A “beat” of security Monica Sarbu and Tudor Golubenco 

About us Monica Sarbu Software engineer and Beats team lead Tudor Golubenco Software engineer and Beats tech lead 

No content

Beats are lightweight shippers that collect and ship all kinds of operational data to Elasticsearch 

The Beats 5 30+ other community Beats shipping 

Elastic Stack Kibana Elasticsearch Beats Logstash 

Logging and Monitoring 

Security 

http://www.campussafetymagazine.com/article/friday_humor_6_major_security_fails 

• NSA breaks in your network • Zero-day vulnerabilities • Heartbleed, Cloudbleed, Shellshock, etc. • Out of date software with known vulnerabilities • Weak passwords. Default passwords • Commit by mistake your AWS credentials in GitHub Security breaches 10 

• You never find out • You find out from the press • You find out from the attackers who request a ransom • You find out from the AWS bill • You find out yourself, but after the harm was done • You find out yourself, but you are not sure what the harm was • You find out yourself, no harm was done, and you can prove it How do you find out? 11 

Logging and Monitoring (for security) 

Data Sources 

auth logs • SSH logins (password or publickey, IP, GeoIP) • failed sudo attempts • useradd / groupadd 

Windows logons • logon failure events from the Security event log 

auditd • watch file accesses • new network connections • new processes 

Running processes • find suspicious commands 

Network connections • outbound connections initiated by a process • processes in listening mode 

Demo