Elastic L&L.pdf

Elastic: Search, Observe, Protect

Jhon@Elastic.co
Principal Solutions Architect

/me

Jhon Masschelein, Jhon@Elastic.co

• Elastic Solution Architect (1y)
• Microsoft Azure Solution Architect Data & A.I. (3y)
• Hortonworks Solution Engineer (1.5y)
• SurfSara HPC DevOps Engineer (4.5y)
• Silicon Graphics Customer Support Engineer (13y)
• Co-Host Roaring Elephant Podcast (4.5y)

Search origins

Search is a constant/foundation

Technology differentiation

SCALE: Distributed by design
SPEED: Find matches in milliseconds
RELEVANCE: Get highly relevant results

Enterprise Search
• Site Search
• App Search
• Workplace Search

Observability
• Logs & Metrics
• Application Performance Monitoring (APM)
• Uptime

Security
• SIEM (Threat Hunting)
• Endpoint Security (EPP & EDR)

All running on the same Elastic Stack: 3 Solutions – 1 Stack

Elastic Stack (architecture diagram)

Kibana: Visualize & Manage
Elasticsearch: Store, Search, & Analyze
Ingest: Beats, Logstash, Endpoint

Solutions on the stack: Site Search, App Search, Workplace Search; Logs, Metrics, APM; SIEM, Endpoint Security

Deployment: SaaS (Elastic Cloud); On-Prem (Elastic Cloud Enterprise, Elastic Cloud on Kubernetes, Standalone)

Resource-based pricing across solutions

In contrast to per-agent, per-ingest, per-query, per-user and per-endpoint pricing ($$$$): pay only for the data you use!

Alerting – Anomaly Detection

Powered by Elasticsearch
• Alert on any Elasticsearch query
• Distributed execution
• Highly available

Notifications
• Email, Slack, PagerDuty
• Custom (webhook)

Stack Integrations
• Machine learning, Monitoring, and Reporting

Alert on anything you can query

Machine learning: anomaly-driven alerting
• Understand seasonality
• Reduce false positives
• Avoid manual threshold revision
• Identify areas of focus

Machine learning: anomaly-driven alerting
• When something behaves like itself (its own history; the slide's chart runs Monday through Thursday)
• When something behaves like its peers

Machine learning: anomaly detection
• Unsupervised techniques - no manual training / input needed
• Evolves with the data - "online" model learns continuously
• Influencer detection - accelerates root cause identification
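As an added illustration of the three anomaly-detection slides above (this is not Elastic's ML implementation, only a deliberately simple stand-in for the idea): a per-hour-of-day baseline ("behaves like itself") is compared with a single static threshold, and a robust median/MAD comparison across hosts stands in for "behaves like its peers". The daily load profile, the jitter, the host names and all values are constructed; the z-score threshold of 4 and the MAD multiplier of 5 are assumptions.

```python
"""Seasonality-aware anomaly scoring versus a static threshold.

Added example; NOT Elastic's ML algorithm.  All sample data is constructed.
"""
from statistics import mean, median, pstdev
from typing import Dict, List, Tuple

HOURS_PER_DAY = 24


def expected_load(hour: int) -> float:
    """Constructed daily profile of a business application (requests/min)."""
    if 9 <= hour <= 17:
        return 100.0
    if 6 <= hour <= 8 or 18 <= hour <= 21:
        return 40.0
    return 5.0


def training_series(days: int = 14) -> List[float]:
    """Constructed history: profile plus deterministic jitter in [-4, 4]."""
    series: List[float] = []
    for day in range(days):
        for hour in range(HOURS_PER_DAY):
            jitter = (7 * day + 3 * hour) % 9 - 4
            series.append(expected_load(hour) + jitter)
    return series


def hourly_baseline(series: List[float]) -> Dict[int, Tuple[float, float]]:
    """Learn (mean, stdev) per hour-of-day: the 'behaves like itself' view."""
    buckets: Dict[int, List[float]] = {h: [] for h in range(HOURS_PER_DAY)}
    for i, value in enumerate(series):
        buckets[i % HOURS_PER_DAY].append(value)
    return {h: (mean(v), pstdev(v)) for h, v in buckets.items()}


def seasonal_anomalies(day: List[float],
                       baseline: Dict[int, Tuple[float, float]],
                       z_threshold: float = 4.0) -> List[int]:
    """Hours whose value is > z_threshold stdevs from that hour's own baseline."""
    flagged = []
    for hour, value in enumerate(day):
        mu, sigma = baseline[hour]
        sigma = max(sigma, 1.0)  # floor so a flat history cannot blow up the score
        if abs(value - mu) / sigma > z_threshold:
            flagged.append(hour)
    return flagged


def static_anomalies(day: List[float], threshold: float) -> List[int]:
    """The hand-tuned threshold approach the slides argue against."""
    return [hour for hour, value in enumerate(day) if value > threshold]


def peer_anomalies(values_by_host: Dict[str, float], k: float = 5.0) -> List[str]:
    """Population view ('behaves like its peers'): robust median/MAD outliers."""
    vals = list(values_by_host.values())
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1.0
    return [h for h, v in values_by_host.items() if abs(v - med) / mad > k]


def test_day() -> List[float]:
    """Constructed day: a 60 req/min spike at 03:00, otherwise exactly on profile."""
    day = [expected_load(h) for h in range(HOURS_PER_DAY)]
    day[3] = 60.0
    return day


if __name__ == "__main__":
    base = hourly_baseline(training_series())
    day = test_day()
    print("seasonal baseline flags hours:", seasonal_anomalies(day, base))
    print("static threshold at history max flags:", static_anomalies(day, max(training_series())))
    print("static threshold low enough for 03:00 flags:", static_anomalies(day, 59.0))
    print("peer outliers:", peer_anomalies({"web-01": 98, "web-02": 101, "web-03": 100,
                                            "web-04": 97, "web-05": 103, "web-06": 310}))
```

The night-time spike is 60 requests a minute, far below any daytime value, so a static threshold set high enough to stay quiet during business hours never fires on it, and a threshold low enough to catch it fires on every business hour instead. The per-hour baseline flags only 03:00, which is the "understand seasonality / reduce false positives / avoid manual threshold revision" argument in miniature.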

Machine learning: Forecasting

Elastic Machine Learning Flow: Time Series Data

Security

Elastic Security

A SIEM for everyone,

from the creators of the Elastic (ELK) Stack

Elastic Endpoint Security,

As simple as antivirus, but way more powerful

Security how it should be: open

Elastic Security: Collect, Detect, Prevent, Respond

Collect
• Zero Trust data policy
• Elastic Common Schema
• Integrate any datasource
• Elasticsearch at the core

Prevent
• Block in real-time: Ransomware, Phishing, Exploits and Malware
• Reflex custom preventions

Respond
• Instant automated response
• Customized controls
• One-click containment
• Detect once, prevent many

Detect
• Simple alert triage
• Incident visualization
• ATT&CK alignment
• Global ML detections
• Customized detections

Sec Ops Team: Endpoint + SIEM

Elastic SIEM: threat hunting powerhouse

SecOps and threat hunting are team sports

Elastic SIEM - Establish a Holistic view

Gain visibility into your environment
View data on interactive dashboards and maps. Perform graph-based relationship analysis. Search across information of all kinds. Do it all with the technology fast enough for the sharpest analysts.

Surface anomalies with machine learning
Explore unknown threats exposed through machine learning-based anomaly detection. Equip threat hunters with evidence-based hypotheses. Find the threats you expected — and the ones you didn't.

Elastic SIEM – A SIEM for everyone

Automate detection with ATT&CK-aligned rules
Continuously guard your environment with correlation rules that detect tools, tactics, and procedures indicative of potential threats. Content is aligned with the MITRE ATT&CK knowledge base and ready for immediate implementation.
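Added example, not part of the deck and not one of Elastic's prebuilt rules or its rule engine: how the "Integrate any datasource / Elastic Common Schema" pillar and the ATT&CK-aligned correlation rules described here fit together. Constructed rsyslog-style sshd lines (hosts and addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) are normalised onto ECS field names, then a correlation rule flags five or more failed logins followed by a success from the same `source.ip` inside a five-minute window and tags the alert with ECS `threat.*` fields pointing at ATT&CK T1110 (Brute Force, Credential Access). The rule name, the failure count and the window are assumptions chosen for the example.

```python
"""Normalise raw sshd log lines to ECS, then run an ATT&CK-aligned
correlation rule over the normalised events.

Added example; not Elastic's rule engine or a prebuilt Elastic rule.
Log lines, hosts and IPs are constructed.  Field names follow ECS.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed rsyslog-style lines: ISO timestamp, host, program[pid]: message.
RAW_LOGS = [
    "2024-03-03T15:20:01+00:00 web-01 sshd[4311]: Failed password for invalid user admin from 203.0.113.7 port 50022 ssh2",
    "2024-03-03T15:20:03+00:00 web-01 sshd[4311]: Failed password for invalid user admin from 203.0.113.7 port 50023 ssh2",
    "2024-03-03T15:20:05+00:00 web-01 sshd[4313]: Failed password for root from 203.0.113.7 port 50024 ssh2",
    "2024-03-03T15:20:08+00:00 web-01 sshd[4315]: Failed password for deploy from 203.0.113.7 port 50025 ssh2",
    "2024-03-03T15:20:10+00:00 web-01 sshd[4317]: Failed password for deploy from 203.0.113.7 port 50026 ssh2",
    "2024-03-03T15:20:14+00:00 web-01 sshd[4319]: Accepted password for deploy from 203.0.113.7 port 50027 ssh2",
    "2024-03-03T15:21:00+00:00 web-02 sshd[2201]: Failed password for alice from 198.51.100.9 port 41000 ssh2",
    "2024-03-03T15:21:30+00:00 web-02 sshd[2203]: Accepted publickey for alice from 198.51.100.9 port 41001 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def to_ecs(line: str) -> Optional[Dict]:
    """Map one sshd line onto ECS fields; None for lines this parser does not know."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        "@timestamp": datetime.fromisoformat(m["ts"]),
        "event": {
            "category": ["authentication"],
            "type": ["start"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
            "action": f"ssh_{m['method']}",
        },
        "host": {"name": m["host"]},
        "process": {"name": "sshd", "pid": int(m["pid"])},
        "user": {"name": m["user"]},
        "source": {"ip": m["ip"], "port": int(m["port"])},
    }


def brute_force_then_success(events: List[Dict], min_failures: int = 5,
                             window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Correlation rule (assumed thresholds): >= min_failures failed logins from
    one source.ip followed by a success from that IP within `window`.
    The alert carries ECS threat.* fields mapped to ATT&CK T1110."""
    events = sorted(events, key=lambda e: e["@timestamp"])
    failures: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[Dict] = []
    for ev in events:
        if "authentication" not in ev["event"]["category"]:
            continue
        ip, ts = ev["source"]["ip"], ev["@timestamp"]
        # drop failures that have aged out of the sliding window
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if ev["event"]["outcome"] == "failure":
            failures[ip].append(ts)
        elif len(failures[ip]) >= min_failures:
            alerts.append({
                "@timestamp": ts,
                "rule": {"name": "SSH brute force followed by successful login"},
                "source": {"ip": ip},
                "user": {"name": ev["user"]["name"]},
                "host": {"name": ev["host"]["name"]},
                "failed_attempts": len(failures[ip]),
                "threat": {
                    "framework": "MITRE ATT&CK",
                    "tactic": {"id": "TA0006", "name": "Credential Access"},
                    "technique": {"id": "T1110", "name": "Brute Force"},
                },
            })
            failures[ip] = []  # one alert per burst
    return alerts


def run(lines: List[str] = RAW_LOGS) -> List[Dict]:
    """Normalise then correlate; returns the alerts for the given raw lines."""
    events = [e for e in (to_ecs(line) for line in lines) if e is not None]
    return brute_force_then_success(events)


if __name__ == "__main__":
    for alert in run():
        print(alert["rule"]["name"], alert["source"]["ip"], alert["user"]["name"],
              alert["threat"]["technique"]["id"], alert["failed_attempts"])
```

Because the rule reads only ECS fields (`event.category`, `event.outcome`, `source.ip`, `user.name`), the same logic applies unchanged to Windows 4625/4624 events or a VPN concentrator's logs once those are normalised the same way; that is the practical payoff of a common schema. The 198.51.100.9 session (one failure, then a key-based success) stays below the threshold and produces no alert.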

Keep it simple. No more pricing by ingest
No matter how you start or grow with Elastic, you shouldn't be constrained by how you get value from our products. Just pay for the resources you need, deploy them how you'd like, and do even more great things with Elastic.

Elastic Security

SIEM Demo

Questions?

Security starts at the endpoint

As simple as antivirus, but way more powerful

Elastic Security

Observe
Collect, store, and search all your data

Zero-trust policy: Kernel-level data collection and enrichment for adversary tamper resistance
Autonomous sensor: No external resources are required; works perfectly in air-gapped environments
Light-weight: The Endpoint sensor (agent) stays in the background.

Orient
Detect, analyze, and visualize the attack

Protections mapped to the MITRE ATT&CK matrix: Coverage across the entire breadth of an attack for layered defenses proven by rigorous third party testing
Global detections with customized machine learning: Pre-loaded, one-click machine-learning analysis across all your data
Automatic attack visualization: Resolver™ view for scoping the attack and root cause analysis, enriched to accelerate and elevate users

Decide
Collaborate, scope, build response plan

Easy alert management: Assign and triage alerts with a simple workflow
Built-in collaboration: Comment and communicate on alerts, events, or investigations
Scoping at the speed of search: Rapidly determine the extent of the attack, looking across all your data for all time
Fits into your existing workflow: Rich integrations send investigations to fit into your existing triage process

Analyze Endpoint Data in Kibana
Dashboarding

Direct link to Elastic Kibana: The setup is currently done through a simple streaming pipeline configuration
Default dashboard: Once configured, a default dashboard will be installed in Kibana that gives a view into the data being sent from Elastic Endpoint Security to the Elastic Stack.
Endpoint data index: All endpoint data lands in standard Elasticsearch indices, available for analysis using the API and all Elastic apps like Discover and Maps.

Elastic Security

Endpoint Protection Demo

Questions?

Elastic SIEM – Threat Hunting

[Figure: SOAR timeline for the persona "Jacob Jane", 15:19 to 15:29] Detections along the timeline: Auditbeat low count, container crashed, created certificate, new certificate detected, impossible travel, login from vacation, credit cards detected, smoke screen. Enrichment: found credentials using HIBP; phished credentials using fake website. Automated responses: restart, block IP, revoke credentials & certificates.

Elastic Security

Integrated SIEM Demo

Questions?

https://ela.st/cyber-security-education-webinar