Security Analytics with OpenSearch
- 5. Facts that still require our concern (35% $$$)
- The number of attacks still grows every year, even while minimizing the attack surface.
- Hacker groups operate decentralized, but are becoming more organised than ever.
- Data is becoming more lucrative than gold.
- High costs are involved (to recover).
- For most companies, zero trust is still a paradigm shift.
Facts originate from NCSC and KPN.
- 6. DevSecOps: A Modern Approach to Security
https://www.pexels.com/photo/man-reclining-and-looking-at-his-laptop-5483064/
- 8. Kubernetes Security & Hardening
What's next
https://www.cisecurity.org/benchmark/kubernetes
https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
- 9. Open Standards at the core
- Knowledge base of adversary tactics and techniques
- Practical rule formatting
- Standard log schema (ECS, OCSF)
https://github.com/SigmaHQ/sigma
https://attack.mitre.org/
- 10. SIEM capabilities: Detect, Investigate and Respond to security threats before they harm your business
A modern SIEM should also include threat hunting and machine learning!
Flow: Source ingestion -> Centralized platform (Aggregate, Correlate) -> Threat detection (Detect Signals) -> Alerting
- 11. OpenSearch to the rescue
Based on the ELK stack
● Distributed search and analytics engine
● Enhanced security
● Powerful dashboards
● OpenTelemetry support
● Anomaly detection
● Analyst notebooks
● Reporting
● Log Analytics
● Alerting
https://opensearch.org/
- 12. Detect and respond to security threats in real time
OpenSearch: Out-of-the-box Security Analytics
https://opensearch.org/
- 13. Detect and respond to security threats in real time
Security Analytics: Key features
- Open-source detection rules: 2,200+ prepackaged rules for your security event log sources.
- Unified interface: Access user-friendly security threat detection, investigation, and reporting tools.
- Automated alerts: Create alerts on matched detection rules so that incident response teams are notified in real time.
- Correlation engine: Configure correlation rules to automatically link security findings and investigate them using a visual knowledge graph.
- Customizable tools: Use any custom log source and define your own rules to detect potential threats.
https://opensearch.org/
- 14. Detect and respond to security threats in real time
Security Analytics: Flow and components
https://aws.amazon.com/blogs/big-data/identify-and-remediate-security-threats-to-your-business-using-security-analytics-with-amazon-opensearch-service/
- 15. Detect and respond to security threats in real time
Security Analytics: Ingest sources
- Works, but requires normalization to a standard schema like ECS or OCSF.
- Works well, including ECS mapping; it is important to use the OSS packages and connect through Logstash-oss due to the awful license checks.
- Well documented solution packages by Amazon; downside: they are focused on AWS.
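The two building blocks behind slides 9 and 15, normalizing a log event to an ECS field schema and evaluating a Sigma-style rule against it, as an added example (not code from the slides or from the OpenSearch Security Analytics plugin). The vendor field names, the ECS mapping, the rule and the sample events are all constructed for illustration.

```python
"""Added example, not code from the slides or the OpenSearch project:
normalize a raw event to ECS field names, then evaluate a Sigma-style rule."""
import fnmatch
# Constructed vendor-to-ECS field mapping (assumed names for an auth/exec log).
FIELD_MAP = {"user": "user.name", "src": "source.ip",
             "cmd": "process.command_line", "outcome": "event.outcome"}

def normalize(raw: dict) -> dict:
    """Rename vendor fields to ECS names; unknown fields are kept unchanged."""
    return {FIELD_MAP.get(k, k): v for k, v in raw.items()}

def match_value(value, pattern: str, modifier: str) -> bool:
    """Case-insensitive match honouring the Sigma '|contains' modifier and
    Sigma wildcards ('*', '?') in plain values."""
    v, p = str(value).lower(), pattern.lower()
    return p in v if modifier == "contains" else fnmatch.fnmatchcase(v, p)

def selection_matches(selection: dict, event: dict) -> bool:
    """Sigma semantics: every key must match (AND); a list of values is OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not any(match_value(event[field], p, modifier) for p in patterns):
            return False
    return True

# Constructed Sigma-style rule: successful shell launch, excluding backup accounts.
RULE = {"selection": {"event.outcome": "success",
                      "process.command_line|contains": ["/bin/sh", "/bin/bash"]},
        "filter": {"user.name": "backup*"},
        "condition": "selection and not filter"}

def evaluate(rule: dict, raw_event: dict) -> bool:
    """Apply the rule's fixed condition 'selection and not filter'."""
    event = normalize(raw_event)
    return (selection_matches(rule["selection"], event)
            and not selection_matches(rule["filter"], event))

# Constructed sample events in the vendor's field names.
EVENTS = [
    {"user": "alice", "src": "10.0.0.5", "cmd": "/bin/bash -i", "outcome": "success"},
    {"user": "backup01", "src": "10.0.0.9", "cmd": "/bin/sh run.sh", "outcome": "success"},
    {"user": "bob", "src": "10.0.0.7", "cmd": "ls -la", "outcome": "success"},
]

def findings() -> list:
    return [e["user"] for e in EVENTS if evaluate(RULE, e)]
```

Without the normalization step the rule's ECS field names would never match the vendor's `cmd`/`user` keys, which is exactly why slide 15 flags schema mapping as the prerequisite for ingest sources.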
- 16. Now it's time to get hands-on :)
Demo time
Other components are shown during the demo.
Take a seat and enjoy the test-drive.