite-only website with Next.js and Airtable!
Luciano Mammino
 
Everything I know about S3 pre-signed URLs
Luciano Mammino
 
JavaScript Iteration Protocols - Workshop NodeConf EU 2022
Luciano Mammino
 
Building an invite-only microsite with Next.js & Airtable
Luciano Mammino
 
Let's take the monolith to the cloud 🚀
Luciano Mammino
 
A look inside the European Covid Green Certificate - Rust Dublin
Luciano Mammino
 
Monoliths to the cloud!
Luciano Mammino
 
The senior dev
Luciano Mammino
 
Node.js: scalability tips - Azure Dev Community Vijayawada
Luciano Mammino
 
A look inside the European Covid Green Certificate (Codemotion 2021)
Luciano Mammino
 
AWS Observability Made Simple
Luciano Mammino
 
Semplificare l'observability per progetti Serverless
Luciano Mammino
 
Finding a lost song with Node.js and async iterators - NodeConf Remote 2021
Luciano Mammino
 
Finding a lost song with Node.js and async iterators - EnterJS 2021
Luciano Mammino
 
How to send gzipped requests with boto3
Luciano Mammino
 

Recently uploaded (20)

PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Approach and Philosophy of On baking technology
30anthuong17
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 

Processing TeraBytes of data every day and sleeping at night

  • 1. Processing Terabytes of data every day … and sleeping at night @katavic_d - @loige User Group Dublin 05/02/2019 loige.link/tera-dub
  • 2. Domagoj KatavicSenior Software Engineer 🐦 @katavic_d 😸 github.com/dkatavic
  • 3. Luciano Mammino Cloud Architect 🐦 @loige 😸 github.com/lmammino loige.co 4.7 out of 5 stars on Amazon.com With @mariocasciaro
  • 4. Agenda ● The problem space ● Our first MVP & Beta period ● INCIDENTS! And lessons learned ● AWS Nuances ● Process to deal with incidents ● Development best practices ● Release process @katavic_d - @loige
  • 5. AI to detect and hunt for cyber attackers Cognito Platform ● Detect ● Recall @katavic_d - @loige
  • 6. Cognito Detect on premise solution ● Analyzing network traffic and logs ● Uses AI to deliver real-time attack visibility ● Behaviour driven Host centric ● Provides threat context and most relevant attack details @katavic_d - @loige
  • 8. Cognito Recall ● Collects network metadata and stores it in “the cloud” ● Data is processed, enriched and standardised ● Data is made searchable @katavic_d - @loige A new Vectra product for Incident Response
  • 9. Recall requirements ● Data isolation ● Ingestion speed: ~2GB/min x customer (up ~3TB x day per customer) ● Investigation tool: Flexible data exploration @katavic_d - @loige
  • 10. Agenda ● The problem space ● Our first MVP & Beta period ● INCIDENTS! And lessons learned ● AWS Nuances ● Process to deal with incidents ● Development best practices ● Release process @katavic_d - @loige
  • 12. @katavic_d - @loige Control plane Centralised Logging & Metrics
  • 13. Security ● Separate VPCs ● Strict Security Groups (whitelisting) ● Red, amber, green subnets ● Encryption at rest through AWS services ● Client Certificates + TLS ● Pentest @katavic_d - @loige
  • 14. Let’s start the beta! @katavic_d - @loige
  • 15. Warning: different timezones! A cu m Our ne * @katavic_d - @loige *yeah, we actually look that cute when we sleep!
  • 16. Agenda ● The problem space ● Our first MVP & Beta period ● INCIDENTS! And lessons learned ● AWS Nuances ● Process to deal with incidents ● Development best practices ● Release process @katavic_d - @loige
  • 19. Lambda timeouts incident ● AWS Lambda timeout: 5 minutes 15 minutes ● We are receiving files every minute (containing 1 minute of network traffic) ● During peak hours for the biggest customer, files can be too big to be processed within timeout limits @katavic_d - @loige
  • 22. Lessons learned ● Predictable data input for predictable performance ● Data ingestion parallelization (exploiting serverless capabilities) @katavic_d - @loige
  • 24. Lambdas IP starvation incident ● Spinning up many lambdas consumed all the available IPs in a subnet ● Failure to get an IP for the new ES machines ● ElasticSearch cannot scale up ● Solution: separate ElasticSearch and Lambda subnets @katavic_d - @loige GI IP!
  • 25. Lessons learned ● Every running lambda inside a VPC uses an ENI (Elastic Network Interface) ● Every ENI takes a private IP address ● Edge conditions or bugs might generate spikes in the number of running lambdas and you might run out of IPs in the subnet! ● Consider putting lambdas in their dedicated subnet @katavic_d - @loige
  • 30. ● New lambda version: triggered insertion failures ● ElasticSearch rejecting inserts and logging errors ● Our log reporting agents got stuck (we DDoS’d ourselves!) ● Monitoring/Alerting failed Resolution: ● Fix mismatching schema ● Scaled out centralised logging system Why didn’t we receive the page @katavic_d - @loige
  • 31. Alerting on lambda failures Using logs: ● Best case: no logs ● Worst case: no logs (available)! A better approach: ● Attach a DLQ to your lambdas ● Alert on queue size with CloudWatch! ● Visibility on Lambda retries @katavic_d - @loige
  • 35. Fast retry at peak times ● Lambda retry logic is not configurable loige.link/lambda-retry ● Most events will be retried 2 times ● Time between retry attempts is not clearly defined (observed in the order of few seconds) ● What if all retry attempts happen at peak times? @katavic_d - @loige
  • 36. Fast retry at peak times @katavic_d - @loige
  • 37. Fast retry at peak times Processing in these range of time is likely to succeed@katavic_d - @loige
  • 38. Fast retry at peak times @katavic_d - @loige
  • 39. Fast retry at peak times Processing in this range of time is likely to fail@katavic_d - @loige
  • 40. Fast retry at peak times If retries are in the same zone, the message will fail and go to the DLQ 1st retry 2nd retry
  • 41. Can we extend the retry period in case of failure? @katavic_d - @loige
  • 42. @katavic_d - @loige Extended retry period We normally trigger our ingestion Lambda when a new file is stored in S3
  • 43. @katavic_d - @loige Extended retry period If the Lambda fails, the event is automatically retried, up to 2 times
  • 44. @katavic_d - @loige Extended retry period If the Lambda still fails, the event is copied to the Dead Letter Queue (DLQ)
  • 45. @katavic_d - @loige Extended retry period At this point our Lambda, can receive an SQS event from the DLQ (custom retry logic)
  • 46. @katavic_d - @loige Extended retry period If the processing still fails, we can extend the VisibilityTimeout (event delay) x3
  • 47. @katavic_d - @loige Extended retry period If the processing still fails, we eventually drop the message and alert for manual intervention. x3
  • 48. Lessons learned ● Cannot always rely on the default retry logic ● SQS events + DLQ = custom SERVERLESS retry logic ● Now we only alert on custom metrics when we are sure the event will fail (logic error) ● https://loige.link/async-lambda-retry @katavic_d - @loige
  • 49. Agenda ● The problem space ● Our first MVP & Beta period ● INCIDENTS! And lessons learned ● AWS Nuances ● Process to deal with incidents ● Development best practices ● Release process @katavic_d - @loige
  • 50. AWS nuances ● Serverless is generally cheap, but be careful! ○ You are paying for wait time ○ Bugs may be expensive ○ 100ms charging blocks ● https://loige.link/lambda-pricing ● https://loige.link/serverless-costs-all-wrong @katavic_d - @loige
  • 51. AWS nuances ● Not every service/feature is available in every region or AZ ○ SQS FIFO :( ○ Not all AWS regions have 3 AZs ○ Not all instance types are available in every availability zone ● https://loige.link/aws-regional-services @katavic_d - @loige
  • 52. AWS nuances ● Limits everywhere! ○ Soft vs hard limits ○ Take them into account in your design ● https://loige.link/aws-service-limits @katavic_d - @loige
  • 53. Agenda ● The problem space ● Our first MVP & Beta period ● INCIDENTS! And lessons learned ● AWS Nuances ● Process to deal with incidents ● Development best practices ● Release process @katavic_d - @loige
  • 54. Process How to deal with incidents ● Page ● Engineers on call ● Incident Retrospective ● Actions @katavic_d - @loige
  • 55. Pages ● Page is an alarm for people on call (Pagerduty) ● Rotate ops & devs (share the pain) ● Generate pages from different sources (Logs, Cloudwatch, SNS, grafana, etc) ● When a page is received, it needs to be acknowledged or it is automatically escalated ● If customer facing (e.g. service not available), customer is notified @katavic_d - @loige
  • 56. Engineers on call 1. Use operational handbook 2. Might escalate to other engineers 3. Find mitigation / remediation 4. Update handbook 5. Prepare for retrospective @katavic_d - @loige
  • 57. Incidents Retrospective "Regardless of what we discover, we understand and truly believe that everyone did the best job they could, given what they knew at the time, their skills and abilities, the resources available, and the situation at hand." – Nor t , Pro t R os t e : A Han k o T m e TLDR; NOT A BLAMING GAME! @katavic_d - @loige
  • 58. Incidents Retrospective ● Summary ● Events timeline ● Contributing Factors ● Remediation / Solution ● Actions for the future ● Transparency @katavic_d - @loige
  • 59. Agenda ● The problem space ● Our first MVP & Beta period ● INCIDENTS! And lessons learned ● AWS Nuances ● Process to deal with incidents ● Development best practices ● Release process @katavic_d - @loige
  • 60. Development best practices ● Regular Retrospectives (not just for incidents) ○ What’s good ○ What’s bad ○ Actions to improve ● Kanban Board ○ All work visible ○ One card at the time ○ Work In Progress limit ○ “Stop Starting Start Finishing” @katavic_d - @loige
  • 61. Development best practices ● Clear acceptance criteria ○ Collectively defined (3 amigos) ○ Make sure you know when a card is done ● Split the work in small cards ○ High throughput ○ More predictability ● Bugs take priority over features! @katavic_d - @loige
  • 62. Development best practices ● Pair programming ○ Share the knowledge/responsibility ○ Improve team dynamics ○ Enforced by low WIP limit ● Quality over deadlines ● Don’t estimate without data @katavic_d - @loige
  • 63. Agenda ● The problem space ● Our first MVP & Beta period ● INCIDENTS! And lessons learned ● AWS Nuances ● Process to deal with incidents ● Development best practices ● Release process @katavic_d - @loige
  • 64. Release process ● Infrastructure as a code ○ Deterministic deployments ○ Infrastructure versioning using git ● No “snowflakes”, one code base for all customers ● Feature flags: ○ Special features ○ Soft releases ● Automated tests before release @katavic_d - @loige
  • 65. Conclusion @katavic_d - @loige We are still waking up at night sometimes, but we are definitely sleeping a lot more and better! Takeaways: ● Have healthy and clear processes ● Always review and strive for improvement ● Monitor/Instrument as much as you can (even monitoring) ● Use managed services to reduce the operational overhead (but learn their nuances)
  • 66. We are hiring … Talk to us!@katavic_d - @loige Thank you! loige.link/tera-dub
  • 67. Credits Pictures from Unsplash Huge thanks for support and reviews to: ● All the Vectra team ● Yan Cui (@theburningmonk) ● Paul Dolan ● @gbinside ● @augeva ● @Podgeypoos79 ● @PawrickMannion ● @micktwomey ● Vedran Jukic