Project Syn Frequently Asked Questions

Document created by Naveen Sunkavally Employee on Dec 8, 2017Last modified by Naveen Sunkavally Employee on Dec 8, 2017
Version 7Show Document
  • View in full screen mode

What is Project Syn?

Project Syn extends the capabilities of RSA Netwitness to provide runtime visibility and threat detection to Docker containers. Project Syn uses statistical techniques and machine learning to detect anomalous container behavior and raise security alerts.


How is Project Syn Deployed?

Project Syn is an agent-based solution that is delivered as a Docker container. Each container host in your environment runs a Syn container. The Syn container is compatible with container orchestration providers such as Kubernetes, DC/OS, and Docker Swarm.


The Syn container passively collects data about other containers on the same host and feeds the data to the Syn cloud service, which analyzes the data and generates alerts. The Syn dashboard presents the alerts.


What are the minimum requirements to run Project Syn?

  • The Syn container is supported on any Linux host or VM capable of supporting Docker. The minimum requirements for Docker on Linux are here.
  • Minor host or VM-level configuration may be required to ensure collection of network flow data.
  • The Syn container must be provisioned with at least 512M of memory.


Does the Syn container require any additional privileges to operate?

Yes, in order to collect the relevant monitoring data, the Syn container is required to run as root and requires the following additional container privileges beyond what is allocated by default:

  • NET_ADMIN capability (--cap-add NET_ADMIN)
  • host-level process namespace privileges (--pid host)
  • host-level network privileges (--network host)
  • access to the local Docker daemon UNIX domain socket via a volume mount (-v /var/run/docker.sock:/var/run/docker.sock)


I Don't Want Yet Another Dashboard. How Do I Route Alerts into my own SIEM Tool?

Project Syn provides a Logstash container that downloads your alerts as they arrive and forwards them to the SIEM tool of your choice. By default the Logstash container integrates with RSA Netwitness Logs.


Can we integrate this with NetWitness for Packets?

At this time the answer is no. We’re working on a solution with our architecture team that will work best for our customers!


What does this solution cost?

Nothing! We hope that participants benefit from our alerts while we are able to learn how to improve our alerts from the data you share with us!


Can I have more than one Syn container associated with my account?

Yes, Syn is designed to support multiple container hosts. There is no limit to the number of Syn containers you may deploy.


Ok I'm Sold. How Do I Get Started?

Check out the Getting Started with Project Syn video, and register here to create an account! And to go more in depth, check out the articles here.