Arthur Eyckerman | Solutions Architect | @tuurleyck
SIEM & Endpoint Security
Elastic Stack
Ingest: Beats, Logstash
Store, search, & analyze: Elasticsearch
Visualize & manage: Kibana
Solutions built on the Elastic Stack
Deployment: SaaS (Elastic Cloud) or self-managed (Elastic Cloud Enterprise, standalone)
Timeline, 2010 to today; milestones shown:
• Elasticsearch 0.4 released
• Elasticsearch 1.0 released
• Kibana joins forces
• Logstash joins forces
• Beats to collect all the data
• Elastic Cloud launched
• Machine learning firm Prelert acquired
• Growing use of ELK for threat hunting
• ECS 1.0 released
• Security consultancy Perched acquired
• SIEM app released
• Endgame acquired
Elastic builds software to make data usable in real time and at scale, powering solutions like search, logging, metrics, security, and more.
Protect your organization
Elastic Security
Vision: To protect the world’s data from attack.
Goal: Deliver a single security solution, combining SIEM and endpoint, powered by industry-leading and validated protections to reduce risk for any user.
Elastic Security
Prevent, Detect, Respond: Elastic Endpoint Security and Elastic SIEM
Optimal protection against cyber threats with integrated Endpoint Security and SIEM
Why Elastic for security? Speed, scale, relevance
Elastic is a search company, and security analytics is a search problem.
Prevention falls short; detection is crucial
Iterative cycle: Prevention, Detection, Response, Retrospection
Threat Detection Approaches, by time-to-detect
Real-time or near-real-time: Network Analysis, Payload Analysis, Endpoint Analysis
Post-compromise (days or weeks): Network Forensics, Payload Forensics, Endpoint Forensics
Log-based Security Analytics
# 1 Elastic Edge: Security data exploding
• Scalable from start
• Distributed by design
• Real time at scale
# 2 Elastic Edge: New threats every day
• Everything is indexed
• Snappy search at scale
• Do more with machine learning
# 3 Elastic Edge: Volume pricing not viable
• Licensing model that puts the customer in control
• Flexibility to balance data retention, performance, and cost objectives
• Price points that don’t limit decision-making
Many Security Analytics Use Cases
• Beyond SIEM: extended SecOps functions beyond SIEM (existing SIEM hitting limits)
• MSSP: data store and search engine for security events (service providers offer a managed SIEM solution)
• SIEM alternative: centralized log collection and security analysis (no existing SIEM)
• Custom security application: platform for special security projects/apps (in-house app dev team creates the app)
• OEM solution: data store, search engine, and analysis platform (security vendor companies build an end-user product)
Elastic Security Customers
Elastic SIEM as Threat Hunting Platform
Capabilities: Inventory & Vulnerability Management, Telemetry, SIEM Detection, Triage, Threats, Behaviors
Activities: Hunt, Track, Act
Adapted from: https://github.com/swannman/ircapabilities by mswann@microsoft.com | @MSwannMSFT | linkedin.com/in/swannman | Used under Creative Commons Attribution 4.0 International
Elastic SIEM
Elastic SIEM: A SIEM for Elastic Stack users everywhere
• Elastic SIEM app
• Elastic Common Schema (ECS)
• Network & host data integrations
• Security content by Elastic & community
Kibana: Visualize your Elasticsearch data and navigate the Elastic Stack
Elasticsearch: A distributed, RESTful search and analytics engine
Ingest: Beats, Logstash, Elastic Endpoint
Elastic SIEM
Same data. Different questions.
Ingest & prepare: ecosystem of network and host data connectors; Elastic Common Schema (ECS)
Analytics: machine learning and alerting; ad hoc queries at scale; graph analytics
Detect, hunt, investigate: automated attack detection; interactive threat hunting; rapid event triage and investigation
Curated integrations: Host data
Auditbeat
● System module (Linux, macOS, Win.): packages, processes, logins, sockets, users and groups
● Auditd module (Linux Kernel Audit info)
● File integrity monitoring (Linux, macOS, Win.)
Filebeat
● System logs (auth logs) (Linux)
● Santa (macOS)
Winlogbeat
● Windows event logs
● Sysmon
Curated integrations: Network data
Packetbeat
● Flows
● DNS
● Other protocols
Filebeat
● IDS/IPS/NMS modules: Zeek NMS, Suricata IDS
● NetFlow, CEF
● Firewall modules: Cisco ASA, FTD, Palo Alto Networks, Ubiquiti IPTables
● Kubernetes modules: CoreDNS, Envoy proxy
● Google VPC flow logs, PubSub Input
Elastic Common Schema (ECS)
Normalize data to streamline analysis
• Defines a common set of fields and objects to ingest data into Elasticsearch
• Enables cross-source analysis of diverse data
• Designed to be extensible
• ECS is in GA and is being adopted throughout the Elastic Stack
• Contributions & feedback welcome at https://github.com/elastic/ecs
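What "cross-source analysis" buys you becomes concrete once two unrelated sources share field names. The following is an added example, not code from the deck or from Elastic's Beats modules: it maps a Linux sshd auth log line and a Windows Security logon event onto ECS field names (@timestamp, event.category, event.outcome, user.name, source.ip, host.name), then runs one query over both. The sample log lines and Windows events are constructed; the event.dataset values, the assumed log year, and the alert threshold are choices made here, not ECS or Beats conventions.

```python
"""Normalize two unrelated log sources into ECS fields and query them together.

Added example. Sample inputs are constructed; field names are ECS names,
written here as flattened dotted keys (Elasticsearch expands "a.b" into nested objects).
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: Linux auth log lines, the kind Filebeat's system module ships.
AUTH_LOG_LINES = [
    "Oct  3 10:15:01 web-01 sshd[1432]: Failed password for invalid user admin from 203.0.113.9 port 50212 ssh2",
    "Oct  3 10:15:07 web-01 sshd[1432]: Failed password for root from 203.0.113.9 port 50214 ssh2",
    "Oct  3 10:16:30 web-01 sshd[1440]: Accepted publickey for deploy from 198.51.100.20 port 41022 ssh2",
]

# Constructed sample: Windows Security events 4625 (failed logon) and 4624 (successful logon),
# reduced to the EventData fields this example uses.
WIN_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2019-10-03T10:15:20Z", "Computer": "dc-01.corp.example",
     "TargetUserName": "admin", "IpAddress": "203.0.113.9", "LogonType": "3"},
    {"EventID": 4624, "TimeCreated": "2019-10-03T10:17:02Z", "Computer": "dc-01.corp.example",
     "TargetUserName": "j.doe", "IpAddress": "10.0.0.15", "LogonType": "2"},
]

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def syslog_ts_to_iso(ts: str, year: int = 2019) -> str:
    """Syslog timestamps carry no year; the year is an assumed parameter here."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.isoformat().replace("+00:00", "Z")


def auth_line_to_ecs(line: str) -> dict:
    """Map one sshd auth line onto ECS authentication fields."""
    m = AUTH_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised auth line: {line!r}")
    return {
        "@timestamp": syslog_ts_to_iso(m["ts"]),
        "event.dataset": "system.auth",          # dataset name chosen for this example
        "event.kind": "event",
        "event.category": "authentication",
        "event.action": "ssh_login",
        "event.outcome": "failure" if m["result"] == "Failed" else "success",
        "user.name": m["user"],
        "source.ip": m["ip"],
        "source.port": int(m["port"]),
        "host.name": m["host"],
    }


def win_event_to_ecs(ev: dict) -> dict:
    """Map a Windows 4624/4625 logon event onto the same ECS fields."""
    return {
        "@timestamp": ev["TimeCreated"],
        "event.dataset": "windows.security",     # dataset name chosen for this example
        "event.kind": "event",
        "event.category": "authentication",
        "event.action": "logon_type_" + ev["LogonType"],
        "event.outcome": "failure" if ev["EventID"] == 4625 else "success",
        "user.name": ev["TargetUserName"],
        "source.ip": ev["IpAddress"],
        "host.name": ev["Computer"],
    }


def normalize_all() -> list:
    """Both sources, one schema: the list a single index query can run over."""
    return [auth_line_to_ecs(l) for l in AUTH_LOG_LINES] + [win_event_to_ecs(e) for e in WIN_EVENTS]


def failed_logons_by_source(events: list, threshold: int = 2) -> dict:
    """Count authentication failures per source.ip across every dataset.

    The same filter works for both sources because they share ECS field names;
    without normalization this would be two queries on two field sets.
    """
    counts = Counter(
        e["source.ip"] for e in events
        if e["event.category"] == "authentication" and e["event.outcome"] == "failure"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = normalize_all()
    for ev in events:
        print(ev["@timestamp"], ev["event.dataset"], ev["user.name"], ev["source.ip"], ev["event.outcome"])
    print("sources with repeated failures:", failed_logons_by_source(events))
```

Only the two mapping functions know anything about their source format; the query at the end sees a single set of ECS fields, which is the point of the schema. The same source address fails against the Linux host twice and against the domain controller once, and only the normalized view adds those up.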
SIEM App Overview
Curated workflows for the SOC team
Manage security events
• Visualize and analyze security events
Perform initial triage
• Investigate security events, alerts, and alarms
• Annotate investigations and create incidents
• Hand off incidents to a third-party case/incident/orchestration (SOAR) system
View SOC security posture
• Visualize overall event, alarm, investigation, and incident status and history
SIEM App Timeline
Event Explorer: analyst-friendly qualification and investigation workflows
● Time-ordered events
● Drag-and-drop filtering
● Multi-index search
● Annotations, comments
● Formatted event views
● Persistent storage
Integrated ML Detection
Trigger jobs and view results in the SIEM app
● Enable and control pre-built and custom ML jobs
● View results in Hosts and Network views
● Links to ML app within Kibana
SIEM + Maps
Geo-based analysis with Elastic Maps
● Shows source and destination geo location of network data
● Interactive — responds to filters and allows setting filters
● Further plans for SIEM + Maps
Elastic SIEM Ecosystem
These are just some of our partners and community members. The presence of a vendor logo doesn’t imply a business relationship with Elastic.
● Host sources
● Network sources
● Cloud platforms & applications
● User activity sources
● SIEMs & centralized security data stores
Internal context; external context
Security orchestration, automation, response; security incident response; general ticket & case management
Community; consulting; education & training; solutions integrators, value-added resellers, MSPs & MSSPs
Even more for security analysts to love
Elastic Endpoint Security
Security starts at the endpoint
As simple as antivirus, but way more powerful
• Prevents malware and ransomware before damage and loss
• AI-powered endpoint detection and response
• Built for today’s hybrid cloud environments
Attacks have evolved
54% of companies experienced 1+ attacks that compromised data or IT infrastructure
77% of those attacks utilized exploits or fileless techniques
Cyber criminals have broadened their reach to bypass simple security mechanisms and use bespoke software to target your organization.
• Rise of nation state hacking groups
• Malware now works to stay hidden
• Automated and “Malware-as-a-Service” tools have made file-based detection obsolete
Not just malware! Not just files! No single attack technique!
SecOps OODA Loop
Observe: Collect, store, and search all your data
Orient: Detect, analyze, and visualize the attack
Decide: Collaborate, scope, and build the response plan
Act: Remediate, validate, and learn from the threat
Key differentiators of Elastic Security
• Customizable for your environment
• Total attack lookback without limitations
• Protection without signatures
• Built for any user
Prevent: Block threats as early as possible
In-line, autonomous prevention: Blocks ransomware, phishing, exploits, and malware, with capabilities proven by rigorous third-party testing. No cloud analysis required.
Protections mapped to the MITRE ATT&CK matrix: It’s not just about the payload. Prevent adversarial behavior before damage and loss.
Completely customized controls: Create your own protection policy and easily apply it at scale.
Collect: Store and search all your security data
Zero-trust policy: Kernel-level data collection and enrichment for adversary tamper resistance
Elastic Common Schema: Open-source specification for uniform data modeling
Instant access to all data sources: Security, operations, and more data sources in one product without limitations
Elasticsearch at the core: The heart of the Stack; search across all your data in an instant
Detect: Investigate at scale, determine the scope
Simple alert triage: Assign and manage alerts with a simple workflow.
Automatic attack visualization: Resolver™ view for scoping the attack and root cause analysis, enriched to accelerate and elevate users
Global detections with customized machine learning: Pre-loaded, one-click machine-learning analysis across all your data
Respond: Remediate, eliminate, validate
One-click containment: Quickly isolate endpoints to prevent further adversary activity
Real-time, automated response: Autonomous, millisecond response actions for detections deeper in the attack lifecycle
Detect once, prevent many: Easily convert detections to preventions
Fits into your existing workflow: OOTB integrations to fit into your existing business processes
Security starts at the endpoint
• Ransomware prevention
• Phishing prevention
• Reflex™ custom prevention
• Malware prevention
• Exploit prevention
• Fileless attack prevention
... and talk to us!
Mark Paffen & Arthur Eyckerman
Thank You
