Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security @ Slack

Elastic Co
March 09, 2017
Technology
1
24k

Security @ Slack

Monitoring for malicious activity and handling the resulting alerts is vital to the success of a defensive security program. Powerful, centralized logging is available to all of us, but it is only useful if we understand and take action on the data collected.

This talk will discuss tools everyone should consider using to monitor their infrastructure, including Elasticsearch, and the process by which users can create a reliable logging pipeline to handle data from thousands of hosts. Ryan and Nate will demonstrate how to scale these efforts by integrating security into a communication platform that helps users look at more data by delegating event management to the affected individuals directly.

Nate Brown l Developer l Slack
Ryan Huber l Security Developer l Slack

Elastic Co

March 09, 2017
Tweet

More Decks by Elastic Co

See All by Elastic Co
Les Vendredis noirs : même pas peur ! - Breizhcamp
elastic
15
780
Confoo Montreal: Ingest node: enriching documents within Elasticsearch
elastic
16
810
Elastic{ON} 2018 - Sipping from the Firehose: Scalable Endpoint Data for Incident Response
elastic
6
4.2k
Elastic{ON} 2018 - A Security Analytics Platform for Today
elastic
3
11k
Elastic{ON} 2018 - The State of Geo in Elasticsearch
elastic
7
12k
Elastic{ON} 2018 - Reliable by design - Applying formal methods to distributed systems
elastic
5
4.7k
Elastic{ON} 2018 - Bigger, Faster, Stronger - Leveling Up Enterprise Logging
elastic
1
4.9k
Elastic{ON} 2018: Latest in Logstash
elastic
1
4.5k
Elastic{ON} 2018 - Lessons Learned from Workday's Search Application Journey from POC to Production
elastic
2
2.4k

Other Decks in Technology

See All in Technology
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
3
12k
Tellus の衛星データを見てみよう #mf_fukuoka
kongmingstrap
0
180
FrontDoorとWebAppsを組み合わせた際のリダイレクト処理の注意点
kenichirokimura
1
500
データベース02: データベースの概念
trycycle
0
150
SPI原点回帰論:事業課題とFour Keysの結節点を見出す実践的ソフトウェアプロセス改善 / DevOpsDays Tokyo 2024
visional_engineering_and_design
4
1.9k
現代CSSフレームワークの内部実装とその仕組み
poteboy
8
3.6k
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2.1k
On Your Data を超えていく!
hirotomotaguchi
2
660
エンジニア候補者向け資料2024.04.24.pdf
macloud
0
3.3k
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
280
Reducing Cross-Zone Egress at Spotify with Custom gRPC Load Balancing Recap
koh_naga
0
200
AWSに詳しくない人でも始められるコスト最適化ガイド
yuhta28
0
180

Featured

See All Featured
Unsuck your backbone
ammeep
663
57k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Product Roadmaps are Hard
iamctodd
44
9.7k
Imperfection Machines: The Place of Print at Facebook
scottboms
260
12k
KATA
mclloyd
15
12k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.5k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
7
1k
Git: the NoSQL Database
bkeepers
PRO
422
63k
The Cost Of JavaScript in 2023
addyosmani
16
3.9k
Web development in the modern age
philhawksworth
202
10k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
17
6.4k

Transcript

  1. Slack 9th March 2017 The Bad Things Happen When You’re

    Not Looking (Security @ Slack) Nate Brown, Senior Staff Security Engineer @nbrownus Ryan Huber, Manager of Security Operations @ryanhuber

  2. About me (ryan)

  3. About me (nate)

  4. Slack

  5. Security Operations team?

  6. Do you Elasticsearch/Splunk?

  7. Breaches

  8. How does a company know when it has been hacked?

  9. The company’s employees notice something strange.

  10. A 3rd party contacts the company because they notice something

    strange (*Krebs)

  11. Hacker(s) contact the company because they want them to notice

    something strange

  12. They Don’t :(

  13. Time

  14. How do they get in?

  15. Superhackers, right?

  16. (NSA)

  17. Exercise: Think like an attacker

  18. Monitoring

  19. kibana

  20. None
  21. None

  22. Elastalert (or x-pack watcher)

  23. None

  24. AlertCenter

  25. None

  26. SecurityBot

  27. Don’t be Netcool

  28. Pipeline

  29. rsyslog + relp

  30. streamstash (or logstash)

  31. elasticsearch (with kopf)

  32. None

  33. 4 Streamstash nodes ~25,000 events per second 28 elasticsearch nodes

    ~25TB of data online

  34. Data Sources

  35. kernel audit

  36. auth logs (ssh, sudo, …)

  37. Webserver (apache, nginx, etc)

  38. Log (almost) all the things! mlogger or logger --size

  39. So about auditd (Ryan’s favorite bit)

  40. auditd

  41. You already have it! (just like SELinux/apparmor)

  42. (picture of logs from auditd)

  43. audisp

  44. So we wrote our own...

  45. go-audit

  46. syscalls

  47. execve

  48. listen

  49. connect

  50. ngrok?

  51. Why not osquery/eBPF?

  52. Finding Badness

  53. Defender’s advantage

  54. The hypothetical malicious insider

  55. Off the shelf rulesets

  56. ZERO DAYS != INVISIBILITY CLOAKS

  57. Verification

  58. Carbon Black, anecdotally

  59. Canaries

  60. None

  61. Red Teaming

  62. What if they got in anyway?

  63. You have lots of forensic data!

  64. You can rent some computers temporarily. Neat.

  65. Security + Operations

  66. Don’t let perfection be the enemy of good.

  67. Try go-audit!

  68. goo.gl/9D32SW @nbrownus @ryanhuber Questions?