Open Source Security Toolsets

Elastic Co
February 18, 2018

RockNSM, VulnWhisperer, HELK and CAPESstack are next generation, open source security toolsets built on top of the Elastic Stack.

Kevin Keeney, Cyber Security Advocate at Elastic, gives us an overview of each of these tools and the different functionalities they provide.

Transcript

  1. Needs
     • Lightweight
     • Secure from foundation up
     • As close to production sensor as possible
     • Repeatable
     • Available at home
  2. Log Normalization
     • Network: conn, dhcp, dns, ftp, http, kerberos, …
     • Files: files, pe, x509
     • Detection: intel, notice, notice_alarm, signatures, traceroute
     • Observations: known_certs, known_devices, known_hosts, known_modbus, known_services, software
     • Diagnostics: capture_loss, reporter, stats
  3. Fieldname Normalization
     "ssl": { "cipher": "TLS_RSA_WITH_AES_128_GCM_SHA256", "established": true, "id_resp_p": 443, … }
     "files": { "timedout": false, "local_orig": false, "rx_hosts": [ "192.168.100.103" ], ... }
     "conn": { "resp_pkts": 0, "id_orig_p": 5353, "local_resp": false, "uid": "Ci6Mji4NGqQu538N2a", "orig_asn": 0, … }
     "dns": { "query": "android.local", "answers": [ "android.local", "192.168.100.111" ], … }
  4. Log Normalization - Example
     "@timestamp": "2017-04-26T00:19:16.900Z",
     "@meta": {
       "resp_host": "17.167.193.45",
       "proc": "enp0s31f6-4",
       "system": "sensor001-001",
       "event_type": "network",
       "stream": "ssl",
       "related_ids": [ "C6Gg0g1AXxTpLWzYka", "FCGlHcUbM98WHNDY7", "F3h8Ss1sPOTtapGGSa", "FnNRub2EJTB48nuqmc" ],
       "orig_host": "192.168.100.103",
       "resp_port": "443",
       "id": "C6Gg0g1AXxTpLWzYka",
       "orig_port": "49172"
     }
     Callouts on the slide: • Log category • Connection-level metadata • Specific log type • ID of this specific event • All related IDs in this log entry
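The @meta normalization shown on this slide, as an added example (not RockNSM's own code): a Python function that renames dotted Bro field names (id.resp_p to id_resp_p, as slide 3 shows), nests the record under its stream name and builds the @meta block with the connection metadata, the event's own id and all related ids. The sample record, the Bro key names used to find related ids (uid, fuid, *_uids, *_fuids) and the epoch-seconds ts field are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample: one Bro/Zeek ssl.log record in JSON form (assumed field names
# follow Bro's id.orig_h / id.resp_p convention; values are made up for this example).
SAMPLE_SSL = {
    "ts": 1493165956.9,
    "uid": "C6Gg0g1AXxTpLWzYka",
    "id.orig_h": "192.168.100.103", "id.orig_p": 49172,
    "id.resp_h": "17.167.193.45", "id.resp_p": 443,
    "cipher": "TLS_RSA_WITH_AES_128_GCM_SHA256", "established": True,
    "cert_chain_fuids": ["FCGlHcUbM98WHNDY7", "F3h8Ss1sPOTtapGGSa"],
    "client_cert_chain_fuids": ["FnNRub2EJTB48nuqmc"],
}


def related_ids(record):
    """Return the record's own id first, then every other uid/fuid it references.
    Assumption: ids live in uid/fuid and in *_uids/*_fuids set fields."""
    own = record.get("uid") or record.get("fuid")
    ids = [own] if own else []
    for key, value in record.items():
        if key in ("uid", "fuid") or key.endswith(("_uids", "_fuids")):
            for v in (value if isinstance(value, list) else [value]):
                if v not in ids:
                    ids.append(v)
    return ids


def normalize(stream, record, system, proc, event_type="network"):
    """Build one RockNSM-style document: @timestamp, @meta, record nested under its stream."""
    flat = {k.replace(".", "_"): v for k, v in record.items()}  # id.resp_p -> id_resp_p
    ts = datetime.fromtimestamp(record["ts"], tz=timezone.utc)   # Bro ts is epoch seconds
    ids = related_ids(record)
    meta = {"event_type": event_type, "stream": stream, "system": system, "proc": proc,
            "id": ids[0] if ids else None, "related_ids": ids}
    # Connection-level metadata; the slide keeps ports as strings, so str() every value.
    for bro_key, meta_key in (("id.orig_h", "orig_host"), ("id.resp_h", "resp_host"),
                              ("id.orig_p", "orig_port"), ("id.resp_p", "resp_port")):
        if bro_key in record:
            meta[meta_key] = str(record[bro_key])
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"
    return {"@timestamp": stamp, "@meta": meta, stream: flat}


if __name__ == "__main__":
    import json
    print(json.dumps(normalize("ssl", SAMPLE_SSL, "sensor001-001", "enp0s31f6-4"), indent=2))
```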
  6. Austin Taylor
     • Chief Security Research Engineer @ IronNet Cybersecurity
     • Cyber Warfare Operator @ USAF (MDANG)
     • Security Consultant @ HA Security Solutions
  7. VulnWhisperer
     • Currently supports: Nessus & Qualys Web Applications
     • Written in Python
     • Custom Risk Scores
     • Asset Tagging
     • Intended to create actionable data for defenders and metrics for managers (track risk over time)
     https://github.com/austin-taylor/VulnWhisperer
  8. The Need – Pre Incident
     • Identify Critical Assets
     • Know thyself
     • Where do I Hunt
  9. The Need – Post Incident
     • What type of assets by geo / dept. have similar hosts
     • How many machines of each
     • Where should we prioritize remediation efforts
  10. VulnWhisperer - Full Logical Processing Pipeline
     • Normalize, filter and enrich Scan Logs
     • Filebeat: Sends the plaintext files
     • JSON structured log documents
     • Prebuilt Dashboards
  11. Why?
     • Had a great hunt platform (RockNSM)
     • No IR platform
     • No intelligence pipeline capabilities
     • No way to communicate over distance
     • No (real) documentation
  12. Requirements
     • Open source (obviously)
     • Self hosted
     • OS/platform agnostic
     • API extensibility
     • Secure OS
     • Operator launch point
     • IR tracking & management
     • Documentation
     • Observation enrichment
     • Communication over distance
     • Real-time collaboration
  13. Security Analytics Architecture (diagram; components as labelled on the slide)
     • Data sources: Web Proxies, EDR / EPP, IDS / IPS / NMS, DNS, File, SIEM, Scans, IP, Vulnerability Data & Threat Intelligence
     • Beats: Heartbeat, Filebeat, Metricbeat, Packetbeat, Winlogbeat, Auditbeat
     • Messaging Queue: Kafka, Redis
     • Logstash Workers (2+)
     • Elasticsearch X-Pack nodes: Master (3), Ingest (X), Data – Hot (X), Data – Warm (X), Machine Learning (2+), Coordinating (X), Alerting (X)
     • Elasticsearch Clients: Kibana X-Pack Instances (2+), Custom UI, ES-Hadoop
     • Authentication: LDAP, AD, SSO
     • Notification
  14. Thank You
     • Web : www.elastic.co
     • Products : https://www.elastic.co/products
     • Forums : https://discuss.elastic.co/
     • Community : https://www.elastic.co/community/meetups
     • Twitter : @elastic