Discover how eDreams uses the Elastic Stack to gain insight into its users, and how it is rolling out Elastic SIEM and machine learning to streamline security monitoring.
Early lessons learned
• Security trends focus on knowing the “enemy”, but you need to know yourself first.
• In e-commerce, the most important thing is trust and ease of use while buying.
• The biggest threat is that something could affect the customer experience and he/she doesn’t buy.
Have we done our homework?
• In the case of eDreams:
  • How are customers interacting with our e-commerce platform?
  • How do they buy?
  • What is a “normal” customer behaviour?
  • Which are the main endpoints?
  • Where are the critical APIs?
  • How do the different flows work?
• In order to protect our site, we need to know what to protect.
• And it is not about TECHNOLOGY! It is about covering the BASICS!
Looking for the right tripmate
• What tool could help us “discover” our site and be flexible enough for both short-term and long-term needs?
• Elastic was already used by the DevOps team, so it was an easy choice:
  • Open and flexible
  • Unifies logging environments
  • Rapid deployment and ROI
  • Can add value in other fields (compliance, fraud)
  • Widespread knowledge
  • Interesting roadmap
  • Fits into the Agile mindset
Elastic as a solution that fits well
1st Phase: Gathering
• Log integration in three different environments:
  • E-commerce site on-prem
  • E-commerce site cloud-based (GCP)
  • Corporate IT (the usual suspects)
• Log identification (user behaviour, payment flow, IDS, VPN, SAML, SaaS, AD …)
• Wazuh for compliance (PCI-DSS)
• MISP integration
• Dashboards ready to use within minutes
• Helps us to know ourselves better
• Hypothesis checker
• Self-made indices and pre-processing
Elastic as a solution that fits well
Maturing & Improving Visibility
• Active monitoring of relevant assets
• TimeLion, Alert, SIEM, Geolocation, ASN
• Dashboards everywhere: business, technical and non-technical
• Support processes with other areas
• Discover correlations
• Free the information
Automating & Integrating
• SIEM… maturing
• Alarm
• Slack
• Testing ML
• Integration with the rest of the teams
Centralizing and new functionalities
• Moving to Cloud
• Cross-node queries
• More and more alerts
• More and more business cases
• Adding new Elastic Stack functionalities
Some Figures
• 3 clusters (15 nodes)
  • 2 x 6 nodes (3 Master + Data, 3 Data)
  • 3 nodes (3 Master + Data)
• ~250 GB per day and 25 M documents
• Elastic version 7.4 and Wazuh 3.10
• ~60 dashboards
• 3 ML jobs
• Cross-cluster queries
• Integration with MISP and GeoIP
Looking forward … to a unique bigger cluster (GCP)
Automation, the next frontier
• Identify the business case / need
• Do we have the source?
• How is it shown at the Elastic level?
• What are the normal / abnormal thresholds?
• Set up the alert, integrate with Slack, define the playbook, escalate to the team owner
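The automation steps above, worked through as an added example (not eDreams code): constructed ECS-shaped documents for the payment endpoint, a per-minute count of `payment-failed` events, a normal/abnormal threshold derived from the baseline buckets, and the Slack message that would go out with the playbook link. The field values, endpoint path and playbook URL are invented placeholders; posting the payload to a Slack webhook is left to the caller.

```python
from collections import Counter
from statistics import mean, pstdev


def make_docs():
    """Constructed ECS-style documents (ECS field names, invented values):
    five quiet minutes with 2-3 payment failures each, then a burst of 12."""
    docs = []
    for minute, failures in enumerate([2, 3, 2, 3, 2, 12]):
        for n in range(failures):
            docs.append({"@timestamp": f"2020-02-10T10:{minute:02d}:{n:02d}Z",
                         "event.action": "payment-failed",
                         "url.path": "/api/checkout/pay",      # placeholder endpoint
                         "source.ip": f"203.0.113.{n + 1}"})   # documentation range
    return docs


def counts_per_minute(docs, action="payment-failed", path="/api/checkout/pay"):
    """Per-minute count of docs matching the action on the critical endpoint,
    ordered by time (the question 'how is it shown at the Elastic level?')."""
    buckets = Counter()
    for d in docs:
        if d["event.action"] == action and d["url.path"] == path:
            buckets[d["@timestamp"][:16]] += 1     # truncate to YYYY-MM-DDTHH:MM
    return [buckets[k] for k in sorted(buckets)]


def check_threshold(series, sigmas=3.0, floor=5):
    """Compare the latest bucket with the baseline of all earlier buckets.
    Abnormal means above mean + sigmas*stdev AND above an absolute floor, so a
    nearly flat baseline cannot make a single extra failure fire the alert."""
    baseline, current = series[:-1], series[-1]
    threshold = max(mean(baseline) + sigmas * pstdev(baseline), floor)
    return current, threshold, current > threshold


def slack_payload(current, threshold, playbook_url):
    """Message body for a Slack incoming webhook, carrying the playbook link
    so the escalated team owner knows what to do next."""
    return {"text": (f":rotating_light: payment-failed spike on /api/checkout/pay: "
                     f"{current} in the last minute (threshold {threshold:.1f}). "
                     f"Playbook: {playbook_url}")}


def run(docs, playbook_url="https://wiki.example/playbooks/payment-failures"):
    """Full pipeline: returns the Slack payload when abnormal, else None."""
    current, threshold, fired = check_threshold(counts_per_minute(docs))
    return slack_payload(current, threshold, playbook_url) if fired else None
```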
Machine Learning, discovering the unknown
• Identify the business case / need
• When you need to find the hidden (WIP)
• Again, you know yourself and your customers.
• You expect things to go one known way.
• ML can help you detect things that deviate from the Happy Path.
Late Lessons Learnt
• Identify the business case / need
• Use ECS from the beginning.
• Minimize pre-parsing.
• Invest in other people’s time.
  • It will speed up your deployment.
• Keep in mind what you’re looking for.
  • That helps to identify relevant sources of information.
• Check hypotheses.
• Share the insights you create.
  • The info can be helpful for other teams.
• Test new capabilities of the Elastic Stack.
  • And challenge the old ones.