Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A "beat" of security, with the Elastic Stack

Monica Sarbu
April 12, 2017
Technology
0
510

A "beat" of security, with the Elastic Stack

From guessing a weak password to exploiting zero-day vulnerabilities, there are a lot of ways attackers can get into your private networks. So even if you follow all the best security practices, there’s a good chance you will face a security incident sooner or later. The questions are: how quickly will you find out? how will you respond? how will you know which systems are compromised? In this talk, we’ll show you how to use the Elastic Stack, and in particular Beats, to detect security breaches.

Monica Sarbu

April 12, 2017
Tweet

More Decks by Monica Sarbu

See All by Monica Sarbu
Improve your work culture with diverse teams
monicasarbu
0
64
You Don't Look Like an Engineer
monicasarbu
1
970
Monitoring Kubernetes at Scale
monicasarbu
1
350
You don't look like an Engineer
monicasarbu
1
240
You Don't Look Like an Engineer
monicasarbu
0
140
Collecting the right data to monitor your infrastructure
monicasarbu
0
69
Monitor your containers with the Elastic Stack
monicasarbu
0
470
Monitor your infrastructure with the Elastic Beats
monicasarbu
0
330
Monitor your containers with the Elastic Stack
monicasarbu
0
290

Other Decks in Technology

See All in Technology
TransitGatewayの基礎
toru_kubota
0
230
Data and AI Governance: Existing Challenges and Emerging Trends
scotthsieh825
0
170
ChatworkのSRE部って実は 半分くらいPlatform Engineering部かもしれない
saramune
0
110
ChatGPT for IT Service Management (IT Pro)
dahatake
5
360
o11y入門_外形監視を利用したWebアプリケーションへの最適なモニタリング_TechBrew
k5k
3
100
SREとその組織類型
tatsuo48
8
1.5k
オブザーバビリティの Primary Signals
onk
PRO
0
560
自動生成を活用した、運用保守コストを抑える Error/Alert/Runbook の一元集約管理 / Centralized management of Error/Alert/Runbook to minimize operational costs using automated code generation
biwashi
10
2.2k
少数チームで挑む: SwiftUI, TCA, KMPを用いた 新規動画配信アプリ 「ABEMA Live」の開発について
tomu28
0
550
AWS を使う上で知っておきたいオンプレミス知識/aws-on-premise-essentials
emiki
1
4.2k
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
230
エンタープライズ環境下での Active Directory の運用 TIPS
tamaiyutaro
1
1.6k

Featured

See All Featured
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
119
39k
The Power of CSS Pseudo Elements
geoffreycrofte
59
5k
Building Effective Engineering Teams - LeadDev
addyosmani
27
1.8k
Making Projects Easy
brettharned
108
5.5k
Code Reviewing Like a Champion
maltzj
513
39k
We Have a Design System, Now What?
morganepeng
42
6.7k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
13
1.5k
Large-scale JavaScript Application Architecture
addyosmani
503
110k
Reflections from 52 weeks, 52 projects
jeffersonlam
344
19k
Become a Pro
speakerdeck
PRO
10
4.5k
The Illustrated Children's Guide to Kubernetes
chrisshort
29
46k
Making the Leap to Tech Lead
cromwellryan
123
8.5k

Transcript

  1. A “beat” of security Monica Sarbu and Tudor Golubenco

  2. About us Monica Sarbu Software engineer and Beats team lead

    Tudor Golubenco Software engineer and Beats tech lead
  3. None

  4. Beats are lightweight shippers that collect and ship all kinds

    of operational data to Elasticsearch

  5. The Beats 5 30+ other community Beats shipping

  6. Elastic Stack Kibana Elasticsearch Beats Logstash

  7. Logging and Monitoring

  8. Security

  9. http://www.campussafetymagazine.com/article/friday_humor_6_major_security_fails

  10. • NSA breaks in your network • Zero-day vulnerabilities •

    Heartbleed, Cloudbleed, Shellshock, etc. • Out of date software with known vulnerabilities • Weak passwords. Default passwords • Commit by mistake your AWS credentials in GitHub Security breaches 10

  11. • You never find out • You find out from

    the press • You find out from the attackers who request a ransom • You find out from the AWS bill • You find out yourself, but after the harm was done • You find out yourself, but you are not sure what the harm was • You find out yourself, no harm was done, and you can prove it How do you find out? 11

  12. Logging and Monitoring (for security)

  13. Data Sources

  14. auth logs • SSH logins (password or publickey, IP, GeoIP)

    • failed sudo attempts • useradd / groupadd

  15. Windows logons • logon failure events from the Security event

    log

  16. auditd • watch file accesses • new network connections •

    new processes

  17. Running processes • find suspicious commands

  18. Network connections • outbound connections initiated by a process •

    processes in listening mode

  19. Demo