A "beat" of security - Codemotion Berlin 2017

A “beat” of security Tudor Golubenco @tudor_g

Tudor Golubenco Software engineer and Tech Lead for Elastic Beats

Elastic Stack Kibana Elasticsearch Beats Logstash

Logging and Monitoring

Security

Tower defence 6 Firewall App security OS user isolation Encryption
Unprotected host discovered Remote shell as unprotected user Remote shell as root

Security Breaches

• Zero-day vulnerabilities • Heartbleed, Cloudbleed, Shellshock, etc. • Out
of date software with known vulnerabilities • Weak passwords. Default passwords • Lost unprotected phone that’s logged into email and Dropbox • Commit by mistake your AWS credentials in GitHub How breaches happen 8

WHY? 9

• You find out from the press • You find
out from the attackers who request a ransom • You find out from the AWS bill • You find out yourself, but after the harm was done • You find out yourself, but you are not sure what the harm was • You find out yourself, no harm was done, and you can prove it How do you find out? 10 bad not so bad

How can you detect a breach as quickly as possible?

Logging and Monitoring

50+ other community Beats shipping The Beats, collecting all sorts
of operational data 13 Filebeat Metricbeat Auditbeat Packetbeat Winlogbeat Heartbeat

15 • Like auditd, but: • correlates related events automatically
• resolves UIDs to user names • publishes natively into Elasticsearch • easier to configure • Gives eBPF powers, but works on older kernels • Can run side by side with auditd Auditbeat - nothing gets past it

• Install Elasticsearch & Kibana (~30m) • Or get a
cloud instance: https://cloud.elastic.co/ (~5m) • Run Filebeat & Metricbeat with the system modules enabled (~15m) • Install Auditbeat with the configuration I demoed: (~15) • https://gist.github.com/tsg/eb7a3beb511b81c083afa905c035f901 • ???? • Profit Homework 16

• More auditd / auditbeat rules: • https://github.com/linux-audit/audit-userspace/tree/master/rules • Setup
alerting for common issues • Elastic Watcher • Watch the “Security @ Slack” talk, by Nate Brown & Ryan Huber • https://www.elastic.co/elasticon/conf/2017/sf/security-at-slack For overachievers 17

• Ship to Elasticsearch, apply analytics and alerts on there
Keep your alerting logic private 18

Q & A @tudor_g

A "beat" of security - Codemotion Berlin 2017

A "beat" of security - Codemotion Berlin 2017

Tudor Golubenco

More Decks by Tudor Golubenco

Other Decks in Technology

Featured

Transcript

A “beat” of security Tudor Golubenco @tudor_g

Tudor Golubenco Software engineer and Tech Lead for Elastic Beats

Elastic Stack Kibana Elasticsearch Beats Logstash

Logging and Monitoring

Security

Tower defence 6 Firewall App security OS user isolation Encryption

Security Breaches

• Zero-day vulnerabilities • Heartbleed, Cloudbleed, Shellshock, etc. • Out

WHY? 9

• You find out from the press • You find

How can you detect a breach as quickly as possible?

Logging and Monitoring

50+ other community Beats shipping The Beats, collecting all sorts

Demo

15 • Like auditd, but: • correlates related events automatically

• Install Elasticsearch & Kibana (~30m) • Or get a

• More auditd / auditbeat rules: • https://github.com/linux-audit/audit-userspace/tree/master/rules • Setup

• Ship to Elasticsearch, apply analytics and alerts on there

Q & A @tudor_g