The document outlines the capabilities and offerings of Elastic Security, which combines SIEM and endpoint protection to safeguard organizations from cyber threats. It highlights the growth and evolution of the Elastic Stack, emphasizing features like real-time data processing, threat detection, and customizable security solutions through a zero-trust approach. Additionally, it includes a discussion of the challenges posed by modern attacks and the need for advanced security measures to protect against evolving cyber threats.
Introduction to Elastic's SIEM and Endpoint Security with a focus on protecting organizations.
Integrated security functions for detection, prevention, and response against cyber threats.
Various approaches to threat detection including network, payload, and endpoint forensics.
Key advantages of Elastic such as scalability, speed, and flexible licensing models.
Expanding SecOps capabilities and alternatives to existing SIEM solutions.
Overview of the capabilities of Elastic SIEM including detection analytics and integrations.
Details on data ingestion methods including various modules for host and network data.
Significance of ECS in normalizing data for enhanced cross-source analysis.
Overview of curated workflows in SIEM for managing security events and investigations.
Integration of machine learning in SIEM for advanced detection and geolocation analysis.
Collaboration aspects within the Elastic SIEM ecosystem for comprehensive security analysis.
Advancements in endpoint security, emphasizing AI-powered detection and the evolution of cyber threats.
The OODA loop model for effective incident response in security operations.
Tailored security capabilities emphasizing prevention, detection, and response measures for cyber threats.
Conclusion and acknowledgment from the presenters at the end of the presentation.
Elastic timeline, 2010 to today:
• Elasticsearch 0.4 released
• Logstash joins forces
• Kibana joins forces
• Elasticsearch 1.0 released
• Beats to collect all the data
• Elastic Cloud launched
• Machine learning firm Prelert acquired
• Growing use of ELK for threat hunting
• Security consultancy Perched acquired
• ECS 1.0 released
• SIEM app released
• Endgame acquired
Elastic builds software to make data usable in real time and at scale, powering solutions like search, logging, metrics, security, and more.
Elastic Security
Vision: To protect the world’s data from attack.
Goal: Deliver a single security solution, combining SIEM and endpoint, powered by industry-leading and validated protections to reduce risk for any user.
#2 Elastic Edge: New threats every day
• Everything is indexed
• Snappy search at scale
• Do more with machine learning
#3 Elastic Edge: Volume pricing not viable
• Licensing model that puts the customer in control
• Flexibility to balance data retention, performance, and cost objectives
• Price points that don’t limit decision-making
Beyond SIEM: extended SecOps functions beyond SIEM
• Existing SIEM hitting limits: Elastic as the data store and search engine for security events
• MSSP: service providers offer a managed SIEM solution
• No existing SIEM: SIEM alternative, centralized log collection and security analysis
• Custom security application: platform for special security projects/apps; an in-house app dev team creates the app
• OEM solution: data store, search engine, and analysis platform; security vendor companies build an end-user product
Many security analytics use cases
Elastic SIEM: a SIEM for Elastic Stack users everywhere
• Elasticsearch: a distributed, RESTful search and analytics engine
• Kibana: visualize your Elasticsearch data and navigate the Elastic Stack
• Elastic SIEM app
• Elastic Common Schema (ECS)
• Network and host data integrations (Beats, Logstash, Elastic Endpoint)
• Security content by Elastic and the community
Elastic SIEM: same data, different questions.
Ingest and prepare
• Ecosystem of network and host data connectors
• Elastic Common Schema (ECS)
Analytics
• Machine learning and alerting
• Ad hoc queries at scale
• Graph analytics
Detect, hunt, investigate
• Automated attack detection
• Interactive threat hunting
• Rapid event triage and investigation
Curated integrations for host data
Auditbeat
● System module (Linux, macOS, Windows): packages, processes, logins, sockets, users and groups
● Auditd module (Linux kernel audit info)
● File integrity monitoring (Linux, macOS, Windows)
Filebeat
● System logs (auth logs) (Linux)
● Santa (macOS)
Winlogbeat
● Windows event logs
● Sysmon
Elastic Common Schema (ECS): normalize data to streamline analysis
Defines a common set of fields and objects to ingest data into Elasticsearch
Enables cross-source analysis of diverse data
Designed to be extensible
ECS is in GA and is being adopted throughout the Elastic Stack
Contributions and feedback welcome at https://github.com/elastic/ecs
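As an added example (not code from the slides, and not the parser used by Elastic's Beats modules), the script below maps a constructed sshd auth line and a constructed Windows logon event onto the same ECS fields (event.category, event.outcome, host.name, user.name, source.ip) and then answers one question across both sources. The regular expression and the event.dataset labels are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample events from two different sources (not real logs):
# two Linux sshd auth lines and one flattened Windows Security logon event.
SSH_LINES = [
    "Jun 14 10:12:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 5112 ssh2",
    "Jun 14 10:12:09 web01 sshd[2214]: Accepted password for deploy from 198.51.100.4 port 5120 ssh2",
]
WIN_EVENTS = [
    {"EventID": 4625, "Computer": "WIN-DC01", "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
]

# Assumed pattern for sshd password-auth lines (illustrative, not the Filebeat system module's parser).
SSH_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def ssh_to_ecs(line):
    """Map one sshd auth line onto ECS fields; None if it is not a password-auth line."""
    m = SSH_RE.match(line)
    if not m:
        return None
    return {
        "event": {"category": "authentication", "dataset": "system.auth",
                  "outcome": "success" if m["result"] == "Accepted" else "failure"},
        "host": {"name": m["host"]}, "user": {"name": m["user"]}, "source": {"ip": m["ip"]},
    }

def winlog_to_ecs(evt):
    """Map a Windows logon event (4624 = success, 4625 = failure) onto the same ECS fields."""
    outcome = {4624: "success", 4625: "failure"}.get(evt["EventID"], "unknown")
    return {
        "event": {"category": "authentication", "dataset": "security",
                  "code": str(evt["EventID"]), "outcome": outcome},
        "host": {"name": evt["Computer"]}, "user": {"name": evt["TargetUserName"]},
        "source": {"ip": evt["IpAddress"]},
    }

def normalize_all():
    """Both feeds, normalized into one list of ECS-shaped events."""
    return [e for e in map(ssh_to_ecs, SSH_LINES) if e] + [winlog_to_ecs(w) for w in WIN_EVENTS]

def failed_logins_by_source(ecs_events):
    """Cross-source question: which source.ip produced authentication failures, and how many?"""
    return Counter(e["source"]["ip"] for e in ecs_events
                   if e["event"]["category"] == "authentication" and e["event"]["outcome"] == "failure")
```

Because both feeds share the same field names after normalization, the final query never has to know whether a failure came from sshd or from a Windows 4625 event.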
SIEM App Overview: curated workflows for the SOC team
Manage security events
• Visualize and analyze security events
Perform initial triage
• Investigate security events, alerts, and alarms
• Annotate investigations and create incidents
• Hand off incidents to a third-party case/incident/orchestration (SOAR) system
View SOC security posture
• Visualize overall event, alarm, investigation, and incident status and history
SIEM App Timeline Event Explorer: analyst-friendly qualification and investigation workflows
● Time-ordered events
● Drag and drop filtering
● Multi-index search
● Annotations, comments
● Formatted event views
● Persistent storage
Integrated ML Detection: trigger jobs and view results in the SIEM app
● Enable and control pre-built and custom ML jobs
● View results in Hosts and Network views
● Links to ML app within Kibana
SIEM + Maps: geo-based analysis with Elastic Maps
● Shows source and destination geo location of network data
● Interactive: responds to filters and allows setting filters
● Further plans for SIEM + Maps
These are just some of our partners and community members. The presence of a vendor logo doesn’t imply a business relationship with Elastic.
Elastic SIEM Ecosystem
Security orchestration, automation, response; security incident response; general ticket and case management
● Host sources
● Network sources
● Cloud platforms and applications
● User activity sources
● SIEMs and centralized security data stores
Internal context; external context
Community: consulting; education and training; solutions integrators, value-added resellers, MSPs and MSSPs
Logstash
Elastic Endpoint Security: as simple as antivirus, but way more powerful
Prevents malware and ransomware before damage and loss
AI-powered endpoint detection and response
Built for today’s hybrid cloud environments
Security starts at the endpoint
Attacks have evolved
54% of companies experienced 1+ attacks that compromised data or IT infrastructure
77% of those attacks utilized exploits or fileless techniques
Cyber criminals have broadened their reach to bypass simple security mechanisms and use bespoke software to target your organization.
Rise of nation state hacking groups
Malware now works to stay hidden
Automated and “Malware-as-a-Service” tools have made file-based detection obsolete
SecOps OODA Loop
Observe: collect, store, and search all your data
Orient: detect, analyze, and visualize the attack
Decide: collaborate, scope, and build the response plan
Act: remediate, validate, and learn from the threat
Prevent: block threats as early as possible
In-line, autonomous prevention: blocks ransomware, phishing, exploits, and malware, with capabilities proven by rigorous third-party testing. No cloud analysis required.
Protections mapped to the MITRE ATT&CK matrix: it’s not just about the payload. Prevent adversarial behavior before damage and loss.
Completely customized controls: create your own protection policy and easily apply it at scale.
Collect: store and search all your security data
Zero-trust policy: kernel-level data collection and enrichment for adversary tamper resistance
Elastic Common Schema: open-source specification for uniform data modeling
Instant access to all data sources: security, operations, and more data sources in one product without limitations
Elasticsearch at the core: the heart of the Stack; search across all your data in an instant
Detect: investigate at scale, determine the scope
Simple alert triage: assign and manage alerts with a simple workflow.
Automatic attack visualization: Resolver™ view for scoping the attack and root cause analysis, enriched to accelerate and elevate users
Global detections with customized machine learning: pre-loaded, one-click machine-learning analysis across all your data
Respond: remediate, eliminate, validate
One-click containment: quickly isolate endpoints to prevent further adversary activity
Real-time, automated response: autonomous, millisecond response actions for detections deeper in the attack lifecycle
Detect once, prevent many: easily convert detections to preventions
Fits into your existing workflow: OOTB integrations to fit into your existing business processes