Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A "beat" of security - Codemotion Berlin 2017

Tudor Golubenco
October 13, 2017
Technology
1
68

A "beat" of security - Codemotion Berlin 2017

From guessing a weak password to exploiting zero-day vulnerabilities, there are a lot of ways attackers can get into your private network. Even if you follow all the best security practices, there’s a good chance you will face a security incident sooner or later. The questions are: how quickly will you find out? how will you respond? how will you know which systems are compromised? How fast you can find out makes the difference between a catastrophe and a minor incident. This talk will show you what can you do to discover the security breaches as soon as possible, using the Elastic stack and Auditbeat.

Tudor Golubenco

October 13, 2017
Tweet

More Decks by Tudor Golubenco

See All by Tudor Golubenco
Semantic vs keyword search as context for GPT
tsg
0
84
From ELK to Elastic: Modern logging and monitoring
tsg
0
210
Get real-time insights from your application with Packetbeat & Elasticsearch
tsg
0
240
Application performance management with open source tools
tsg
0
190
Application performance management with Packetbeat, Elasticsearch and Kibana
tsg
3
500

Other Decks in Technology

See All in Technology
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
950
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
OCI Network Firewall 概要
oracle4engineer
PRO
0
4.2k
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
180
New Relicを活用したSREの最初のステップ / NRUG OKINAWA VOL.3
isaoshimizu
3
630
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
300
FlutterアプリにおけるSLI/SLOを用いたユーザー体験の可視化と計測基盤構築
ostk0069
0
110
DynamoDB でスロットリングが発生したとき_大盛りver/when_throttling_occurs_in_dynamodb_long
emiki
1
440
強いチームと開発生産性
onk
PRO
35
11k
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
1.3k
初心者向けAWS Securityの勉強会mini Security-JAWSを9ヶ月ぐらい実施してきての近況
cmusudakeisuke
0
130
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
140

Featured

See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Rails Girls Zürich Keynote
gr2m
94
13k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Being A Developer After 40
akosma
87
590k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
The Cult of Friendly URLs
andyhume
78
6k
The Language of Interfaces
destraynor
154
24k

Transcript

  1. A “beat” of security Tudor Golubenco @tudor_g

  2. Tudor Golubenco Software engineer and Tech Lead for Elastic Beats

  3. Elastic Stack Kibana Elasticsearch Beats Logstash

  4. Logging and Monitoring

  5. Security

  6. Tower defence 6 Firewall App security OS user isolation Encryption

    Unprotected host discovered Remote shell as unprotected user Remote shell as root

  7. Security Breaches

  8. • Zero-day vulnerabilities • Heartbleed, Cloudbleed, Shellshock, etc. • Out

    of date software with known vulnerabilities • Weak passwords. Default passwords • Lost unprotected phone that’s logged into email and Dropbox • Commit by mistake your AWS credentials in GitHub How breaches happen 8

  9. WHY? 9

  10. • You find out from the press • You find

    out from the attackers who request a ransom • You find out from the AWS bill • You find out yourself, but after the harm was done • You find out yourself, but you are not sure what the harm was • You find out yourself, no harm was done, and you can prove it How do you find out? 10 bad not so bad

  11. How can you detect a breach as quickly as possible?

  12. Logging and Monitoring

  13. 50+ other community Beats shipping The Beats, collecting all sorts

    of operational data 13 Filebeat Metricbeat Auditbeat Packetbeat Winlogbeat Heartbeat

  14. Demo

  15. 15 • Like auditd, but: • correlates related events automatically

    • resolves UIDs to user names • publishes natively into Elasticsearch • easier to configure • Gives eBPF powers, but works on older kernels • Can run side by side with auditd Auditbeat - nothing gets past it

  16. • Install Elasticsearch & Kibana (~30m) • Or get a

    cloud instance: https://cloud.elastic.co/ (~5m) • Run Filebeat & Metricbeat with the system modules enabled (~15m) • Install Auditbeat with the configuration I demoed: (~15) • https://gist.github.com/tsg/eb7a3beb511b81c083afa905c035f901 • ???? • Profit Homework 16

  17. • More auditd / auditbeat rules: • https://github.com/linux-audit/audit-userspace/tree/master/rules • Setup

    alerting for common issues • Elastic Watcher • Watch the “Security @ Slack” talk, by Nate Brown & Ryan Huber • https://www.elastic.co/elasticon/conf/2017/sf/security-at-slack For overachievers 17

  18. • Ship to Elasticsearch, apply analytics and alerts on there

    Keep your alerting logic private 18

  19. Q & A @tudor_g