Elastic{ON} 2018 - A Security Analytics Platform for Today

Transcript

1. Elastic Date: 01/March/2018 A Security Analytics Platform for Today Kevin

   Keeney, Cybersecurity Advocate, Samir Bennacer, Senior Solutions Architect

2. 2 Attacks are inevitable

3. Data Collection For effective security analysis

4. • Collect all parts of the puzzle • Normalize for

   aggregation and correlation across sources • Enrich to extend attributes available for analysis • Index for immediate recall Foundation for Effective Security Analysis Collect Normalize Enrich Index

5. Data Sources Domain Data Sources Timing Tools Network PCAP, Bro,

   NetFlow Real time, Packet-based Packetbeats, Logstash ( netflow module) Collect Normalize Enrich Index

6. Data Sources Domain Data Sources Timing Tools Network PCAP, Bro,

   NetFlow Real time, Packet-based Packetbeats, Logstash ( netflow module) Application Logs Real-time, Event-based Filebeats, Logstash Collect Normalize Enrich Index

7. Data Sources Domain Data Sources Timing Tools Network PCAP, Bro,

   NetFlow Real time, Packet-based Packetbeats, Logstash ( netflow module) Application Logs Real-time, Event-based Filebeats, Logstash Cloud Logs, API Real-time, Event-based Beats, Logstash Collect Normalize Enrich Index

8. Data Sources Domain Data Sources Timing Tools Network PCAP, Bro,

   NetFlow Real time, Packet-based Packetbeats, Logstash ( netflow module) Application Logs Real-time, Event-based Filebeats, Logstash Cloud Logs, API Real-time, Event-based Beats, Logstash Host System State, Signature Alert Real-time, Asynchronous Auditbeats, Filebeats ( Osquery module),Winlogbeats Collect Normalize Enrich Index

9. Data Sources Domain Data Sources Timing Tools Network PCAP, Bro,

   NetFlow Real time, Packet-based Packetbeats, Logstash ( netflow module) Application Logs Real-time, Event-based Filebeats, Logstash Cloud Logs, API Real-time, Event-based Beats, Logstash Host System State, Signature Alert Real-time, Asynchronous Auditbeats, Filebeats ( Osquery module),Winlogbeats Active Scanning User-driven, Asynchronous Vulnerability scanners Collect Normalize Enrich Index

10. Event Agent Device Network Source Destination Service Threat GeoIp User

    Network Protocols… Various Services… Group 1 (Must be populated) Group 2 (Must be populated to the max extent practical where event message contains relevant fields.) Host Group 3 (should include Group 2 prefix and may include Group 3 prefix(es) in field names. Any Group 3 prefixes must not conflict with any defined ECS field name.) @timestamp ecs_version message File Error Elastic Common Schema Collect Normalize Enrich Index

11. Logstash Inputs Beats … … JDBC … … TCP UDP

    HTTP Filters Extract Fields Geo Enrich Lookup Enrich DNS Lookups Pattern Matching ArcSight Codec … Network / Security Data Syslog Servers Infra / App Data IoT / Sensors Persistent Disk Based Queues Normalization and Enrichment Beats Outputs Elasticsearch … … … … … Kafka RabbitMQ RDBMS Centralized Configuration Management Elasticsearch Collect Normalize Enrich Index

12. Threat intelligence Geo IP Information Other Information • Reputation information

    • IOCs • Vulnerability Data • TTPs • Physical Location • Country, State … • Postal Code • Geo Fence • Network Model • User information • Org Chart • DNS resolution Data Enrichment Collect Normalize Enrich Index

13. A common use case is looking up ips from a

    spam/bot feed: filter {
 memcached {
 hosts => ["127.0.0.1:11211"]
 get => {
 "%{ip}" => "threat_src"
 }
 }
 } Recommend to read the blog https://www.elastic.co/blog/elasticsearch-data-enrichment-with-logstash-a-few-security-examples Example: Botip Lookup

14. Alert Based detection Event Correlation

15. •Event correlation •Cross-source Correlation •Tiered Correlation •Chained Correlation Alert Based

    detection

16. Event correlation Logstash Elasticsearch X-pack X-pack Alerting Zoom

17. Detecting Anomalies using ML

18. What is Normal? When something behaves like itself Monday Tuesday

    Wednesday Thursday When something behaves like its peers

19. high memory alerts -- server 1 -- server 2 --

    server 3 Host Behavior • Free disk space lower than average • Unusual log entries Network Behavior • Unusual connections between hosts • Higher than average data transfer Application Behavior • Service response time abnormally high • Dropped connections exceed normal When abnormal matters

20. 20 Understand Seasonality Reduce False Positives Avoid Manual Review and

    Revision The advantages of anomaly-driven alerting Identify Areas of Focus

21. Getting Started – Machine Learning Recipes

22. Threat Hunting

23. Humans are more important than Hardware.

24. Cyber is a human versus human conflict -dcode

25. Know Thy Enemy Strategic Who & Why Tactical How &

    What

26. Know Thy Self BlindSpots Culture Most Valuable Data Critical Systems

27. Intelligence Operations

28. What are you looking for? Hypothesis Investigation New Patterns and

    IOA IOCs Inform and Enrich Different data sets Identify the patterns Feed the IOCs back create new alerts to improve the speed of the detection Operations Intelligence Intelligence

29. 29 Pulling it all together… Understand who is your Adversary?

    
 What is their Motivation ? What is the Impacts Of a successful attack? What are they targeting?

30. Speed is king

31. People are our most precious resource

32. www.elastic.co

33. Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nd/4.0/

    Creative Commons and the double C in a circle are registered trademarks of Creative Commons in the United States and other countries. Third party marks and brands are the property of their respective holders. 33 Please attribute Elastic with a link to elastic.co