c0c0n Elastic Security Workshop - 7.7 [Elastic SIEM].pptx

cemybone 41 views 29 slides Jul 24, 2024


Slide Content

c0c0n | Elastic: Detect, Hunt and MITRE
Haran Kumar | Security Specialist
Aravind Putrevu | Developer Advocate
17 September 2020

What's in for today?
- Hands-on experience with the Elastic Stack
  - Individual access to the Elastic Stack
  - Full feature set
- Hunt the artifacts with Elastic Security
  - Real-world attack scenario
  - Threat hunting to find suspicious artifacts
- Quick tour of the new Elastic Security 7.9 updates
  - New Elastic Endpoint
  - More SIEM and analyst workflow updates

Haran Kumar
Sr. Solutions Architect & EMEA Security Specialist
www.linkedin.com/in/harankumar

Aravind Putrevu
Developer Advocate at Elastic
www.linkedin.com/in/aravindputrevu

Environment
URL: https://ela.st/c0c0n-sec-workshop
Token: 3JHS
Note: the lab is accessible until 18 September, 9 PM IST
Link to labs:
- Colab: https://ela.st/security-workshop-labs
- GitHub: https://ela.st/lab-github

ABSTRACT
The workshop is based on a real-world attack scenario, such as an advanced persistent threat (APT), and on hunting malicious artefacts efficiently. We will use a threat hunting platform like Elastic, including SIEM and machine learning, to find known unknowns and unknown unknowns efficiently. We will also use the MITRE ATT&CK framework throughout the exercise.
LAB 0: Familiarising yourself with the lab setup
LAB 1: Analyse and visualise with real-time monitoring
LAB 2: Overview of Elastic SIEM
LAB 3: Hunt the artifacts with MITRE TTPs
LAB 4: Using the Detection Engine
LAB 5: Using Cases for collaborative incident response

Elastic at a glance

Elastic technology, powered by the Elastic Stack:
- 3 solutions: Elastic Enterprise Search, Elastic Security, Elastic Observability
- The Elastic Stack: Kibana, Elasticsearch, Beats, Logstash
- Deployed anywhere: SaaS (Elastic Cloud); orchestration / automation (Elastic Cloud on Kubernetes, Elastic Cloud Enterprise)

Elastic Stack as Central Platform (ela.st/security-data-source)

Elastic Ecosystem: scale your security program with the Elastic community
- Data sources: host sources, network sources, cloud platforms & applications, user activity sources
- SIEMs & centralized security data stores
- Security orchestration, automation, response; security incident response; general ticket & case management
- Internal context, external context
- Community, consulting, education & training (Logging Made Easy)
- Solutions integrators, value-added resellers, MSPs & MSSPs
These are just some of our partners and community members. The presence of a vendor logo doesn't imply a business relationship with Elastic.

Elastic Security

Elastic Security: unified protection for everyone
Elastic Security arms analysts to prevent, detect, and respond to threats — and it's free and open, available to analysts everywhere.

Prevention, detection, and response for unified protection
- Elastic Security: out-of-the-box solution for security analysts everywhere, with security content from Elastic and the community
- Kibana: visualize your Elasticsearch data and navigate the Elastic Stack
- Elasticsearch: a distributed, RESTful search and analytics engine
- Data collection: Logstash, Beats, Endpoint

Elastic Security for SecOps teams: Endpoint + SIEM
- Collect: Elasticsearch at the core; integrate any data source; Elastic Common Schema; Zero Trust data policy
- Detect: global ML detections; customized detections; ATT&CK alignment; incident visualization; simple alert triage
- Prevent: block in real time (ransomware, phishing, exploits and malware); reflex custom preventions; detect once, prevent many
- Respond: instant automated response; customized controls; one-click containment

Elastic Common Schema (ECS): how data is normalized inside Elastic
- Defines a common set of fields and objects for ingesting data into Elasticsearch
- Enables cross-source analysis of diverse data
- Designed to be extensible
- ECS is adopted throughout the Elastic Stack
- Contributions & feedback welcome at https://github.com/elastic/ecs

Searching without ECS:
  src: 10.42.42.42 OR client_ip: 10.42.42.42 OR apache2.access.remote_ip: 10.42.42.42 OR context.user.ip: 10.42.42.42 OR src_ip: 10.42.42.42
Searching with ECS:
  source.ip: 10.42.42.42
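The slide's point, normalizing the five source-specific field names into ECS `source.ip` so one query covers every data source, as an added, stand-alone Python example (not code from the workshop or from Elastic's own ECS tooling). The field names are the ones on the slide; the sample events, the `to_ecs` and `find_by_source_ip` helper names, and the handling of a malformed address are assumptions made here.

```python
import ipaddress
from typing import Any, Dict, List, Optional

# Source-specific fields from the slide that all mean "source IP", tried in order.
# apache2.access.remote_ip and context.user.ip are dotted paths into nested objects.
SOURCE_IP_ALIASES = [
    "src", "client_ip", "apache2.access.remote_ip", "context.user.ip", "src_ip",
]

def get_path(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Walk a dotted path into nested dicts; return None if any hop is missing."""
    node: Any = doc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def to_ecs(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Copy the first valid source-IP alias into ECS source.ip.
    A value that is not an IP address is skipped, so source.ip is never guessed."""
    out = dict(doc)
    for alias in SOURCE_IP_ALIASES:
        value = get_path(doc, alias)
        if value is None:
            continue
        try:
            ip = ipaddress.ip_address(str(value).strip())
        except ValueError:
            continue  # e.g. a hostname or garbage in the field; try the next alias
        out.setdefault("source", {})["ip"] = str(ip)
        break
    return out

def find_by_source_ip(docs: List[Dict[str, Any]], ip: str) -> List[Dict[str, Any]]:
    """The single query on the slide, source.ip: <ip>, applied after normalization."""
    return [d for d in (to_ecs(doc) for doc in docs) if get_path(d, "source.ip") == ip]

# Constructed sample events: one per alias on the slide, one from another host,
# and one with a malformed address.
SAMPLE_EVENTS = [
    {"src": "10.42.42.42", "msg": "firewall allow"},
    {"client_ip": "10.42.42.42", "path": "/login"},
    {"apache2": {"access": {"remote_ip": "10.42.42.42"}}, "status": 200},
    {"context": {"user": {"ip": "10.42.42.42"}}, "action": "login"},
    {"src_ip": "10.42.42.42", "proto": "tcp"},
    {"src": "10.0.0.7", "msg": "unrelated host"},
    {"src_ip": "not-an-ip", "proto": "udp"},
]

if __name__ == "__main__":
    hits = find_by_source_ip(SAMPLE_EVENTS, "10.42.42.42")
    print(f"{len(hits)} of {len(SAMPLE_EVENTS)} events match source.ip: 10.42.42.42")
```

Without the normalization step, the same coverage would need the five-clause OR query shown on the slide, and any new source with yet another field name would be silently missed.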

What to look for?
ATT&CK is a MITRE-developed, globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and for verifying that defenses work as expected.
https://attack.mitre.org/wiki/Introduction_and_Overview

- Machine learning for known unknowns
- Correlation for known knowns
- Threat hunting for unknown unknowns

Elastic SIEM

Detect, Hunt and MITRE

Combining Two Detection Strategies!

Elastic Endpoint Security

Endpoint integration massively boosts value
Prevention: IT is about data, computing, and networks. Prevention starts with Elastic Endpoint, blocking adversary attacks.
Detection: When prevention is not enough, detection is critical. Detection starts on the endpoint and gains enterprise context in Elastic SIEM.
Response: Detection is made actionable with response. Tight integration between Elastic Endpoint and SIEM speeds remediation.
Elastic Security Solution - integrated endpoint security and SIEM:
- Elastic Endpoint collects, detects, prevents (machine learning, automation, MITRE ATT&CK)
- Elastic SIEM detects with enterprise context and responds (machine learning, automation, MITRE ATT&CK)
- Together they provide optimal protection against cyber threats

Elastic Endpoint
Elastic Endpoint Security uses a client (sensor) & server (management console) architecture.
The sensor provides real-time behavioral protection, blocking 99%+ of attacks, including:
- File-based malware
- Fileless attacks
- Exploits
- Credential manipulation
- Ransomware
Enrichment and event tracing: the sensor collects & enriches runtime data for deep and hardened visibility into endpoint activity, which allows historical search of both alert and telemetry data.
Response and remediation: provides automated contextualization of attacks in an interactive visualization, a simple and powerful interface to your endpoint data, and powerful remediation actions that include:
- Host isolation
- Process termination
- Live thread suspension
- Remote execution
- Collection and removal

Today’s Setup

- Windows Server 2019 (Amazon base AMI) + Sysmon, enriched with Olaf Hartong's Sysmon configuration (thank you!)
- Winlogbeat (Sysmon module) and Packetbeat, shipping to Elastic Cloud

Let’s Dive In

Phishing email

Malware content

https://training.elastic.co/learn-from-home

https://ela.st/slack #siem #endpoint-security