Elastic SIEM (Endpoint Security)
- 2. Elastic Stack
Ingest: Beats, Logstash
Store, search & analyze: Elasticsearch
Visualize & manage: Kibana
Solutions are built on top of the stack.
Deployment: SaaS (Elastic Cloud) or self-managed (Elastic Cloud Enterprise, standalone)
- 3. Elastic timeline, 2010 to today
● Elasticsearch 0.4 released
● Logstash joins forces
● Kibana joins forces
● Elasticsearch 1.0 released
● Beats to collect all the data
● Elastic Cloud launched
● Machine learning firm Prelert acquired
● Growing use of ELK for threat hunting
● ECS 1.0 released
● Security consultancy Perched acquired
● SIEM app released
● Endgame acquired
- 4. Elastic builds software to make data usable in real time and at scale, powering solutions like search, logging, metrics, security, and more.
- 6. Elastic Security
Vision: to protect the world's data from attack.
Goal: deliver a single security solution, combining SIEM and endpoint, powered by industry-leading and validated protections to reduce risk for any user.
- 12. Threat Detection Approaches
Time-to-detect: real-time or near-real-time | post-compromise (days or weeks)
Network analysis | Network forensics
Payload analysis | Payload forensics
Endpoint analysis | Endpoint forensics
Log-based security analytics
- 15. Elastic Edge #3: volume pricing not viable
• Licensing model that puts the customer in control
• Flexibility to balance data retention, performance, and cost objectives
• Price points that don't limit decision-making
- 16. Many Security Analytics Use Cases
Beyond SIEM: extended SecOps functions beyond SIEM (situation: existing SIEM hitting limits)
MSSP: data store and search engine for security events (situation: service providers offer a managed SIEM solution)
SIEM alternative: centralized log collection and security analysis (situation: no existing SIEM)
Custom security application: platform for special security projects/apps (situation: in-house app dev team creates the app)
OEM solution: data store, search engine, and analysis platform (situation: security vendor companies build an end-user product)
- 18. Elastic SIEM as Threat Hunting Platform
Capability model: Behaviors, Threats, Triage, SIEM Detection, Telemetry, Inventory & Vulnerability Management; Act, Track, Hunt.
Adapted from: https://github.com/swannman/ircapabilities by mswann@microsoft.com | @MSwannMSFT | linkedin.com/in/swannman | Used under Creative Commons Attribution 4.0 International
- 20. Elastic SIEM
Kibana: visualize your Elasticsearch data and navigate the Elastic Stack
Elasticsearch: a distributed, RESTful search and analytics engine
Elastic SIEM: a SIEM for Elastic Stack users everywhere
Components: Elastic SIEM app; Elastic Common Schema (ECS); network & host data integrations (Beats, Logstash, Elastic Endpoint); security content by Elastic & community
- 21. Elastic SIEM
Same data. Different questions.
Ingest & prepare: ecosystem of network and host data connectors; Elastic Common Schema (ECS)
Analytics: machine learning and alerting; ad hoc queries at scale; graph analytics
Detect, hunt, investigate: automated attack detection; interactive threat hunting; rapid event triage and investigation
- 22. Curated integrations: host data
Auditbeat
● System module (Linux, macOS, Windows): packages, processes, logins, sockets, users and groups
● Auditd module (Linux kernel audit info)
● File integrity monitoring (Linux, macOS, Windows)
Filebeat
● System logs (auth logs) (Linux)
● Santa (macOS)
Winlogbeat
● Windows event logs
● Sysmon
- 23. Curated integrations: network data
Packetbeat
● Flows
● DNS
● Other protocols
Filebeat
● IDS/IPS/NMS modules: Zeek NMS, Suricata IDS
● NetFlow, CEF
● Firewall modules: Cisco ASA, FTD, Palo Alto Networks, Ubiquiti IPTables
● Kubernetes modules: CoreDNS, Envoy proxy
● Google VPC flow logs, PubSub input
- 25. Elastic Common Schema (ECS)
Normalize data to streamline analysis
● Defines a common set of fields and objects to ingest data into Elasticsearch
● Enables cross-source analysis of diverse data
● Designed to be extensible
● ECS is in GA and is being adopted throughout the Elastic Stack
● Contributions & feedback welcome at https://github.com/elastic/ecs
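As an added illustration (not code from the slides or from Elastic), the Python below maps a constructed Sysmon network-connection record and a constructed Zeek conn.log record onto the same ECS field names (real ECS fields such as source.ip, destination.port and event.category), so one query answers the same question across both sources; the event.dataset labels are chosen for this example.

```python
from datetime import datetime, timezone

# Constructed sample: a Sysmon event ID 3 (network connection) record.
SYSMON_EVENT = {
    "EventID": 3, "Computer": "WS01", "UtcTime": "2020-01-15 10:01:02.123",
    "Image": r"C:\Windows\System32\svchost.exe", "Protocol": "tcp",
    "SourceIp": "10.0.0.5", "SourcePort": 51512,
    "DestinationIp": "203.0.113.7", "DestinationPort": 443,
}
# Constructed sample: a Zeek conn.log record (epoch timestamp, id.* tuple).
ZEEK_CONN = {
    "ts": 1579082462.5, "id.orig_h": "10.0.0.9", "id.orig_p": 40000,
    "id.resp_h": "203.0.113.7", "id.resp_p": 443, "proto": "tcp",
}

def sysmon_to_ecs(ev):
    """Map Sysmon's vendor-specific names onto ECS (dotted keys, as Elasticsearch accepts)."""
    return {
        "@timestamp": ev["UtcTime"].replace(" ", "T") + "Z",  # Sysmon UtcTime is already UTC
        "event.kind": "event", "event.category": ["network"],
        "event.dataset": "sysmon.network",  # dataset label chosen for this example
        "host.name": ev["Computer"],
        "process.name": ev["Image"].rsplit("\\", 1)[-1],
        "network.transport": ev["Protocol"].lower(),
        "source.ip": ev["SourceIp"], "source.port": int(ev["SourcePort"]),
        "destination.ip": ev["DestinationIp"], "destination.port": int(ev["DestinationPort"]),
    }

def zeek_conn_to_ecs(rec):
    """Map Zeek's originator/responder naming onto the same ECS source/destination fields."""
    ts = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
    return {
        "@timestamp": ts.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
        "event.kind": "event", "event.category": ["network"],
        "event.dataset": "zeek.connection",  # dataset label chosen for this example
        "network.transport": rec["proto"].lower(),
        "source.ip": rec["id.orig_h"], "source.port": int(rec["id.orig_p"]),
        "destination.ip": rec["id.resp_h"], "destination.port": int(rec["id.resp_p"]),
    }

def connections_to(events, dest_ip, dest_port=None):
    """One query over events from any source: after normalization the field names agree."""
    return sorted(f"{e['source.ip']}:{e['source.port']}" for e in events
                  if e["destination.ip"] == dest_ip
                  and (dest_port is None or e["destination.port"] == dest_port))
```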
- 26. SIEM App Overview
Curated workflows for the SOC team
Manage security events
• Visualize and analyze security events
Perform initial triage
• Investigate security events, alerts, and alarms
• Annotate investigations and create incidents
• Hand off incidents to a third-party case/incident/orchestration (SOAR) system
View SOC security posture
• Visualize overall event, alarm, investigation, and incident status and history
- 27. SIEM App Timeline
Event Explorer: analyst-friendly qualification and investigation workflows
● Time-ordered events
● Drag-and-drop filtering
● Multi-index search
● Annotations, comments
● Formatted event views
● Persistent storage
- 28. Integrated ML Detection
Trigger jobs and view results in the SIEM app
● Enable and control pre-built and custom ML jobs
● View results in Hosts and Network views
● Links to the ML app within Kibana
- 29. SIEM + Maps
Geo-based analysis with Elastic Maps
● Shows source and destination geolocation of network data
● Interactive: responds to filters and allows setting filters
● Further plans for SIEM + Maps
- 30. Elastic SIEM Ecosystem
These are just some of our partners and community members. The presence of a vendor logo doesn't imply a business relationship with Elastic.
Data sources (internal and external context):
● Host sources
● Network sources
● Cloud platforms & applications
● User activity sources
● SIEMs & centralized security data stores
Downstream systems: security orchestration, automation, response; security incident response; general ticket & case management
Partners: community; consulting; education & training; solutions integrators, value-added resellers, MSPs & MSSPs
- 32. Elastic Endpoint Security
As simple as antivirus, but way more powerful
● Prevents malware and ransomware before damage and loss
● AI-powered endpoint detection and response
● Built for today's hybrid cloud environments
Security starts at the endpoint
- 33. Attacks have evolved
54% of companies experienced 1+ attacks that compromised data or IT infrastructure
77% of those attacks utilized exploits or fileless techniques
Cyber criminals have broadened their reach to bypass simple security mechanisms and use bespoke software to target your organization.
● Rise of nation state hacking groups
● Malware now works to stay hidden
● Automated and "Malware-as-a-Service" tools have made file-based detection obsolete
- 35. SecOps OODA Loop
Observe: collect, store, and search all your data
Orient: detect, analyze, and visualize the attack
Decide: collaborate, scope, and build the response plan
Act: remediate, validate, and learn from the threat
- 37. Prevent: block threats as early as possible
In-line, autonomous prevention: blocks ransomware, phishing, exploits, and malware, with capabilities proven by rigorous third-party testing. No cloud analysis required.
Protections mapped to the MITRE ATT&CK matrix: it's not just about the payload. Prevent adversarial behavior before damage and loss.
Completely customized controls: create your own protection policy and easily apply it at scale.
- 38. Collect: store and search all your security data
Zero-trust policy: kernel-level data collection and enrichment for adversary tamper resistance
Elastic Common Schema: open-source specification for uniform data modeling
Instant access to all data sources: security, operations, and more data sources in one product without limitations
Elasticsearch at the core: the heart of the Stack; search across all your data in an instant
- 39. Detect: investigate at scale, determine the scope
Simple alert triage: assign and manage alerts with a simple workflow.
Automatic attack visualization: Resolver™ view for scoping the attack and root cause analysis, enriched to accelerate and elevate users
Global detections with customized machine learning: pre-loaded, one-click machine-learning analysis across all your data
- 40. Respond: remediate, eliminate, validate
One-click containment: quickly isolate endpoints to prevent further adversary activity
Real-time, automated response: autonomous, millisecond response actions for detections deeper in the attack lifecycle
Detect once, prevent many: easily convert detections to preventions
Fits into your existing workflow: OOTB integrations to fit into your existing business processes