End-to-End Security Analytics with the Elastic Stack. Samir Bennacer


Transcription:


Attacks are inevitable

Cybersecurity Maturity Curve
Phase 1: Security Event Management. Phase 2: Automation. Phase 3: Proactive Analytics.
Capabilities along the curve: Security Event Collection, Data Enrichment, Detection, Anomaly Detection, Incident Response Automation, Threat Hunting, Insider Threats.

Elastic Edge #1: Security data is exploding. Scalability is more than a checkbox: scalable from the start, distributed by design, real-time at scale.

Elastic Edge #2: Threats are always changing. Everything is indexed; do more with machine learning.

Elastic Edge #3: Alert fatigue. The ability to focus on the most relevant events instead of chasing tickets, by focusing on relevance, significance and anomalous behaviour.

Advantages of the Elastic Stack: improve your security posture.
Eliminate blind spots by using all your data. Investigate threats more quickly and efficiently. Reduce dwell time by identifying threats earlier.

Foundation for Effective Security Analysis: Collect, Normalize, Enrich, Index.
Collect all parts of the puzzle. Normalize for aggregation and correlation across sources. Enrich to extend the attributes available for analysis. Index the data for fast search and analytics.

Normalization and Enrichment Using Logstash (Collect, Normalize, Enrich, Index)
Pipeline: Beats and other sources -> Logstash (centralized configuration management, persistent disk-based queues) -> Elasticsearch.
Inputs: Beats, JDBC (RDBMS), TCP, UDP, Syslog servers, Kafka, RabbitMQ, HTTP, ArcSight codec; sources include network / security data, infra / app data and IoT / sensors.
Filters: extract fields, pattern matching, geo enrich, lookup enrich, DNS lookups.
Outputs: Elasticsearch.

Intelligence helps to improve effectiveness.
Levels: Strategic, Tactical, Operational. Questions answered: Who? Why? Where? What? When? How? Artefacts: tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs).

Data Enrichment
Threat Intelligence: reputation information, IOCs, TTPs.
Geo IP Information: physical location; country, state, postal code; geo fence.
Other Information: vulnerability data, network model, user information, org chart, DNS resolution.

Specialized Enrichment Filters: 1. Geoip filter, 2. Useragent filter, 3. CIDR filter, 4. DNS filter.

Generic Enrichment Filters: 1. Translate filter, 2. Elasticsearch filter, 3. JDBC streaming filter, 4. JDBC static filter.
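The collect / normalize / enrich steps and the eight filters above are Logstash plugins. To make the step concrete, here is an added Python example (not code from the talk, and not Elastic's own) that does the same job over a few constructed OpenSSH log lines: grok-style field extraction into ECS-like field names, a cidr-style internal/external tag, a geoip-style lookup, a dns-style reverse lookup and a translate-style threat-intel lookup. The lookup tables, hostnames, IP addresses and log lines are all constructed sample data; the real filters would read a MaxMind database, the resolver and a dictionary file instead.

```python
"""Normalize-then-enrich pipeline in the style of the Logstash filters named
on the slides (extract fields, cidr, geoip, dns, translate). Added example;
every lookup table and log line below is constructed sample data."""
import ipaddress
import re
from typing import Optional

# geoip filter stand-in: the real plugin reads a MaxMind database.
GEOIP_TABLE = {
    "203.0.113.0/24": {"country_iso_code": "ZZ", "city_name": "Testville"},
    "198.51.100.0/24": {"country_iso_code": "YY", "city_name": "Example City"},
}
# cidr filter: address ranges the analyst treats as internal (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# dns filter stand-in: reverse lookups served from a static map so this runs offline.
PTR_TABLE = {"10.1.2.3": "fileserver01.corp.example",
             "203.0.113.77": "scanner.example.test"}
# translate filter stand-in: a threat-intel dictionary keyed by IOC (source IP).
THREAT_INTEL = {"203.0.113.77": "known-scanner", "198.51.100.9": "c2-node"}

# "Extract fields": a grok-like pattern for OpenSSH authentication lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)"
)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def geoip(ip: str) -> Optional[dict]:
    addr = ipaddress.ip_address(ip)
    for net, info in GEOIP_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return dict(info)
    return None


def normalize(line: str) -> Optional[dict]:
    """Turn one raw line into an ECS-style document so events from different
    sources share field names and can be aggregated and correlated together."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparsed lines are dropped here; Logstash would tag them instead
    return {
        "@timestamp": m["ts"],
        "host": {"name": m["host"]},
        "event": {"outcome": "success" if m["result"] == "Accepted" else "failure"},
        "user": {"name": m["user"]},
        "source": {"ip": m["src_ip"], "port": int(m["src_port"])},
    }


def enrich(event: dict) -> dict:
    """Extend the document with attributes that are not in the raw log."""
    ip = event["source"]["ip"]
    # cidr filter: one tag that later rules can key on instead of re-deriving ranges
    event["tags"] = ["internal" if is_internal(ip) else "external"]
    # geoip filter: only external addresses have a meaningful location
    geo = None if is_internal(ip) else geoip(ip)
    if geo:
        event["source"]["geo"] = geo
    # dns filter: reverse-resolve for analyst readability
    if ip in PTR_TABLE:
        event["source"]["domain"] = PTR_TABLE[ip]
    # translate filter: dictionary lookup with an explicit default when absent
    event["threat"] = {"indicator": THREAT_INTEL.get(ip, "none")}
    return event


def process(lines):
    """Collect -> normalize -> enrich; returns the documents ready to index."""
    return [enrich(doc) for doc in map(normalize, lines) if doc]


# Constructed syslog lines; the last one is not an sshd line and is dropped.
SAMPLE_LOGS = [
    "Mar  4 10:01:02 bastion01 sshd[2231]: Failed password for invalid user admin from 203.0.113.77 port 51234 ssh2",
    "Mar  4 10:01:09 bastion01 sshd[2240]: Accepted publickey for alice from 10.1.2.3 port 40022 ssh2",
    "Mar  4 10:02:40 bastion01 sshd[2251]: Failed password for root from 198.51.100.9 port 33011 ssh2",
    "Mar  4 10:03:00 bastion01 cron[300]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for doc in process(SAMPLE_LOGS):
        print(doc)
```

The point of the normalize step is that `source.ip`, `user.name` and `event.outcome` now mean the same thing whether the line came from sshd, a firewall or a web proxy, so one aggregation or one alert rule covers all of them; the enrich step then adds the context (internal/external, location, hostname, reputation) that an analyst would otherwise look up by hand for every hit.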

Alerting on Threats with fewer false positives

Event Correlation with Alerting: the mechanics of a Watch

Integrating Alerts with Other Systems: from Elasticsearch to security applications, SDN switches, messaging services, robotic process automation and issue tracking services.

Webhook Example (Watcher webhook action, truncated on the slide)

    "webhook" : {
      "method" : "POST",
      "url" : "https://api.github.com/repos/<owner>/<repo>/issues",
      "body": "{{#tojson}}ctx.payload{{/tojson}}",
      "auth" : {
        "basic" : {
          "username" : "<username>",
          "password" : "<password>"
          ...

Detecting Anomalies using machine learning

What is Normal? When something behaves like itself (its own pattern Monday through Friday), and when something behaves like its peers.

When abnormal matters
User Behavior: unusual authentication activity, unusual file access.
Host Behavior: free disk space lower than average, unusual log entries.
Network Behavior: unusual connections between hosts, higher than average data transfer.
Application Behavior: service response time abnormally high, dropped connections exceed normal.
(Chart: high memory alerts for server 1, server 2, server 3.)

The advantages of anomaly-driven alerting: understand seasonality, reduce false positives, identify areas of focus, avoid manual threshold review and revision.
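The two notions of "normal" on the previous slides (behaves like itself, behaves like its peers) and the four advantages listed here can be shown without any ML library. The following added Python example (not from the talk, and not Elastic's ML job) scores a host's daily failed-login count against its own history for the same weekday, and against its peers on the same day, using a robust modified z-score, then contrasts the result with a hand-set fixed threshold. The host names, counts and the 3.5 cutoff are constructed assumptions; the weekday pattern is built in deliberately so the seasonality point is visible.

```python
"""Anomaly-driven alerting versus a fixed threshold, as a stand-alone added
example. Each host is scored against its own weekday history ("behaves like
itself") and against its peers on the same day ("behaves like its peers")
with a robust modified z-score, so no threshold has to be hand-tuned.
All counts below are constructed sample data, not real telemetry."""
import statistics

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed history: four weeks of daily failed-login counts per host,
# listed Monday to Sunday. Mondays are busiest, weekends are quiet.
HISTORY = {
    "server1": [40, 30, 31, 29, 28, 5, 4, 42, 29, 33, 30, 27, 6, 3,
                39, 31, 30, 28, 29, 4, 5, 41, 30, 32, 31, 28, 5, 4],
    "server2": [38, 29, 30, 30, 27, 4, 5, 40, 31, 29, 28, 29, 5, 4,
                41, 30, 31, 29, 28, 6, 5, 39, 28, 30, 30, 27, 4, 3],
    "server3": [37, 31, 29, 28, 28, 5, 3, 39, 30, 30, 29, 27, 4, 4,
                40, 29, 31, 30, 28, 5, 5, 38, 31, 30, 28, 29, 4, 4],
}
# Constructed observations: a Monday where server3 is far above its norm,
# and a Saturday where server1 is modestly high in absolute terms but far
# above what a weekend normally looks like.
TODAY = {"weekday": "Mon", "counts": {"server1": 43, "server2": 39, "server3": 120}}
SATURDAY = {"weekday": "Sat", "counts": {"server1": 25, "server2": 5, "server3": 4}}


def weekday_history(values, weekday):
    """Only the samples that fall on the given weekday: this is the seasonality."""
    return values[WEEKDAYS.index(weekday)::7]


def modified_z(value, sample):
    """Iglewicz-Hoaglin modified z-score: 0.6745 * (x - median) / MAD.
    Median and MAD are not dragged around by the outliers we are hunting.
    If every sample is identical the MAD is 0; a unit scale is used then (assumption)."""
    med = statistics.median(sample)
    mad = statistics.median(abs(v - med) for v in sample)
    return 0.6745 * (value - med) / (mad if mad > 0 else 1.0)


def self_anomalies(history, day, cutoff=3.5):
    """Hosts whose count is unusual for that host on that weekday."""
    flagged = []
    for host, count in day["counts"].items():
        baseline = weekday_history(history[host], day["weekday"])
        if abs(modified_z(count, baseline)) > cutoff:
            flagged.append(host)
    return flagged


def peer_anomalies(day, cutoff=3.5):
    """Hosts whose count is unusual compared with their peers on the same day."""
    counts = day["counts"]
    peers = list(counts.values())
    return [h for h, c in counts.items() if abs(modified_z(c, peers)) > cutoff]


def fixed_threshold_alerts(day, threshold):
    """The manual-threshold approach the slide argues against."""
    return [h for h, c in day["counts"].items() if c > threshold]


if __name__ == "__main__":
    for day in (TODAY, SATURDAY):
        print(day["weekday"],
              "fixed(>35):", fixed_threshold_alerts(day, 35),
              "self:", self_anomalies(HISTORY, day),
              "peers:", peer_anomalies(day))
```

On the Monday a fixed threshold of 35 fires on all three hosts, because Mondays are always busy, while both anomaly views single out server3 only. On the Saturday the fixed threshold misses server1 entirely, while the weekday-aware baseline flags it. That is the "understand seasonality" and "reduce false positives" argument in one run, and the cutoff never needed revisiting when the Monday volume drifted.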

Threat Hunting and the intelligence enrichment cycle

Threat Modeling, developing a hypothesis: Who is your adversary? What is their motivation? What are they targeting? What is the impact of a successful attack?

The intelligence feedback loop: Intelligence -> Hypothesis -> Operations -> Investigation -> New patterns and IOAs / IOCs -> back to Intelligence (inform and enrich).
What are you looking for? Use different data sets, identify the patterns, then feed the IOCs back and create new alerts to improve the speed of detection.

The intelligence feedback loop: Intelligence and Operations.

The Elastic Stack Enables Quick Iteration: speed is king.
Eliminate blind spots by using all your data. Investigate threats more quickly and efficiently. Reduce dwell time by identifying threats earlier.

Cybersecurity Maturity Curve (recap)
Phase 1: Security Event Management. Phase 2: Automation. Phase 3: Proactive Analytics.
Capabilities along the curve: Security Event Collection, Data Enrichment, Detection, Anomaly Detection, Incident Response Automation, Threat Hunting, Insider Threats.

Questions? Come to the Demo Booth!