Elastic Security combines the expertise of the makers of Elasticsearch with that of security domain experts to bring enterprise-grade SIEM and response to all users. With Elastic Security and the Elastic Agent, users can search, see, and stop threats, adding the critical "act" step to the OODA loop. Learn how to take control of your environment and see what Elastic Security has in store next.
Elastic Security: Your one-stop OODA loop shop
1. Elastic Security - Your one-stop OODA Loop shop
Mike Nichols
Product Lead, Security
2. OODA Loop
● A set of interacting and repeating loops
● Developed by Colonel John Boyd
● "Agility can overcome raw power in dealing with human opponents"
[Diagram: the Observe, Orient, Decide, Act loop]
3. Observe and Orient
● SIEMs allowed central collection of information to empower analysts to Orient
● Challenged to operate in "analyst time", fast enough to react to the attack
[Diagram: the OODA loop with SIEM at Observe and Intelligence and Analytics at Orient]
4. Decide
● SIEMs became alert silos
● Security Analytics, UEBA, and other detection technologies helped pull signals from the noise
[Diagram: the OODA loop with SIEM at Observe, Intelligence and Analytics at Orient, and Security Analytics at Decide]
5. Act
● SIEMs are passive
● To respond to threats, users integrated into response products like SOAR
● The evolution of EDR to XDR promises to bring host remediation into the same workflow
[Diagram: the OODA loop with SIEM at Observe, Intelligence and Analytics at Orient, Security Analytics at Decide, and Response Integration at Act]
6. Loop Again
● Context gathering and decision-making need to be operationalized
● Lessons learned need to be fed back into the next loop
● Threat intelligence, rule editing and exceptions, and case management helped this process
7. The State of Security — It's a data problem
People, Process, Technology
● 200 MITRE techniques: every event is relevant to security when attackers masquerade as insiders
● 3.5M unfilled analyst jobs: unfilled security analyst positions by 2021
● Exponential data growth (and silos): sources of data are increasing massively yet still segregated into silos (e.g., cloud infra and apps)
8. Users need a single place to close the loops from any data source… We need to destroy the silos
[Diagram: the Observe, Orient, Decide, Act loop]
11. Observe, Orient and Decide, Act (architecture diagram)
Data sources: P/I/SaaS, User, Network Activity, Endpoint, Server, Wire & Flow Data, Code Repository, Connected Devices & Physical Security
Collection and Prevention: Elastic Agent
Normalization
Detect, Search, Analyze, and Investigate — Fast and at Scale
Response: SOAR, SIRP, ITSM, Custom
Reporting: Lens + Canvas
Elastic Agent: The Foundation of Modern Security, Observability, and more
12. Elastic Agent (included)
● 50% of MITRE techniques require endpoint data visibility
● $20B cost of damage of ransomware in 2021
A new use case is a click away
● Centrally manage your Agents in Fleet: scale and manage your fleet of Agents from a simple UI
● Hundreds of OOTB integrations: from security to observability, one-click integration into your ecosystem: https://www.elastic.co/integrations
● Business-class prevention included: proven, signatureless malware prevention provided for free; layered behavioral ransomware protection to stop tomorrow's attacks
14. OBSERVE with continuous (everything) monitoring
● Elastic Agent is included: why choose between SIEM, XDR, security analytics...
● Collect AND analyze all your data, over all time: don't just store, operationalize
● Built for tomorrow's network: bring your search to the data
16. ORIENT with Intelligence and Analytics
● Destroy data silos: all data in one place for simple pivots and full context
● Drag and drop visuals and investigations: easily assess relevance & entity relations
● Intelligence over all time: enrich alerts & events with threat landscape context and applicability to internal operations
17. DECIDE (and prevent) to minimize impact
● Cross-OS malware prevention: Windows, macOS, and Linux malware prevention included
● Stop tomorrow's ransomware: behavior-based file system protection and MBR security
● Hundreds of OOTB protections mapped to MITRE ATT&CK: built to find the unknown, focused on behaviors and machine learning anomalies
https://car.mitre.org/coverage/
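Slides 6, 11 and 17 describe one pipeline in the abstract: events from separate silos are normalized onto a common schema, behavior-based protections mapped to MITRE ATT&CK run over them, and analysts tune those rules with exceptions. The Python below is an added illustration of that pipeline and is not Elastic Security's own code. The flat keys (event.action, process.name, file.path, host.name) are Elastic Common Schema field names and the ATT&CK mapping (TA0040 Impact, T1486 Data Encrypted for Impact) is real; the two raw event formats, the process names, the threshold and the window are all constructed for the example.

```python
"""Behaviour-based detection over events normalized onto ECS-style keys.
Added example, not Elastic Security's own code. event.action, process.name,
file.path and host.name are ECS field names; the raw event shapes, process
names, threshold and window below are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def normalize_endpoint(raw):
    """Map a constructed endpoint-sensor record onto flat ECS-style keys."""
    return {
        "@timestamp": datetime.fromisoformat(raw["ts"].replace("Z", "+00:00")),
        "event.category": "file",
        "event.action": raw["op"],
        "host.name": raw["host"],
        "process.name": raw["proc"],
        "file.path": raw["newpath"],
        "file.extension": raw["newpath"].rsplit(".", 1)[-1].lower(),
    }


def normalize_fileserver(raw):
    """Map a constructed file-server audit record onto the same keys."""
    return {
        "@timestamp": datetime.fromisoformat(raw["time"]),
        "event.category": "file",
        "event.action": raw["type"].lower(),   # "RENAME" -> "rename"
        "host.name": raw["server"],
        "process.name": raw["image"],
        "file.path": raw["target"],
        "file.extension": raw["target"].rsplit(".", 1)[-1].lower(),
    }


# A behaviour (mass rename to one new extension), not a signature, with its
# ATT&CK mapping and an exception list the analyst maintains.
RULE = {
    "name": "Rapid renames of many files to one new extension",
    "threshold": 5,                   # distinct files per host+process+extension
    "window": timedelta(seconds=60),  # sliding window over event time
    "threat": {"framework": "MITRE ATT&CK",
               "tactic": {"id": "TA0040", "name": "Impact"},
               "technique": {"id": "T1486", "name": "Data Encrypted for Impact"}},
    "exceptions": {"backupd"},        # constructed name of a legitimate backup tool
}


def detect(events, rule=RULE):
    """Return one alert per (host, process, new extension) that trips the rule.

    Rename events are bucketed by host, process and target extension; a
    sliding window over their timestamps counts distinct files renamed.
    Excepted processes are dropped before counting.
    """
    alerts, windows, fired = [], defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["event.category"] != "file" or ev["event.action"] != "rename":
            continue
        if ev["process.name"] in rule["exceptions"]:
            continue
        key = (ev["host.name"], ev["process.name"], ev["file.extension"])
        q = windows[key]
        q.append(ev)
        while ev["@timestamp"] - q[0]["@timestamp"] > rule["window"]:
            q.popleft()
        if key not in fired and len({e["file.path"] for e in q}) >= rule["threshold"]:
            fired.add(key)
            alerts.append({"rule.name": rule["name"], "host.name": key[0],
                           "process.name": key[1], "file.extension": key[2],
                           "count": len(q),   # renames in the window when it fired
                           "threat": rule["threat"]})
    return alerts


# Constructed sample data from two silos: an endpoint sensor and a file server.
def _ep(i, sec, proc="wscript.exe"):
    return {"ts": f"2021-06-01T10:00:{sec:02d}Z", "proc": proc, "host": "ws01",
            "op": "rename", "newpath": f"C:\\Users\\a\\doc{i}.docx.locked"}


ENDPOINT_RAW = [_ep(i, i * 5) for i in range(6)]                    # 6 renames in 25 s
ENDPOINT_RAW += [_ep(i, 40, proc="explorer.exe") for i in range(2)]  # benign, under threshold
FILESERVER_RAW = [{"time": f"2021-06-01T10:05:{i * 2:02d}+00:00", "type": "RENAME",
                   "server": "fs01", "image": "backupd",
                   "target": f"/srv/share/report{i}.xlsx.bak"} for i in range(6)]


def run_demo(rule=RULE):
    """Normalize both feeds into one stream and run the rule over it."""
    events = [normalize_endpoint(r) for r in ENDPOINT_RAW]
    events += [normalize_fileserver(r) for r in FILESERVER_RAW]
    return detect(events, rule)
```

Calling run_demo() yields a single alert for wscript.exe on ws01 carrying the T1486 mapping; the backup tool's six renames on fs01 are silenced by the exception, and explorer.exe stays under the threshold. Because the exception is applied before any counting, an exception on a bare process name blinds the rule to that process everywhere, which is why in practice exceptions should be scoped as narrowly as the data allows (host plus process, or a signed binary path) rather than by name alone.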
19. ACT with hunting and incident response
● Attack Storyboard: analyst-optimized, context-aware workspace to pivot across all data in real time
● Included case collaboration: work with team members and integrate into SOAR, SIRP, and ITSM tools
● Built-in containment with Agent: first-party response actions to stop attacks before damage and loss
22. Observe, Orient and Decide, Act (the architecture diagram from slide 11, repeated)
23. Try free on Cloud: ela.st/security-trial
Take a quick spin: demo.elastic.co
Connect on Slack: ela.st/slack
Join the Elastic Security community