A SIEM for everyone

Arnold van Wijnbergen
6 min read · Aug 28, 2019

Yesterday, just after the Summer holiday season, Elastic hosted another Meetup, this time at the Elastic ‘Amsterdam Keizersgracht’ office.

The topic was the new ‘exciting’ SIEM feature on top of the Elastic Stack, which was officially launched on 25 June 2019. For most of the attendees this was a great moment to discuss further roadmap details, share experiences and enjoy a slice of pizza and drinks. When I arrived it was already crowded, which shows the popularity of this topic.

In the middle of some great conversations, the Elastic crew announced that it was time to move over to the presentation area. Since we were all there for the presentation, called ‘Taking security investigations to the next level’, everybody picked a spot. The presentation was given by James Spiteri, a Solution Architect at Elastic with experience in the cyber security space. After the introduction, he started the presentation by explaining the basics of the Elastic Stack and the current disconnect between IT security perception and security reality.

After this introduction and some interaction with the audience, he went into the history and the reasons why starting SIEM product development was such an obvious step. As many of you may know, the ELK stack has been well known for years as a logging environment that extends into search, live dashboards and threat hunting capabilities. Great examples were shown at the SANS Security Summit 2017 (combining the ELK stack with the MITRE ATT&CK framework) and by myself at the Elastic Partner event in 2018. Another great project is “Sigma”, which provides template rules to easily extend SIEM data collectors like Beats or Logstash. Below is the slide that James showed about the community ecosystem and the collaboration / integration with other security vendors. It really shows the possibilities and the positioning of the Elastic Stack.

Because of all these actual use cases, and the way customers were already leveraging their logging data in Elastic, Elastic decided to help customers get started with best practices and an out-of-the-box experience in the form of the SIEM product. When product development started, the first focus area was “Security Analytics” and core hunting capabilities.

As he told us, it all starts with the harmonised event model, called the “Elastic Common Schema” (ECS). The advantage of the model is that various sources can easily be correlated in one model, without ending up with unnecessary duplicate fields. Think about the various ways in which the severity level and hostname are shipped by different sources. With this schema Elastic created several modules for Beats to harvest security or system related information, in particular Auditbeat for security audit information and Packetbeat for network traffic insights like TLS and DNS data. Unfortunately Packetbeat on Windows still requires the winpcap or newer npcap driver per host, but this can easily be solved by mirroring all network traffic to one SPAN port. Of course Filebeat and Metricbeat bring their value with lots of new modules, like AWS VPC logs, Cisco devices, Auditd and Zeek (formerly Bro Network Monitoring). Last but not least, don’t forget Winlogbeat, which has great integration capabilities with Sysmon, a well-known tool for auditing Windows security.
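As an added illustration of what the harmonised schema buys you (my own example, not code from the talk or from Elastic): two constructed records, a syslog line and a Windows-style event, are mapped onto a handful of real ECS field names (host.name, event.severity, log.level, process.name, source.ip) so that they can be correlated on one key. The raw record layouts, the severity mappings and the sample values are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample records from two different sources. The raw layouts
# are invented for this example; only the ECS target field names are real.
SYSLOG_LINE = ("<34>Aug 28 09:15:02 web01 sshd[4242]: WARNING "
               "Failed password for root from 203.0.113.7")
WIN_EVENT = {"Computer": "WEB01.corp.local", "Level": 2,
             "ProcessName": "powershell.exe", "IpAddress": "203.0.113.7"}

# Each source ships severity in its own vocabulary; ECS wants one numeric
# event.severity and one keyword log.level. These mappings are assumptions.
SYSLOG_LEVELS = {"EMERG": 0, "ALERT": 1, "CRIT": 2, "ERROR": 3,
                 "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}
WIN_LEVELS = {1: "CRIT", 2: "ERROR", 3: "WARNING", 4: "INFO", 5: "DEBUG"}

SYSLOG_RE = re.compile(
    r"^<\d+>\w{3} +\d+ [\d:]+ (?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: "
    r"(?P<level>[A-Z]+) (?P<msg>.*)$")
IP_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")

def normalize_host(name):
    """host.name: short, lower-case hostname, so WEB01.corp.local == web01."""
    return name.split(".")[0].lower()

def syslog_to_ecs(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unparsable syslog line")
    level = m.group("level")
    ip = IP_RE.search(m.group("msg"))
    return {"event.dataset": "syslog", "host.name": normalize_host(m.group("host")),
            "process.name": m.group("proc"), "log.level": level.lower(),
            "event.severity": SYSLOG_LEVELS[level],
            "source.ip": ip.group(1) if ip else None}

def winevent_to_ecs(rec):
    level = WIN_LEVELS[rec["Level"]]
    return {"event.dataset": "windows", "host.name": normalize_host(rec["Computer"]),
            "process.name": rec["ProcessName"], "log.level": level.lower(),
            "event.severity": SYSLOG_LEVELS[level],
            "source.ip": rec.get("IpAddress")}

def correlate(events, key="source.ip"):
    """Group normalized events on one ECS field and return the values that
    show up in more than one dataset: the cross-source correlation ECS makes cheap."""
    groups = defaultdict(set)
    for e in events:
        if e.get(key):
            groups[e[key]].add(e["event.dataset"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}
```

Without the normalisation step the two records would never join: one calls the host `web01`, the other `WEB01.corp.local`, and they express severity as a word and as a number respectively.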

Now that we had gone over all the new source collector improvements, he showed us the actual Kibana app, called SIEM (beta), which is available from the 7.2 release. This is where all the magic happens. The search UI itself, called the “Timeline event viewer” (aka Timelines), looks as we are used to, but in the background some really nice features were added. Think about just dragging and dropping search objects into your query builder, and amazingly fast search responses at nanosecond level to identify and explore possible breaches. After you find a potential breach you can easily add a note for your colleagues. Unfortunately notes are currently stored in the Kibana index and are not searchable, but this is already marked as an improvement, since the company is all about search :).

The actual dashboard is built up in multiple layers, so you can easily drill down from an overview to a potential threat at network or host level for further investigation. One of the great panels is the so-called “Uncommon processes” panel, which uses the Significant Terms aggregation. Really helpful when looking for suspiciously spawned processes. Significant Terms has the advantage of finding a significant change in popularity by comparing term frequencies in the current (foreground) set against the background data. Nice to know: this is still part of the OSS distribution. Licensed users can easily enable new Machine Learning jobs for even more ‘early warnings’. These Machine Learning jobs are based on ECS and require nothing more than one click to enable anomaly detection.
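An added example (mine, not code from the talk or from Elastic) of the Significant Terms scoring behind an “Uncommon processes” style panel: it re-implements the aggregation's default JLH heuristic in Python over constructed process events and ranks what stands out on one host against the events of all hosts. Host names, process names and counts are invented.

```python
from collections import Counter

def jlh_score(fg_count, fg_size, bg_count, bg_size):
    """Elasticsearch's default significant_terms heuristic (JLH):
    (foreground share - background share) * (foreground share / background share).
    A term that is no more common in the foreground than overall scores 0."""
    if fg_size == 0 or bg_size == 0 or bg_count == 0:
        return 0.0
    fg_pct = fg_count / fg_size
    bg_pct = bg_count / bg_size
    absolute_change = fg_pct - bg_pct
    if absolute_change <= 0:
        return 0.0
    return absolute_change * (fg_pct / bg_pct)

def significant_terms(foreground, background, size=5, min_doc_count=3):
    """Rank the terms of the foreground set the way the aggregation does.
    As in Elasticsearch, the background set includes the foreground documents."""
    fg, bg = Counter(foreground), Counter(background)
    scored = []
    for term, count in fg.items():
        if count < min_doc_count:          # ignore one-off noise, like the aggregation does
            continue
        score = jlh_score(count, len(foreground), bg[term], len(background))
        if score > 0:
            scored.append((term, score))
    scored.sort(key=lambda ts: ts[1], reverse=True)
    return scored[:size]

# Constructed sample: process events as (host, process.name). Nine hosts run
# a normal mix; "web01" additionally launches PowerShell far more often and
# one tool seen nowhere else. Host and process names are invented.
NORMAL_MIX = (["svchost.exe"] * 40 + ["explorer.exe"] * 15
              + ["chrome.exe"] * 12 + ["powershell.exe"] * 2)
EVENTS = [(f"host{i:02d}", p) for i in range(9) for p in NORMAL_MIX]
EVENTS += [("web01", p) for p in ["svchost.exe"] * 40 + ["explorer.exe"] * 15
           + ["powershell.exe"] * 12 + ["oddtool.exe"] * 3]

def uncommon_processes(host, events=EVENTS):
    """Foreground = the processes seen on one host; background = all events."""
    foreground = [p for h, p in events if h == host]
    background = [p for _, p in events]
    return significant_terms(foreground, background)
```

Note how the scoring weighs absolute and relative change together: on `web01` the PowerShell spike outranks the tool that exists nowhere else, because the latter is only three events, so a panel like this is a starting point for a hunt rather than a verdict.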

At the end he showed us the latest updates about using Maps and Heartbeat. Maps is used to easily discover differences using geospatial data. One overview with multiple sources helps, especially when you are looking for DDoS attacks (peak capacity usage). Maps are also great for SecOps teams to analyse an intruder or attack location, or to spot potential high-risk transactions.

Heartbeat helps to report actual service uptime and even certificate details, like expiration and the certificate chain. Really helpful for analysing your web security.

We ended the session with questions and roadmap details. As you may have noticed, Elastic joined forces with Endgame, which makes it self-explanatory that endpoint protection and response, with actual case management to triage events, are part of the future stack.

As a conclusion, with my six years of Elastic Stack experience, I can see the potential in this product and it really will be a game changer in the way of doing pro-active security, applying the SecOps way of thinking in cloud-native environments. IT is getting more complex every day and the question is no longer if a breach will happen, but when. This requires a Security-as-default approach, with end-to-end security measures on both the application and infrastructure level. Firewalls are still helpful, but Web Application Firewalls (WAF) really extend the view with additional L7 application protection against the well-known OWASP Top 10.

As we know, SIEM is just one part and doesn’t apply solely to production systems. That’s why it is important, just like with monitoring, to apply the right security measures at every level, triggered from the pipeline through all software lifecycle stages in an automated manner.

Looking for tools to extend your cloud-native security vision? Take a look at the Cloud Native Landscape, which shows other helpful tools in other security areas, like container security with Aqua and open source vulnerability and security scanning with Black Duck.

If you have any questions, don't hesitate to contact me.

See you guys at the next Meetup!!!
