Slide 1

Slide 1 text

Elastic: A Security Analytics Platform for Today
Kevin Keeney, Cybersecurity Advocate; Samir Bennacer, Senior Solutions Architect
Date: 01 March 2018

Slide 2

Slide 2 text

Attacks are inevitable

Slide 3

Slide 3 text

Data Collection for Effective Security Analysis

Slide 4

Slide 4 text

Foundation for Effective Security Analysis (Collect / Normalize / Enrich / Index)

• Collect all parts of the puzzle
• Normalize for aggregation and correlation across sources
• Enrich to extend the attributes available for analysis
• Index for immediate recall

Slides 5–9

Slides 5–9 text (one table, built up one row per slide)

Data Sources (Collect / Normalize / Enrich / Index)

Domain           Data Sources                      Timing                       Tools
Network          PCAP, Bro, NetFlow                Real-time, packet-based      Packetbeat, Logstash (Netflow module)
Application      Logs                              Real-time, event-based       Filebeat, Logstash
Cloud            Logs, API                         Real-time, event-based       Beats, Logstash
Host             System state, signature alerts    Real-time, asynchronous      Auditbeat, Filebeat (Osquery module), Winlogbeat
Active scanning  (none listed)                     User-driven, asynchronous    Vulnerability scanners

Slide 10

Slide 10 text

Elastic Common Schema (Collect / Normalize / Enrich / Index)

Group 1 (must be populated): @timestamp, ecs_version, message

Group 2 (must be populated to the maximum extent practical where the event message contains relevant fields): Event, Agent, Device, Network, Source, Destination, Service, Threat, GeoIp, User, Host, File, Error

Group 3 (should include the Group 2 prefix and may include Group 3 prefix(es) in field names; any Group 3 prefix must not conflict with a defined ECS field name): Network Protocols…, Various Services…

Slide 11

Slide 11 text

Logstash: Normalization and Enrichment (Collect / Normalize / Enrich / Index)

Inputs: Beats, JDBC, TCP, UDP, HTTP, … (from network/security data, syslog servers, infra/app data, IoT/sensors)
Filters: extract fields, geo enrich, lookup enrich, DNS lookups, pattern matching, ArcSight codec, …
Persistent disk-based queues
Outputs: Elasticsearch, Kafka, RabbitMQ, RDBMS, …
Centralized configuration management: Elasticsearch

Slide 12

Slide 12 text

Data Enrichment (Collect / Normalize / Enrich / Index)

Threat intelligence
• Reputation information
• IOCs
• Vulnerability data
• TTPs

Geo IP information
• Physical location
• Country, state, …
• Postal code
• Geo fence

Other information
• Network model
• User information
• Org chart
• DNS resolution

Slide 13

Slide 13 text

Example: Bot IP Lookup

A common use case is looking up IPs from a spam/bot feed:

    filter {
      memcached {
        hosts => ["127.0.0.1:11211"]
        get => {
          "%{ip}" => "threat_src"
        }
      }
    }

Recommended reading: https://www.elastic.co/blog/elasticsearch-data-enrichment-with-logstash-a-few-security-examples
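The lookup the filter above performs, emulated in Python as an added example (not Elastic's code or the blog's): a dict stands in for the memcached instance at 127.0.0.1:11211, the feed entries and events are constructed, and canonical_ip, enrich and flagged are the example's own helper names. It also normalises the key before the lookup, because a memcached get is an exact string match and "::ffff:198.51.100.23" would otherwise miss an entry stored as "198.51.100.23".

```python
"""Emulation of the Logstash memcached lookup on the slide: the event's `ip`
field is used as the key into a feed of known bot/spam addresses and a hit is
written to `threat_src`.  Added example, not Elastic's code; the feed, the
events and the helper names below are constructed for illustration."""
import ipaddress

# Constructed stand-in for the memcached instance at 127.0.0.1:11211.
# Key: canonical IP string, value: the feed the address came from.
BOT_FEED = {
    "203.0.113.7": "spamfeed-a",
    "198.51.100.23": "botnet-feed-b",
}

def canonical_ip(raw):
    """Return the canonical text form of an IP, or None if `raw` is not one.
    The key lookup is an exact string match, so stray whitespace and
    IPv4-mapped IPv6 forms ("::ffff:203.0.113.7") are normalised first."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except (ValueError, AttributeError):
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return str(addr)

def enrich(event, feed=BOT_FEED):
    """Equivalent of `get => { "%{ip}" => "threat_src" }`: set threat_src when
    the ip is in the feed, leave the event untouched otherwise.  Events with
    no usable `ip` field are skipped (this example's choice)."""
    key = canonical_ip(event.get("ip"))
    if key is None:
        return event
    hit = feed.get(key)
    if hit is not None:
        event["threat_src"] = hit
    return event

def flagged(events, feed=BOT_FEED):
    """Enrich a batch (copies, so inputs stay untouched) and return the hits."""
    return [e for e in (enrich(dict(e), feed) for e in events) if "threat_src" in e]

# Constructed sample events as they might arrive from a firewall/syslog source.
SAMPLE_EVENTS = [
    {"ip": "203.0.113.7", "message": "accepted connection"},
    {"ip": "::ffff:198.51.100.23", "message": "accepted connection"},
    {"ip": "192.0.2.10 ", "message": "accepted connection"},
    {"message": "no source address in this log line"},
]

if __name__ == "__main__":
    for e in flagged(SAMPLE_EVENTS):
        print(e["ip"], "->", e["threat_src"])
```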

Slide 14

Slide 14 text

Alert-Based Detection: Event Correlation

Slide 15

Slide 15 text

Alert-Based Detection

● Event correlation
● Cross-source correlation
● Tiered correlation
● Chained correlation

Slide 16

Slide 16 text

Event correlation: Logstash → Elasticsearch → X-Pack Alerting

Slide 17

Slide 17 text

Detecting Anomalies Using ML

Slide 18

Slide 18 text

What is Normal?

• When something behaves like itself (chart: behaviour across Monday, Tuesday, Wednesday, Thursday)
• When something behaves like its peers

Slide 19

Slide 19 text

When Abnormal Matters (chart: high memory alerts for server 1, server 2, server 3)

Host behavior
• Free disk space lower than average
• Unusual log entries

Network behavior
• Unusual connections between hosts
• Higher than average data transfer

Application behavior
• Service response time abnormally high
• Dropped connections exceed normal

Slide 20

Slide 20 text

The Advantages of Anomaly-Driven Alerting

• Understand seasonality
• Reduce false positives
• Avoid manual review and revision
• Identify areas of focus

Slide 21

Slide 21 text

Getting Started: Machine Learning Recipes

Slide 22

Slide 22 text

Threat Hunting

Slide 23

Slide 23 text

Humans are more important than Hardware.

Slide 24

Slide 24 text

"Cyber is a human versus human conflict" - dcode

Slide 25

Slide 25 text

Know Thy Enemy

• Strategic: who and why
• Tactical: how and what

Slide 26

Slide 26 text

Know Thyself

• Blind spots
• Culture
• Most valuable data
• Critical systems

Slide 27

Slide 27 text

Intelligence Operations

Slide 28

Slide 28 text

Intelligence Operations (a loop between Intelligence and Operations)

1. What are you looking for? Form a hypothesis.
2. Investigation: work across different data sets and identify the patterns.
3. Output: new patterns, IOAs and IOCs.
4. Inform and enrich: feed the IOCs back and create new alerts to improve the speed of detection.

Slide 29

Slide 29 text

Pulling it all together…

• Who is your adversary?
• What is their motivation?
• What are the impacts of a successful attack?
• What are they targeting?

Slide 30

Slide 30 text

Speed is king

Slide 31

Slide 31 text

People are our most precious resource

Slide 32

Slide 32 text

www.elastic.co

Slide 33

Slide 33 text

Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nd/4.0/. Creative Commons and the double C in a circle are registered trademarks of Creative Commons in the United States and other countries. Third-party marks and brands are the property of their respective holders. Please attribute Elastic with a link to elastic.co.