Elastic Security: Under the hood
Tudor Golubenco, Tech lead, Security
Forward-Looking Statements
This presentation and the accompanying oral presentation contain forward-looking statements, including statements concerning plans for future offerings; the expected strength, performance or benefits of our offerings; and our future operations and expected performance. These forward-looking statements are subject to the safe harbor provisions under the Private Securities Litigation Reform Act of 1995. Our expectations and beliefs in light of currently available information regarding these matters may not materialize. Actual outcomes and results may differ materially from those contemplated by these forward-looking statements due to uncertainties, risks, and changes in circumstances, including, but not limited to those related to: the impact of the COVID-19 pandemic on our business and our customers and partners; our ability to continue to deliver and improve our offerings and successfully develop new offerings, including security-related product offerings and SaaS offerings; customer acceptance and purchase of our existing offerings and new offerings, including the expansion and adoption of our SaaS offerings; our ability to realize value from investments in the business, including R&D investments; our ability to maintain and expand our user and customer base; our international expansion strategy; our ability to successfully execute our go-to-market strategy and expand in our existing markets and into new markets, and our ability to forecast customer retention and expansion; and general market, political, economic and business conditions.
Additional risks and uncertainties that could cause actual outcomes and results to differ materially are included in our filings with the Securities and Exchange Commission (the “SEC”), including our Annual Report on Form 10-K for the most recent fiscal year, our quarterly report on Form 10-Q for the most recent fiscal quarter, and any subsequent reports filed with the SEC. SEC filings are available on the Investor Relations section of Elastic’s website at ir.elastic.co and the SEC’s website at www.sec.gov.
Any features or functions of services or products referenced in this presentation, or in any presentations, press releases or public statements, which are not currently available or not currently available as a general availability release, may not be delivered on time or at all. The development, release, and timing of any features or functionality described for our products remains at our sole discretion. Customers who purchase our products and services should make the purchase decisions based upon services and product features and functions that are currently available.
All statements are made only as of the date of the presentation, and Elastic assumes no obligation to, and does not currently intend to, update any forward-looking statements or statements relating to features or functions of services or products, except as required by law.
10,000 foot view
As simple as it gets
[Diagram: Agent → Elasticsearch → Kibana]
10,000 foot view
As simple as it gets
[Diagram: Agent → Elasticsearch → Kibana, annotated as follows]
• Agent: collect and normalize data from hundreds of integrations
• Elasticsearch: storage, indexing, data life-cycle
• Kibana: detections, alerts, threat hunting, threat intel
Scaling out
Every component is horizontally scalable
[Diagram: multiple Agents → multiple Elasticsearch nodes → multiple Kibana instances]
Scaling to multiple clusters
Use different clusters for different use-cases or tenants
[Diagram: three Elasticsearch + Kibana pairs joined by Cross-Cluster Search]
See also: Using Elastic @ Elastic: InfoSec and Elastic Security
Zoom and enhance: Ingest
Zoom and Enhance: Ingest
One Agent! One Click!
[Diagram: Agent wrapping Metricbeat, Filebeat, Auditbeat and Endpoint; Download Service; Elasticsearch]
Zoom and Enhance: Ingest
Data normalization with ECS
[Diagram: Agent → Elasticsearch → Kibana, with data normalized as ECS]
• Elastic Common Schema (ECS): https://github.com/elastic/ecs
• Open source event schema
• Common host, user, source, destination, etc. fields across all our data sources
See also: The importance of normalizing your security data
Zoom and Enhance: Fleet
Configuration management for Agents
[Diagram: Agent enrolls with Kibana and receives config + API token; Agent writes append-only data to Elasticsearch; Kibana installs mapping templates in Elasticsearch]
See also: One agent, one click, and the future of data ingest with Elastic
Zoom and Enhance: Fleet
Configuration management for Agents
[Diagram: Kibana downloads a package from the Elastic Package Registry]
Package contents:
● dashboards
● mappings
● detection rules
● Agent config
Zoom and enhance: Detections
Zoom and Enhance: Detections
Detection engine rule types
See also: Advanced correlations for threat detection and more
Zoom and Enhance: Detections
Alerts (a.k.a. Signals)
Detection rule:
● wake up every 5m
● run a search
● for each match, create an alert
Alerts are written to .siem-signals-<space-id>-0001
● space-id makes Alerts space specific for multi-tenancy
● rotated by ILM
[Diagram: each alert document holds an alert id, the rule that fired, and the original event]
Zoom and Enhance: Detections
Query rule configuration
[Diagram: timeline in minutes (0, 5, 10, 15) showing rule executions, the interval, and the lookback time]
• query time = interval + lookback time
• Deduplication removes duplicates
• Using event.ingested makes this less prone to delayed ingestion
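To make the interval + lookback arithmetic, the deduplication, and the event.ingested point concrete, here is an added simulation of the rule schedule (not code from the deck or from Elastic). The Event fields, minute granularity, and the rule-id + event-id alert identifier are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    id: str
    timestamp: int  # minute the event happened on the host (@timestamp)
    ingested: int   # minute it became searchable in Elasticsearch (event.ingested)


def query_window(now, interval, lookback):
    """Window searched by one execution: query time = interval + lookback."""
    return now - (interval + lookback), now


def run_rule(events, runs, interval, lookback, time_field, rule_id="rule-1"):
    """Run the rule at each minute in `runs`; return (deduplicated alerts, raw match count).

    Assumed alert id: rule id + event id. An event matched again by the next
    execution's overlapping lookback window maps to the same id and is dropped,
    which is the deduplication the slide refers to."""
    alerts, raw_matches = {}, 0
    for now in runs:
        start, end = query_window(now, interval, lookback)
        for ev in events:
            if ev.ingested > now:  # not yet in the index when this search ran
                continue
            if start < getattr(ev, time_field) <= end:
                raw_matches += 1
                alerts.setdefault(f"{rule_id}:{ev.id}",
                                  {"rule": rule_id, "original": ev})
    return alerts, raw_matches


# Constructed sample: interval 5m, lookback 1m, executions at minutes 5, 10, 15.
SAMPLE_EVENTS = [
    Event("e1", timestamp=3, ingested=3),   # normal
    Event("e2", timestamp=7, ingested=7),   # normal
    Event("e3", timestamp=4, ingested=14),  # delayed 10m: lands after its window
    Event("e4", timestamp=5, ingested=5),   # falls inside two overlapping windows
]


def demo(time_field):
    alerts, raw = run_rule(SAMPLE_EVENTS, runs=[5, 10, 15], interval=5,
                           lookback=1, time_field=time_field)
    return sorted(a["original"].id for a in alerts.values()), raw


if __name__ == "__main__":
    # Filtering on @timestamp misses e3; filtering on event.ingested catches it.
    print("@timestamp     ->", demo("timestamp"))  # (['e1', 'e2', 'e4'], 4)
    print("event.ingested ->", demo("ingested"))   # (['e1', 'e2', 'e3', 'e4'], 5)
```

The raw match count of 4 versus 3 alerts shows e4 being matched by two overlapping executions and collapsed to one alert.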
Zoom and Enhance: Detections
Alerts can reference 1, multiple, or zero events
[Diagram: alerts in .siem-signals-<space-id>-0001 pointing at events 1 to 6 in filebeat-*]
Zoom and Enhance: Detections
Distributed tasks with the Alerting framework
[Diagram: the list of tasks to execute is stored in Elasticsearch; several Kibana instances poll for tasks]
Any Kibana instance can execute the task.
Zoom and Enhance: Detections
Machine Learning Rules
Machine Learning Job:
● runs on the Elasticsearch side
● continuously looks for anomalies in time series
Detection rule:
● wake up every 5m
● check for anomalies
● create an Alert for every anomaly
See also: Machine learning and the Elastic Stack: Everywhere you need it
Mark Shaw, Security Lead at ASB Bank, NZ