Empower Your Security Practitioners: With Elastic SIEM
15 OCT 19
Kevin Keeney
Cyber Security Advocate
Introduction
Kevin Keeney, Cyber Security Advocate
@kevinkeeneyjr
linkedin.com/in/kevinkeeney
Empower your team
Elastic Common Schema (ECS)
Normalize data to streamline analysis
● An ever-expanding community of vendors and experts contributing to ECS
Elastic SIEM Ecosystem
● Internal context
● External context
● Community
● Consulting
● Commercial
● Adoption
These are just some of our partners and community members. The presence of a vendor logo doesn’t imply a business relationship with Elastic.
Corelight
From the makers of Zeek/Bro
Cloudflare
Where CDN meets security
Elastic SIEM (beta)
A SIEM for Elastic Stack users everywhere
Iterative cycle: Prevention, Detection, Response
No Compromises:
Introducing Elastic SIEM
Host data
Auditbeat
● System module (Linux, macOS, Windows): packages, processes, logins, sockets, users and groups
● Auditd module (Linux Kernel Audit info)
Filebeat
● System logs (auth logs) (Linux)
● Santa (macOS)
Winlogbeat
● Windows event logs
● Sysmon
Network data
Packetbeat
● Flows
● DNS
● Other protocols
Filebeat
● IDS/IPS/NMS modules: Zeek NMS, Suricata IDS
Curated integrations
Automated Detection
Machine Learning jobs for Security Analytics
v.7.3
Three security ML jobs included:
rare_process_by_host_windows_ecs
rare_process_by_host_linux_ecs
suspicious_login_activity_ecs
Automated Detection
Machine Learning jobs for Security Analytics
v.7.4
Thirteen more security ML jobs added:
linux-anomalous-network-activity
linux-anomalous-network-port-activity
linux-anomalous-network-service
linux-anomalous-process-all-hosts
linux-anomalous-network-URL-activity
linux-anomalous-user-name
linux-anomalous-path-activity
windows-anomalous-path-activity
windows-anomalous-process-all-hosts
windows-anomalous-process-creation
windows-anomalous-service
windows-anomalous-script
windows-anomalous-network-activity
Even more for security analysts to love
Elastic SIEM Bottom-up Vision
Elastic Confidential Information - Roadmap information provided on this slide is an overview of overall direction and nothing is committed.
Endgame Integration Strengthens Protection
Elastic Endpoint & SIEM