Elastic L&L.pdf

Page 1:

Elastic: Search, Observe, Protect

Jhon Masschelein, Jhon@Elastic.co

Principal Solutions Architect

Page 2:

/me

Jhon Masschelein, Jhon@Elastic.co

Elastic, Solution Architect (1y)
Microsoft Azure, Solution Architect Data & A.I. (3y)
Hortonworks, Solution Engineer (1.5y)
SURFsara, HPC DevOps Engineer (4.5y)
Silicon Graphics, Customer Support Engineer (13y)

Co-Host, Roaring Elephant Podcast (4.5y)

Page 3:

Search origins

Page 4:

Search is a constant/foundation

Page 5:

Technology differentiation

SCALE: Distributed by design

SPEED: Find matches in milliseconds

RELEVANCE: Get highly relevant results

Page 6:

3 Solutions – 1 Stack

Enterprise Search
• Site Search
• App Search
• Workplace Search

Observability
• Logs & Metrics
• Application Performance Monitoring (APM)
• Uptime

Security
• SIEM (Threat Hunting)
• Endpoint Security (EPP & EDR)

All running on the same Elastic Stack

Page 7:

Elastic Stack (architecture diagram)

Kibana: Visualize & Manage

Elasticsearch: Store, Search, & Analyze

Ingest: Beats, Logstash, Endpoint

Solutions on the stack: Site Search, App Search, Workplace Search; Logs, Metrics, APM; SIEM, Endpoint Security

Deployment options: SaaS (Elastic Cloud) or On-Prem (Elastic Cloud Enterprise, Elastic Cloud on Kubernetes, Standalone Elastic Stack)

Page 8:

Resource-based pricing across solutions

Contrasted pricing models: PER AGENT $$$$ | PER INGEST $$$$ | PER QUERY $$$$ | PER USER $$$$ | PER ENDPOINT $$$$

Pay only for the data you use!

Page 9:

Alerting – Anomaly Detection

Page 10:

Alert on anything you can query

Powered by Elasticsearch: alert on any Elasticsearch query; distributed execution; highly available

Notifications: Email, Slack, PagerDuty; custom (webhook)

Stack integrations: Machine Learning, Monitoring, and Reporting

Page 11:

Machine learning: anomaly-driven alerting

Understand seasonality

Reduce false positives

Avoid manual threshold revision

Identify areas of focus

Page 12:

Machine learning: anomaly-driven alerting

When something behaves like itself / When something behaves like its peers

(Chart: activity per day, Monday through Thursday)

Page 13:

Machine learning: anomaly detection

Unsupervised techniques - no manual training / input needed

Evolves with the data - “online” model learns continuously

Influencer detection - accelerates root cause identification

Page 14:

Machine learning: forecasting

Page 15:

Elastic Machine Learning Flow (diagram): Time Series Data

Page 16:

Security

Page 17:

Elastic Security

A SIEM for everyone, from the creators of the Elastic (ELK) Stack

Elastic Endpoint Security: as simple as antivirus, but way more powerful

Security how it should be: open

Page 18:

Elastic Security: Endpoint + SIEM (Collect, Detect, Prevent, Respond)

Collect: Zero Trust data policy; Elastic Common Schema; integrate any data source; Elasticsearch at the core

Prevent: Block in real time: ransomware, phishing, exploits and malware; Reflex custom preventions

Respond: Instant automated response; customized controls; one-click containment; detect once, prevent many

Detect: Simple alert triage; incident visualization; ATT&CK alignment; global ML detections; customized detections

Sec Ops Team

Page 19:

Elastic SIEM: threat hunting powerhouse

Page 20:

SecOps and threat hunting are team sports

Page 21:

Elastic SIEM - Establish a holistic view

Gain visibility into your environment: View data on interactive dashboards and maps. Perform graph-based relationship analysis. Search across information of all kinds. Do it all with technology fast enough for the sharpest analysts.

Surface anomalies with machine learning: Explore unknown threats exposed through machine learning-based anomaly detection. Equip threat hunters with evidence-based hypotheses. Find the threats you expected — and the ones you didn’t.

Page 22:

Elastic SIEM – A SIEM for everyone

Automate detection with ATT&CK-aligned rules: Continuously guard your environment with correlation rules that detect tools, tactics, and procedures indicative of potential threats. Content is aligned with the MITRE ATT&CK knowledge base and ready for immediate implementation.

Keep it simple. No more pricing by ingest: No matter how you start or grow with Elastic, you shouldn’t be constrained by how you get value from our products. Just pay for the resources you need, deploy them how you’d like, and do even more great things with Elastic.

Page 23:

Elastic Security: SIEM Demo

Page 24:

Questions?

Page 25:

Security starts at the endpoint

As simple as antivirus, but way more powerful

Page 26:

Elastic Security

Page 27:

Observe: Collect, store, and search all your data

Zero-trust policy: Kernel-level data collection and enrichment for adversary tamper resistance

Autonomous sensor: No external resources are required; works perfectly in air-gapped environments

Light-weight: The Endpoint sensor (agent) stays in the background.

Page 28:

Orient: Detect, analyze, and visualize the attack

Protections mapped to the MITRE ATT&CK matrix: Coverage across the entire breadth of an attack for layered defenses proven by rigorous third-party testing

Global detections with customized machine learning: Pre-loaded, one-click machine-learning analysis across all your data

Automatic attack visualization: Resolver™ view for scoping the attack and root cause analysis, enriched to accelerate and elevate users

Page 29:

Decide: Collaborate, scope, build response plan

Easy alert management: Assign and triage alerts with a simple workflow

Built-in collaboration: Comment and communicate on alerts, events, or investigations

Scoping at the speed of search: Rapidly determine the extent of the attack, looking across all your data for all time

Fits into your existing workflow: Rich integrations send investigations to fit into your existing triage process

Page 30:

Dashboarding: Analyze Endpoint Data in Kibana

Direct link to Elastic Kibana: The setup is currently done through a simple streaming pipeline configuration

Default dashboard: Once configured, a default dashboard will be installed in Kibana that gives a view into the data being sent from Elastic Endpoint Security to the Elastic Stack.

Endpoint data index: All endpoint data lands in standard Elasticsearch indices, available for analyses using the API and all Elastic apps like Discover and Maps.
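Pages 10, 18, 22 and 30 describe the pieces of the detection path at slide level: endpoint events in Elastic Common Schema landing in ordinary Elasticsearch indices, a detection rule that is "any Elasticsearch query", ATT&CK alignment of that rule, and a custom webhook notification. The block below is an added example, not code from the deck or from Elastic, that puts those pieces together end to end. It assumes constructed ECS-shaped process events (the field names `event.category`, `process.name`, `process.parent.name`, `host.name`, `user.name` and `@timestamp` are real ECS fields; every value is invented), a constructed rule whose query uses the standard Elasticsearch `bool`/`term`/`terms`/`range`/`exists` clauses, and a small local evaluator for just that subset of the query DSL so the rule can be exercised offline. The webhook body shape is this example's own choice, not the format of Elastic's alert actions.

```python
"""Added example: an ATT&CK-tagged detection rule written as an Elasticsearch
bool query over ECS events, evaluated locally, then packaged for a webhook."""
import json
import operator
from typing import Any

# Constructed sample events in ECS field layout (values are invented).
SAMPLE_EVENTS = [
    {"@timestamp": "2021-03-01T15:19:02Z", "event": {"category": "process", "type": "start"},
     "host": {"name": "ws-042"}, "user": {"name": "jane"},
     "process": {"name": "winword.exe", "parent": {"name": "explorer.exe"}}},
    {"@timestamp": "2021-03-01T15:20:11Z", "event": {"category": "process", "type": "start"},
     "host": {"name": "ws-042"}, "user": {"name": "jane"},
     "process": {"name": "powershell.exe", "parent": {"name": "winword.exe"}}},
    {"@timestamp": "2021-03-01T15:21:40Z", "event": {"category": "process", "type": "start"},
     "host": {"name": "ws-017"}, "user": {"name": "jacob"},
     "process": {"name": "cmd.exe", "parent": {"name": "outlook.exe"}}},
    {"@timestamp": "2021-03-01T15:22:05Z", "event": {"category": "process", "type": "start"},
     "host": {"name": "ws-017"}, "user": {"name": "jacob"},
     "process": {"name": "powershell.exe", "parent": {"name": "cmd.exe"}}},
    {"@timestamp": "2021-03-01T15:23:30Z", "event": {"category": "network", "type": "connection"},
     "host": {"name": "ws-042"}, "user": {"name": "jane"},
     "source": {"ip": "10.0.0.42"}, "destination": {"ip": "203.0.113.7", "port": 443}},
]

# Constructed rule: an Elasticsearch query plus ATT&CK metadata. T1059 is the
# real ATT&CK id for "Command and Scripting Interpreter"; the rule text is ours.
OFFICE_SPAWNS_SHELL_RULE = {
    "name": "Office application spawning a command shell",
    "risk_score": 73,
    "threat": {"framework": "MITRE ATT&CK",
               "technique": {"id": "T1059", "name": "Command and Scripting Interpreter"}},
    "query": {"bool": {
        "filter": [
            {"term": {"event.category": "process"}},
            {"terms": {"process.parent.name": ["winword.exe", "excel.exe", "outlook.exe"]}},
        ],
        "should": [
            {"term": {"process.name": "cmd.exe"}},
            {"term": {"process.name": "powershell.exe"}},
        ],
        "minimum_should_match": 1,
    }},
}

RANGE_OPS = {"gte": operator.ge, "gt": operator.gt, "lte": operator.le, "lt": operator.lt}


def get_field(doc: dict, path: str) -> Any:
    """Resolve a dotted ECS field name such as "process.parent.name" in a nested document."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(query: dict, doc: dict) -> bool:
    """Evaluate a subset of the Elasticsearch query DSL against one document.
    Supported clauses: term, terms, exists, range, bool(must/filter/must_not/should)."""
    (kind, body), = query.items()
    if kind == "term":
        (field, value), = body.items()
        return get_field(doc, field) == value
    if kind == "terms":
        (field, values), = body.items()
        return get_field(doc, field) in values
    if kind == "exists":
        return get_field(doc, body["field"]) is not None
    if kind == "range":
        (field, bounds), = body.items()
        value = get_field(doc, field)
        # ISO-8601 timestamps in the same format compare correctly as strings.
        return value is not None and all(RANGE_OPS[op](value, b) for op, b in bounds.items())
    if kind == "bool":
        required = body.get("must", []) + body.get("filter", [])
        if not all(matches(q, doc) for q in required):
            return False
        if any(matches(q, doc) for q in body.get("must_not", [])):
            return False
        # Elasticsearch default: should clauses are optional when must/filter
        # clauses exist, otherwise at least one of them has to match.
        minimum = body.get("minimum_should_match", 0 if required else 1)
        return sum(matches(q, doc) for q in body.get("should", [])) >= minimum
    raise ValueError(f"unsupported query clause: {kind}")


def run_rule(rule: dict, events: list) -> list:
    """Return the events the rule's query matches (what the engine would raise as alerts)."""
    return [e for e in events if matches(rule["query"], e)]


def webhook_payload(rule: dict, hits: list) -> dict:
    """Body for a custom webhook notification (shape chosen for this example)."""
    return {
        "rule": rule["name"],
        "risk_score": rule["risk_score"],
        "attack_technique": rule["threat"]["technique"]["id"],
        "hit_count": len(hits),
        "hits": [{"@timestamp": h["@timestamp"], "host": get_field(h, "host.name"),
                  "user": get_field(h, "user.name"),
                  "parent": get_field(h, "process.parent.name"),
                  "process": get_field(h, "process.name")} for h in hits],
    }


if __name__ == "__main__":
    found = run_rule(OFFICE_SPAWNS_SHELL_RULE, SAMPLE_EVENTS)
    print(json.dumps(webhook_payload(OFFICE_SPAWNS_SHELL_RULE, found), indent=2))
```

Against the constructed events the rule fires twice (PowerShell under winword.exe on ws-042 and cmd.exe under outlook.exe on ws-017) and stays quiet on the PowerShell whose parent is cmd.exe, which shows why the parent-process field, not just the process name, carries the signal. The same `query` object can be sent unchanged to a real index over the search API; only the local `matches` evaluator is a stand-in for Elasticsearch.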

Page 31:

Elastic Security: Endpoint Protection Demo

Page 32:

Questions?

Page 33:

Elastic SIEM: Threat Hunting (scenario timeline, 15:19 to 15:29)

Timeline events: Found Credentials Using HIBP; Phished Credentials Using Fake Website; New Certificate Detected; Login from Vacation; Credit Cards Detected; Smoke Screen; Auditbeat Low Count; Container Crashed; Impossible Travel; Created Certificate

Swimlanes: Jacob, Jane, SOAR

SOAR responses: Restart; Block IP; Revoke Credentials & Certificates

Page 34:

Elastic Security: Integrated SIEM Demo

Page 35:

Questions?

Page 36:

https://ela.st/cyber-security-education-webinar