End-to-End Security Analytics with the Elastic Stack
Samir Bennacer

Attacks are inevitable
Cybersecurity Maturity Curve
Phase 1, Security Event Management: Security Event Collection, Data Enrichment, Detection
Phase 2, Automation: Anomaly Detection, Incident Response Automation
Phase 3, Proactive Analytics: Threat Hunting, Insider Threats
#1 Security Data Exploding
Scalability is more than a checkbox
Elastic Edge: Scalable from the start; Distributed by design; Real-time at scale

#2 Threats Are Always Changing
Elastic Edge: Everything is indexed; Do more with machine learning

#3 Alert Fatigue
Elastic Edge: Ability to focus on the most relevant events instead of chasing tickets; Focus on relevance, significance and anomalous behaviour
Advantages of the Elastic Stack: improve your security posture
Eliminate blind spots by using all your data
Investigate threats more quickly and efficiently
Reduce dwell time by identifying threats earlier

Foundation for Effective Security Analysis: Collect, Normalize, Enrich, Index
Collect all parts of the puzzle
Normalize for aggregation and correlation across sources
Enrich to extend the attributes available for analysis
Index data for fast search and analytics
Normalization and Enrichment Using Logstash (Collect, Normalize, Enrich, Index)
[Diagram: data sources feed Logstash inputs, pass through filters, and are written to outputs]
Data sources: RDBMS, Beats, Network / Security Data, Servers, Infra / App Data, IoT / Sensors
Inputs: Beats, JDBC, TCP, UDP, Kafka, Syslog, RabbitMQ, HTTP, ArcSight (codec)
Filters: Extract Fields, Pattern Matching, Geo Enrich, Lookup Enrich, DNS Lookups, Codec
Outputs: Elasticsearch
Logstash features: Centralized Configuration Management, Persistent Disk Based Queues
Intelligence helps to improve effectiveness
Levels of intelligence: Strategic, Tactical, Operational
Questions answered: Who? Why? Where? What? When? How?
Artifacts: Tactics, techniques, and procedures (TTPs); Indicators of compromise (IOCs)

Data Enrichment
Threat Intelligence: Reputation information, IOCs, Vulnerability data, TTPs
Geo IP Information: Physical location (Country, State, Postal Code), Geo Fence
Other Information: Network model, User information, Org chart, DNS resolution
Specialized Enrichment Filters
1. Geoip filter
2. Useragent filter
3. CIDR filter
4. DNS filter

Generic Enrichment Filters
1. Translate filter
2. Elasticsearch filter
3. JDBC streaming filter
4. JDBC static filter
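As an added example (not from the deck), a Logstash pipeline that applies several of the filters named above to a constructed firewall log line; the grok pattern, the internal network ranges, the IOC dictionary path and the ECS-style field names are assumptions:

```logstash
input {
  beats { port => 5044 }   # e.g. Filebeat shipping firewall logs
}

filter {
  # Normalize: pull fields out of a constructed line such as
  #   "10.1.2.3 -> 203.0.113.7:443 allowed"   (pattern is an assumption)
  grok {
    match => { "message" => "%{IP:[source][ip]} -> %{IP:[destination][ip]}:%{NUMBER:[destination][port]:int} %{WORD:[event][action]}" }
  }

  # Specialized filter: geoip adds country, city and coordinates for the source
  geoip {
    source => "[source][ip]"
    target => "[source][geo]"
  }

  # Specialized filter: cidr tags events coming from internal address space (ranges assumed)
  cidr {
    address => [ "%{[source][ip]}" ]
    network => [ "10.0.0.0/8", "192.168.0.0/16" ]
    add_tag => [ "internal_source" ]
  }

  # Specialized filter: dns reverse-resolves the destination; copy first so the raw IP is kept
  mutate { copy => { "[destination][ip]" => "[destination][address]" } }
  dns {
    reverse => [ "[destination][address]" ]
    action  => "replace"
  }

  # Generic filter: translate looks the source IP up in a local IOC dictionary
  # (YAML of "ip: description" pairs; path assumed). Unmatched IPs get "no_match".
  # Older plugin versions name these options field / destination.
  translate {
    source          => "[source][ip]"
    target          => "[threat][indicator][description]"
    dictionary_path => "/etc/logstash/ioc_ips.yml"
    fallback        => "no_match"
  }
}

output {
  elasticsearch {
    hosts => [ "https://localhost:9200" ]
    index => "firewall-%{+YYYY.MM.dd}"
  }
}
```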
Alerting on Threats with fewer false positives

Event Correlation with Alerting: The mechanics of a Watch

Integrating Alerts with Other Systems
Elasticsearch at the centre, connected to: Security Applications, SDN Switches, Messaging Services, Robotic Process Automation, Issue Tracking Services

Webhook Example (excerpt of a Watcher action)

  "webhook" : {
    "method" : "POST",
    "url" : "https://api.github.com/repos/<owner>/<repo>/issues",
    "body" : "{{#tojson}}ctx.payload{{/tojson}}",
    "auth" : {
      "basic" : {
        "username" : "<username>",
        "password" : "<password>"
        ...
Detecting Anomalies using machine learning

What is Normal?
When something behaves like itself
When something behaves like its peers
[Chart: weekly pattern, Monday through Friday]

When abnormal matters
User Behavior: Unusual authentication activity; Unusual file access
Host Behavior: Free disk space lower than average; Unusual log entries
Network Behavior: Unusual connections between hosts; Higher than average data transfer
Application Behavior: Service response time abnormally high; Dropped connections exceed normal
[Chart: high memory alerts for server 1, server 2, server 3]

The advantages of anomaly-driven alerting
Understand seasonality
Reduce false positives
Identify areas of focus
Avoid manual threshold review and revision
Threat Hunting and the intelligence enrichment cycle

Threat Modeling: developing a hypothesis
Who is your adversary?
What is their motivation?
What are they targeting?
What is the impact of a successful attack?

The intelligence feedback loop
[Diagram: Intelligence -> Hypothesis -> Operations -> Investigation -> New Patterns and IOA/IOCs -> Inform and Enrich -> Intelligence]
Hypothesis: What are you looking for?
Operations: Different data sets
Investigation: Identify the patterns
Inform and Enrich: Feed the IOCs back and create new alerts to improve the speed of detection
The Elastic Stack Enables Quick Iteration: speed is king
Eliminate blind spots by using all your data
Investigate threats more quickly and efficiently
Reduce dwell time by identifying threats earlier

Cybersecurity Maturity Curve (recap)
Phase 1, Security Event Management: Security Event Collection, Data Enrichment, Detection
Phase 2, Automation: Anomaly Detection, Incident Response Automation
Phase 3, Proactive Analytics: Threat Hunting, Insider Threats

Questions? Come to the Demo Booth!