
Strengthen your SIEM: Using Logstash to Connect ArcSight to the Elastic Stack

Elastic Co
March 08, 2017

Strengthen your SIEM: Using Logstash to Connect ArcSight to the Elastic Stack

As many of our users know, the Elastic Stack helps provide real-time insights into your data at massive scale.

With the release of Logstash 5.1, you can easily connect any device that supports the CEF data format to the Elastic Stack, using the CEF codec over files, Kafka or syslog. This session will provide a step-by-step guide to extending and complementing your existing ArcSight deployment with the Elastic Stack. Topics covered will include how to ingest CEF logs into the Elastic Stack using Logstash, visualising dashboards in Kibana, proactively monitoring security data in Elasticsearch using X-Pack alerting features and applying machine learning to identify potentially suspicious signatures.
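The CEF codec does this parsing inside Logstash. To show what the format actually requires of a parser (a pipe-delimited header in which `\|` and `\\` are escapes, followed by a space-separated `key=value` extension whose values may themselves contain spaces and `\=`), here is an added stand-alone parser written for this page; it is not the Logstash codec's code, and the sample lines are constructed, not real ArcSight output. Field names such as `device_vendor` are this example's own choice.

```python
import re
from typing import Dict, List, Tuple

# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|
#                    Device Event Class ID|Name|Severity|[Extension]
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")

# An extension key starts the extension or follows whitespace, and ends at '='.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")
_ESCAPES = {"n": "\n", "r": "\r"}

# Constructed sample lines (not real ArcSight output): syslog prefix plus CEF body.
# Line 2 exercises the escaping rules: '\|' and '\\' in the header, '\=' in an extension value.
SAMPLE_LINES = [
    "<134>Mar 08 10:11:12 arcsight-conn CEF:0|ArcSight|ArcSight|6.0|100|Failed login|5|"
    "src=10.0.0.5 suser=admin dst=10.0.0.10 dpt=22 msg=Password mismatch for user admin",
    r"<134>Mar 08 10:11:13 arcsight-conn CEF:0|Vendor\|Inc|Fire\\wall|1.2|4242|Pipe \| in name|3|"
    r"src=192.0.2.7 act=blocked cs1Label=rule cs1=deny\=all dst=198.51.100.9",
]


def _unescape(value: str) -> str:
    # Undo CEF escaping: backslash-backslash, backslash-equals, backslash-pipe,
    # and the \n / \r encodings of line breaks inside a value.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def _split_header(cef_body: str) -> Tuple[List[str], str]:
    """Split the seven header fields on unescaped '|' and return (fields, extension).

    A character scanner is used instead of re.split with a lookbehind, because
    an escaped backslash followed by a real pipe ('Fire\\\\|') would fool the latter.
    """
    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(cef_body) and len(fields) < 7:
        ch = cef_body[i]
        if ch == "\\" and i + 1 < len(cef_body):   # escaped '|' or '\': keep the literal char
            current.append(cef_body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < 7:            # input ended inside the header: last field had no closing '|'
        fields.append("".join(current))
        return fields, ""
    return fields, cef_body[i:]


def _parse_extension(extension: str) -> Dict[str, str]:
    """Values may contain spaces, so each value runs up to the next 'key=' token."""
    keys = list(_EXT_KEY.finditer(extension))
    parsed: Dict[str, str] = {}
    for n, match in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(extension)
        parsed[match.group(1)] = _unescape(extension[match.end():end].strip())
    return parsed


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog-wrapped CEF line into a flat dict plus an 'extensions' dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    fields, extension = _split_header(line[start + len("CEF:"):])
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 fields, got %d" % len(fields))
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, fields))
    event["syslog_header"] = line[:start].strip()
    severity = fields[6]
    # Severity is 0-10 numerically, or Low/Medium/High/Very-High as text; keep text as-is.
    event["severity"] = int(severity) if severity.isdigit() else severity
    event["extensions"] = _parse_extension(extension)
    return event


def parse_lines(lines: List[str]) -> List[Dict[str, object]]:
    return [parse_cef(line) for line in lines]


if __name__ == "__main__":
    import json
    for event in parse_lines(SAMPLE_LINES):
        print(json.dumps(event, indent=2))
```

The second sample is the one to watch: a naive `split("|")` would break the vendor name and the event name in two, and a naive `split(" ")` would lose the multi-word `msg` value in the first sample. Both are real failure modes when CEF is fed through a generic key-value filter instead of the CEF codec.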

Samir Bennacer l Support Engineer l Elastic
Nicholas Lim l Consulting Architect l Elastic



Transcript

  1. Elastic, 8 March 2017. Complementing your SIEM: Connecting ArcSight to the Elastic Stack. Nicholas Lim, Consulting Architect (@imNicL); Samir Bennacer, Support Engineer (@SamirBennacer)
  2. Agenda
     1 Challenges with SIEM Solutions
     2 How the Elastic Stack can complement your SIEM
     3 How to Integrate ArcSight with the Elastic Stack
     4 Correlation using X-Pack Alerting and Machine Learning (ML)
     5 Demo
  3. Challenges with SIEM Solutions
     • Complexity
     • Search performance not scalable
     • Index performance not scalable
     • Pricing model fails to scale economically
     • Limited data retention
     • Difficulty with unstructured data
     • Limited to either real time or historical
     • Nominally maintained (if available) APIs, SDKs
     • Proprietary storage
     • Very expensive training
     • Difficult and requires vendor’s expertise
     • Limited HA functionality
  4. How Elastic Stack Complements Your SIEM
     Scalability
     • Highly distributed & scalable
     • Scale as you need
     • Resiliency at scale
     Performance
     • Performance from the ground up
     • Queries & Analysis in near real time
     Flexibility
     • Robust REST API and Client API
     • Deal with all kinds of data
  5. Connecting ArcSight to the Elastic Stack (architecture diagram)
     ArcSight Connector -> Logstash (X-Pack) -> Elasticsearch (X-Pack) -> Kibana (X-Pack)
     https://www.elastic.co/blog/integrating-elastic-stack-with-arcsight-siem-part-1
  6. Scaling the Architecture (architecture diagram)
     ArcSight Connectors -> Kafka Messaging Queue -> Logstash Instances (X) -> Elasticsearch cluster: Master Nodes (3), Ingest Nodes (X), Data Nodes - Hot (X), Data Nodes - Warm (X) -> Kibana Nodes (X)
     X-Pack on Logstash, Elasticsearch and Kibana
     https://www.elastic.co/blog/integrating-elastic-stack-with-arcsight-siem-part-3
  7. Watch Execution: X-Pack Alerting
     Set Up Watch: Trigger -> Input -> Conditions -> Actions
     Watch execution (flowchart):
     • Time to execute a watch
     • Run search query to get input
     • Load input into watch payload
     • Conditions met?
       • YES: perform actions, then store watch_record in Watcher-History index
       • NO: store watch_record in Watcher-History index
     https://www.elastic.co/blog/integrating-elasticsearch-with-arcsight-siem-part-2
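As an added illustration of the execution flow on this slide (example code written for this page, not Elastic's Watcher implementation): the watch is a dict in the JSON shape Watcher accepts (a schedule trigger, a search input, a compare condition on `ctx.payload.hits.total`, and a logging action), and a small in-memory evaluator stands in for Elasticsearch for the search step. The events are constructed; their field names (`deviceEventClassId`, `sourceAddress`) are assumed to follow the Logstash CEF codec's expansion of the CEF keys, and the threshold and window are arbitrary.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, List

# Constructed events (not real data), shaped like documents the Logstash CEF codec would index.
NOW = datetime(2017, 3, 8, 10, 15, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=10)          # a second execution after the burst has aged out
EVENTS: List[Dict[str, Any]] = [
    {"@timestamp": NOW - timedelta(seconds=age), "deviceEventClassId": "100",
     "name": "Failed login", "sourceAddress": "10.0.0.5", "destinationUserName": "admin"}
    for age in (5, 20, 45, 70, 110, 150)     # six failures inside the last 5 minutes
] + [
    {"@timestamp": NOW - timedelta(minutes=20), "deviceEventClassId": "100",
     "name": "Failed login", "sourceAddress": "10.0.0.9", "destinationUserName": "root"},   # too old
    {"@timestamp": NOW - timedelta(seconds=30), "deviceEventClassId": "200",
     "name": "Successful login", "sourceAddress": "10.0.0.5", "destinationUserName": "admin"},  # other signature
]

# Watch definition in the JSON shape Watcher takes: trigger, input, condition, actions.
WATCH: Dict[str, Any] = {
    "trigger": {"schedule": {"interval": "5m"}},
    "input": {"search": {"request": {
        "indices": ["cef-*"],
        "body": {"query": {"bool": {"filter": [
            {"term": {"deviceEventClassId": "100"}},
            {"range": {"@timestamp": {"gte": "now-5m"}}},
        ]}}},
    }}},
    "condition": {"compare": {"ctx.payload.hits.total": {"gt": 5}}},
    "actions": {"log_alert": {"logging": {
        "text": "{{ctx.payload.hits.total}} failed logins in the last 5 minutes"}}},
}

_COMPARE: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda a, b: a == b, "not_eq": lambda a, b: a != b,
    "gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
    "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b,
}


def _date_math(expr: str, now: datetime) -> datetime:
    """Resolve the 'now-<n><unit>' subset of Elasticsearch date math used in the watch."""
    m = re.fullmatch(r"now-(\d+)([smhd])", expr)
    if not m:
        raise ValueError("unsupported date math: " + expr)
    unit = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}[m.group(2)]
    return now - timedelta(**{unit: int(m.group(1))})


def _matches(event: Dict[str, Any], query: Dict[str, Any], now: datetime) -> bool:
    """Evaluate a bool/filter query of term and range clauses against one event (stand-in for ES)."""
    for clause in query["bool"]["filter"]:
        if "term" in clause:
            (field, value), = clause["term"].items()
            if event.get(field) != value:
                return False
        elif "range" in clause:
            (field, bounds), = clause["range"].items()
            if event[field] < _date_math(bounds["gte"], now):
                return False
        else:
            raise ValueError("unsupported clause: " + ", ".join(clause))
    return True


def run_input(watch, events, now) -> Dict[str, Any]:
    """Input step: run the search query and load the result into the watch payload."""
    body = watch["input"]["search"]["request"]["body"]
    hits = [e for e in events if _matches(e, body["query"], now)]
    return {"hits": {"total": len(hits), "hits": hits}}


def _lookup(payload, dotted: str):
    """Walk a 'ctx.payload.a.b' path into the payload dict."""
    value: Any = payload
    for key in dotted.split(".")[2:]:        # drop the 'ctx.payload' prefix
        value = value[key]
    return value


def condition_met(watch, payload) -> bool:
    (path, comparison), = watch["condition"]["compare"].items()
    (op, threshold), = comparison.items()
    return _COMPARE[op](_lookup(payload, path), threshold)


def run_actions(watch, payload) -> List[Dict[str, Any]]:
    results = []
    for action_id, action in watch["actions"].items():
        text = re.sub(r"\{\{(ctx\.payload\.[\w.]+)\}\}",
                      lambda m: str(_lookup(payload, m.group(1))), action["logging"]["text"])
        results.append({"id": action_id, "type": "logging", "status": "success", "logged_text": text})
    return results


def execute_watch(watch, events, now, history: List[Dict[str, Any]]) -> Dict[str, Any]:
    """One execution: input -> condition -> actions; the record is stored whether or not it fired."""
    payload = run_input(watch, events, now)
    met = condition_met(watch, payload)
    actions = run_actions(watch, payload) if met else []
    record = {"triggered_time": now.isoformat(), "condition_met": met,
              "hits_total": payload["hits"]["total"], "actions": actions}
    history.append(record)                   # stand-in for the watch_record written to .watcher-history-*
    return record


if __name__ == "__main__":
    history: List[Dict[str, Any]] = []
    print(execute_watch(WATCH, EVENTS, NOW, history))
    print(execute_watch(WATCH, EVENTS, LATER, history))
```

The point the flowchart makes, and the code keeps, is that both branches end in the history index: a watch that never fires still leaves one record per execution, which is what you query to prove the watch was actually running during an incident window. The `WATCH` dict itself is what you would PUT to the Watcher API; only the in-memory search and the hand-rolled Mustache substitution are stand-ins.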
  8. X-Pack Machine Learning
     Automated Anomaly Detection, Anomaly Scoring, Influencer Identification:
     • Detect attack behaviors as anomalies
     • Significantly reduce false positive alerts
     • Find the root cause of anomalies faster
  9. Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nd/4.0/
     Creative Commons and the double C in a circle are registered trademarks of Creative Commons in the United States and other countries. Third party marks and brands are the property of their respective holders. Please attribute Elastic with a link to elastic.co