Elastic{ON} Tour 2020
Empower security practitioners with the Elastic Stack
Empower your analysts
Why Elastic for security analytics?
Speed Scale Relevance
Security Analytics Customers
Elastic Common Schema (ECS)
Normalize data to streamline analysis
• Defines a common set of fields and objects to ingest data into Elasticsearch
• Enables cross-source analysis of diverse data
• Designed to be extensible
• ECS is in GA and is being adopted throughout the Elastic Stack
• Contributions & feedback welcome at https://github.com/elastic/ecs
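The cross-source analysis ECS enables is easiest to see in code. The following is an added example, not code from the deck or from the ECS project: it maps two unrelated log sources (a constructed Linux sshd auth-log line and a constructed Zeek-style ssh.log record) onto the same ECS field names, then answers one question across both. The field names used (`@timestamp`, `event.category`, `event.outcome`, `source.ip`, `user.name`, `host.name`, `ecs.version`) are real ECS fields; the ECS version string, the syslog year and the `event.action` value are assumptions.

```python
"""Added example (not from the Elastic deck or the ECS project): normalize two
different log sources into a handful of ECS field names so that one query can
run across both. The sample log line and Zeek record below are constructed."""
import re
from datetime import datetime, timezone

ECS_VERSION = "1.4.0"  # assumption: any released ECS version string would do

# Constructed sample: a Linux sshd auth-log line, as Filebeat's system module reads it
AUTH_LINE = ("Jan 14 09:12:01 web01 sshd[2211]: Failed password for invalid user admin "
             "from 203.0.113.9 port 51022 ssh2")

# Constructed sample: a Zeek ssh.log record (Zeek's own field names)
ZEEK_SSH = {
    "ts": 1579000321.0,
    "id.orig_h": "203.0.113.9", "id.orig_p": 51022,
    "id.resp_h": "10.0.0.5", "id.resp_p": 22,
    "auth_success": False, "host": "sensor01",
}

AUTH_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>[\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def auth_log_to_ecs(line, year=2020):
    """Map a syslog sshd line onto ECS fields. Syslog omits the year, so it is assumed."""
    m = AUTH_RE.match(line)
    if not m:
        raise ValueError("unrecognised auth line")
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "@timestamp": ts.isoformat(),
        "ecs": {"version": ECS_VERSION},
        "event": {"module": "system", "dataset": "system.auth",
                  "category": "authentication", "action": "ssh_login",
                  "outcome": "failure" if m["outcome"] == "Failed" else "success"},
        "host": {"name": m["host"]},
        "user": {"name": m["user"]},
        "source": {"ip": m["ip"], "port": int(m["port"])},
    }


def zeek_ssh_to_ecs(rec):
    """Map a Zeek ssh.log record onto the same ECS fields as the auth log."""
    ts = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
    return {
        "@timestamp": ts.isoformat(),
        "ecs": {"version": ECS_VERSION},
        "event": {"module": "zeek", "dataset": "zeek.ssh",
                  "category": "authentication", "action": "ssh_login",
                  "outcome": "success" if rec["auth_success"] else "failure"},
        "host": {"name": rec["host"]},
        "source": {"ip": rec["id.orig_h"], "port": rec["id.orig_p"]},
        "destination": {"ip": rec["id.resp_h"], "port": rec["id.resp_p"]},
    }


def get(doc, path):
    """Dotted-path lookup into a nested ECS document, e.g. get(doc, 'source.ip')."""
    for part in path.split("."):
        doc = doc.get(part) if isinstance(doc, dict) else None
    return doc


def failed_auth_sources(docs):
    """Cross-source query: every source.ip seen in a failed authentication, no
    matter which shipper produced the event. This only works because both
    sources were normalized to the same ECS field names and values."""
    return sorted({get(d, "source.ip") for d in docs
                   if get(d, "event.category") == "authentication"
                   and get(d, "event.outcome") == "failure"})


if __name__ == "__main__":
    docs = [auth_log_to_ecs(AUTH_LINE), zeek_ssh_to_ecs(ZEEK_SSH)]
    print(failed_auth_sources(docs))  # ['203.0.113.9']
```

The point of the two mappers is the shared vocabulary: once `event.outcome` is always `success` or `failure` and the client address is always `source.ip`, a detection or a Kibana query written once runs over both the host-side and the network-side view of the same login attempt.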
Introducing Elastic SIEM
Elastic SIEM
A SIEM for Elastic Stack users everywhere
Elastic SIEM app
• Elastic Common Schema (ECS)
• Network & host data integrations
• Kibana: visualize your Elasticsearch data and navigate the Elastic Stack
• Elasticsearch: a distributed, RESTful search and analytics engine
• Beats: lightweight data shippers
• Logstash: a server-side data processing pipeline
• Elastic & community security content
Elastic SIEM app
Triage alerts, or hunt for threats
All at the speed of thought
Analyst-friendly experience for
investigating security alerts
• Time-ordered events
• Drag-and-drop filtering
• Multi-index search
• Annotations, comments
• Formatted event views
• Persistent forensic data storage
Curated integrations: Network data
Packetbeat
• Flows
• DNS
• Other protocols
Filebeat
• IDS/IPS/NMS modules: Zeek NMS, Suricata IDS, NetFlow
• Security device modules: Cisco ASA, FTD, Palo Alto Networks, Ubiquiti IPTables, CEF
• Kubernetes modules: CoreDNS, Envoy proxy
• Cloud modules: Google Cloud VPC flow logs, pubsub
Curated integrations: Host data
Auditbeat
• System module (Linux, macOS, Win.): packages, processes, logins, (new) sockets, users and groups
• Auditd module (Linux Kernel Audit info)
• File integrity monitoring (Linux, macOS, Win.)
Filebeat
• System logs (auth logs) (Linux)
• Santa (macOS)
Winlogbeat
• Windows event logs
• Sysmon
Ingest almost anything, from almost anywhere
SIEM Automated Detection
Machine learning and alerting
Anomaly detection
• Unsupervised algorithms
• Continuous (online) model
• Single & multiple time series
• Population outliers
• Forecasting
Correlation
• Alert on any Elasticsearch query
• Distributed execution
• Highly available
• Trigger notifications (e.g., email, Slack, PagerDuty, custom webhook)
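To make the "alert on any Elasticsearch query" model concrete, here is an added example that is not Elastic's Watcher or SIEM code: a scheduled threshold rule evaluated once over constructed ECS documents, the way a watch runs its query over a time window, buckets the hits, and fans each alert out to its actions. The query (failed authentications grouped by `source.ip`), the window, the threshold and the `webhook_action` stand-in for an email/Slack/PagerDuty/webhook action are all assumptions.

```python
"""Added example, not Elastic's Watcher or SIEM code: one evaluation of a
threshold rule over constructed ECS events, followed by notification fan-out.
Events use flat dotted keys, which Elasticsearch also accepts for ECS fields."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed events: a cluster of failed SSH logins from one address, one later
# success, and an unrelated single failure from a second address.
EVENTS = [
    {"@timestamp": "2020-01-14T09:12:01Z", "event.category": "authentication",
     "event.outcome": "failure", "source.ip": "203.0.113.9", "user.name": "admin"},
    {"@timestamp": "2020-01-14T09:12:07Z", "event.category": "authentication",
     "event.outcome": "failure", "source.ip": "203.0.113.9", "user.name": "root"},
    {"@timestamp": "2020-01-14T09:12:15Z", "event.category": "authentication",
     "event.outcome": "failure", "source.ip": "203.0.113.9", "user.name": "oracle"},
    {"@timestamp": "2020-01-14T09:12:40Z", "event.category": "authentication",
     "event.outcome": "failure", "source.ip": "203.0.113.9", "user.name": "admin"},
    {"@timestamp": "2020-01-14T09:13:02Z", "event.category": "authentication",
     "event.outcome": "success", "source.ip": "203.0.113.9", "user.name": "admin"},
    {"@timestamp": "2020-01-14T09:20:00Z", "event.category": "authentication",
     "event.outcome": "failure", "source.ip": "198.51.100.4", "user.name": "bob"},
]

# Assumed rule definition; the shape mirrors a watch (query + condition + actions)
RULE = {
    "name": "Repeated failed authentication from a single source",
    "query": {"event.category": "authentication", "event.outcome": "failure"},
    "group_by": "source.ip",
    "window_seconds": 300,
    "threshold": 3,
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def run_query(events, match, since, until):
    """Stand-in for a bool query of term filters plus a range on @timestamp."""
    return [e for e in events
            if all(e.get(k) == v for k, v in match.items())
            and since <= parse_ts(e["@timestamp"]) < until]


def evaluate_rule(events, rule, now):
    """One scheduled run: query the last window, bucket hits by the group-by
    field, and emit an alert for every bucket that meets the threshold."""
    since = now - timedelta(seconds=rule["window_seconds"])
    buckets = defaultdict(list)
    for hit in run_query(events, rule["query"], since, now):
        buckets[hit[rule["group_by"]]].append(hit)
    alerts = []
    for key, docs in sorted(buckets.items()):
        if len(docs) >= rule["threshold"]:
            alerts.append({
                "rule": rule["name"],
                rule["group_by"]: key,
                "hit_count": len(docs),
                "users_tried": sorted({d["user.name"] for d in docs}),
                "first_seen": min(d["@timestamp"] for d in docs),
                "last_seen": max(d["@timestamp"] for d in docs),
            })
    return alerts


def webhook_action(alert):
    """Assumed action: builds the JSON body a custom webhook would receive."""
    return {"channel": "webhook",
            "text": f"{alert['rule']}: {alert['hit_count']} hits "
                    f"from {alert['source.ip']} ({', '.join(alert['users_tried'])})"}


def dispatch(alerts, actions):
    """Fan each alert out to every configured action (email, Slack, webhook...)."""
    return [action(a) for a in alerts for action in actions]


if __name__ == "__main__":
    now = parse_ts("2020-01-14T09:15:00Z")
    for msg in dispatch(evaluate_rule(EVENTS, RULE, now), [webhook_action]):
        print(msg)
```

Two details carry over to a real deployment: the range bound is half-open (`since <= ts < now`) so that events on the boundary are counted in exactly one run, and the grouping happens before the threshold check, so a single chatty source cannot be hidden by quiet ones in the same window.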
Elastic SIEM and Anomaly Detection Integrated in 7.3
Elastic SIEM and Elastic Maps Integrated in 7.4
Even more for security analysts to love
Elastic SIEM Bottom-up Vision
Elastic SIEM Ecosystem
Community
• Cloud platforms & applications
• Network sources
• Host sources
• User activity sources
• SIEMs & centralized security data stores
• Security orchestration, automation, response
• Security incident response
• General ticket & case management
• Consulting
• Education & training
• Internal context
• External context
These are just some of our partners and community members. The presence of a vendor logo doesn’t imply a business relationship with Elastic.
Elastic Security Analytics Journey
Elastic Confidential Information - Roadmap information provided on this slide is an overview of overall direction and nothing is committed.
• Threat Intelligence Integration, User Analysis
• SIEM Detection Rules, More Data Sources
• Dedicated SIEM App, SOC Workflow
• Security Event Collection, Visualization, Dashboards
• Elastic Common Schema (ECS)
Mike Paquette
Elastic{ON} Tour 2020
Thank You
