SIEM with OpenSearch
Kubernetes Security and more
19 October 2023
Version 1.0
Supporter of:
Lives near Amsterdam
Started with floppies
Why is cybersecurity so important?
https://www.pexels.com/photo/red-hands-dark-costume-1097460/
Some examples …
https://wsb-solutions.nl/beveiliging-mobiele-apparaten-medewerkers/
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
35% $$$
Facts that still require our concern:
- The number of attacks still grows every year, even while the attack surface is being minimized.
- Hacker groups operate decentralized, but are becoming more organised than ever.
- Data is becoming more lucrative than gold.
- High costs are involved (to recover).
- For most companies, zero trust is still a paradigm shift.
Facts originate from NCSC and KPN.
DevSecOps: A Modern Approach to Security
https://www.pexels.com/photo/man-reclining-and-looking-at-his-laptop-5483064/
Cyber Security:
Shared Responsibility
https://www.darkreading.com/physical-security/a-guide-to-the-nist-cybersecurity-framework
Kubernetes Security & Hardening
What’s next?
https://www.cisecurity.org/benchmark/kubernetes
https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
Open Standards at the core
- Knowledge base of adversary tactics and techniques
- Practical rule formatting
- Standard log schema (ECS, OCSF)
https://github.com/SigmaHQ/sigma
https://attack.mitre.org/
SIEM capabilities: detect, investigate and respond to security threats before they harm your business.
A modern SIEM should include threat hunting and machine learning!!
Flow: Source ingestion → Centralized platform → Alerting
Stages: Aggregate, Correlate, Threat detection, Detect signals
OpenSearch to the rescue
Based on the ELK stack
● Distributed search and analytics engine
● Enhanced security
● Powerful dashboards
● OpenTelemetry support
● Anomaly detection
● Analyst notebooks
● Reporting
● Log Analytics
● Alerting
https://opensearch.org/
Detect and respond to security threats in real time
OpenSearch: Out-of-the-box Security Analytics
Security Analytics: Key features
- Open-source detection rules: 2,200+ prepackaged rules for your security event log sources.
- Unified interface: Access user-friendly security threat detection, investigation, and reporting tools.
- Automated alerts: Create alerts on matched detection rules so that incident response teams are notified in real time.
- Correlation engine: Configure correlation rules to automatically link security findings and investigate them using a visual knowledge graph.
- Customizable tools: Use any custom log source and define your own rules to detect potential threats.
Security Analytics: Flow and components
https://aws.amazon.com/blogs/big-data/identify-and-remediate-security-threats-to-your-business-using-security-analytics-with-amazon-opensearch-service/
Security Analytics: Ingest sources
- Works, but requires normalization to a standard schema like ECS or OCSF.
- Works well, including ECS mapping; it is important to use the OSS packages and to connect through Logstash-oss because of the awful license checks.
- Well-documented solution packages by Amazon; the downside is that they are focused on AWS.
Now it’s time to get hands-on :)
Demo time
Other components are shown during the demo.
Take a seat and enjoy the test-drive.
Any questions? Now it’s time to get answers!!!
Questions?