Get full visibility and find hidden security issues

1
ElasticON Security
Thorben Jändling - Senior Solutions Architect (EMEA
in the Global Security Specialists Group at Elastic
Get Full Visibility

2
Thorben Jändling
Senior Solutions Architect
in the
Global Security Specialist Group
@ Elastic.co
Career as a Security Engineer for various national CSIRTs
https://www.linkedin.com/in/thorbenj/
thorbenj@elastic.co
eMail
@thorbenj on elasticstack.slack.com

Every person and every asset is
a target

5 1B 5
Data Domains
Practitioners analyze
endpoint, cloud,
network, application,
user, and more!
Events Per Day
Most organizations
average 1 billion
events per day
SOC Analysts
Security Operation
Centers vary in size,
but most have less
than 5 analysts
THE DATA DILEMMA

Solve the dilemma by answering 4 key questions
What data do I need to collect?
1
Now that I have it, how do I manage the data?
3
How do I make it actionable?
4
How do I get that data?
2

9
9
Elastic Solutions built on the Elastic Stack
• App Search
• Site Search
• Workplace Search
Enterprise Search
• Logs
• Metrics
• Service Monitoring
• Application Performance
Observability
• SIEM
• Endpoint Security
Security
Elastic Stack
Kibana
Beats Logstash
Elasticsearch
EPP

Development
Team
Ops: Log
Monitoring
Availability
Response Time
Uptime Tool
Ops: Infra
Monitoring
Web Logs
App Logs
Database Logs
Container Logs
Log Tool
Real User Mon.
Txn Perf Mon.
Dist. Tracing
APM Tool
Ops: Service
Monitoring
Container Metrics
Host Metrics
Database Metics
Network Metrics
Storage Metrics
Metrics Tool
Business KPIs
Business Tool
Business
Team
Typical observability stack

Dev, Ops, Sec and Business Teams
Elastic approach to observability
APM Data Uptime Data
Metrics Data
Log Data Business Data
All your operational data in a single powerful datastore — Elasticsearch
Kibana
Elasticsearch

What data do I need
to collect?
• MITRE ATT&CK™ provides the
data sources required to detect
250 adversary techniques
• There are 50 unique data
sources
• Examples include, “Process
Monitoring”, “DNS Records”,
“Authentication Logs”, and more!

Data Source Integrations
Easily normalise and ingest your data
https://www.elastic.co/integrations

Endpoint Security with Elastic Agent
Unified agent for logs, metrics, security and more
BEFORE five+ agents
on every host
Filebeat for logs
Metricbeat for metrics
Winlogbeat for Windows events
plus sysmon
Heartbeat for uptime
APM agent for app traces
NOW one agent
on every host
Elastic Agent for logs, metrics,
and security; including:
Endpoint Security for EPP
and kernel level event collection
(no sysmon needed)

Elastic Agent
• Centrally manage
all data collection
and endpoint
protection

Elastic Agent
• Single click
integration
of data sources

Elastic Agent
• Customizable
configurations
for complete
control and
configurability.

Elastic Agent
• Endpoint Security
to protect your
endpoints and
collect security
events.

Elastic Security
• A single application
for data analysis
across all data
domains and
sources

Elastic Security
• Flexible storage tiers

Elastic Security
• Configurable data
lifecycle management

Elastic Security
• No penalties
for adding data
sources, endpoints
or ingesting data
Elastic Stack

Elastic Security
• Elastic
Common
Schema

Elastic Common Schema (ECS)
How data is normalized inside Elastic
Deﬁnes a common set of ﬁelds and
objects to ingest data into
Elasticsearch
Enables cross-source analysis of
diverse data
Designed to be extensible
ECS is adopted throughout the
Elastic Stack
Contributions & feedback welcome
at https://github.com/elastic/ecs
Searching without ECS
src:10.42.42.42
OR client_ip:10.42.42.42
OR apache2.access.remote_ip:
10.42.42.42
OR context.user.ip:10.42.42.42
OR src_ip:10.42.42.42
Searching with ECS
source.ip:10.42.42.42

Threat Hunting
• Proactively Search
for threats

Threat Hunting
• Customisable
timeline templates
to empower even
the most junior
analysts.

Threat Hunting
• Document your
investigation with
integrated case
management

Automated
Detection
• Speed and scale
of Elasticsearch to
detect known and
unknown threats

Automated
Detection
• Easily automate
threat detection
using
Search Queries,
Machine Learning,
Thresholds,
EQL Correlation and
(threat) Indicator
Matching!

Automated
Detection
• 450 built-in
detections;
built in the open
by our Protections
team together with
our community

Threat Prevention
• Kernel Level data
collection enables
deep visibility

Threat Prevention
• Protect your
Windows, macOS,
and Linux hosts.

Threat Prevention
• Prevent malware
without signatures
using modern ML
technologies &
behaviour analytics

Data Dilemma Solved by Elastic Security
Common framework for data collection
1
Configurable data management with an open standard for
analysis
3
Actionable Data - Threat Hunting, Automated Detection, Threat
Prevention
4
Single agent for data collection and endpoint protection
2

Try free on Cloud:
ela.st/security-trial
Take a quick spin:
demo.elastic.co
Connect on Slack:
ela.st/slack
Join the Elastic Security community

Thank You
Search. Observe. Protect.
Safe Harbor Statement
This presentation includes forward-looking statements that are subject to
risks and uncertainties. Actual results may differ materially as a result of
various risk factors included in the reports on the Forms 10K, 10Q, and
8K, and in other filings we make with the SEC from time to time. Elastic
undertakes no obligation to update any of these forward-looking
statements.

Thank You
Search. Observe. Protect.

44
Closing slide
This presentation includes forward-looking
statements that are subject to risks and
uncertainties. Actual results may diﬀer materially
as a result of various risk factors included in the
reports on the Forms 10-K, 10-Q, and 8-K, and in
other ﬁlings we make with the SEC from time to
time. Elastic undertakes no obligation to update
any of these forward-looking statements.

Elastic Security
• A single application for data
analysis across all data domains
and sources
• Configurable data lifecycle
management
• Elastic Common Schema
• No penalties for adding data
sources, endpoints or ingesting
data
• Flexible Storage Tiers

Bullet title (Inter 24 pt)
• Try to keep your use of bullet slides to a minimum
• Be creative and think visually
• If you need to source something copy and paste the text box at the
bottom left onto your page
Subtitle sentence case (Inter 18pt)

Bullet slide title treatment can be up to two lines in
length (Inter bold 24 pt)
• Bullets are sentence case (Inter 18pt)
– Second-line bullets are Inter 14pt
• Third-line bullets are Inter 12pt
• Limit the number of bullets on a slide
• Text highlights are orange, but not underlined
• Try not to go below the recommended font sizes

‒ Second-line bullets are Inter 14pt
‒ Third-line bullets are Inter 12pt

Place a quote from someone
really, really important and it will
shrink to fit this space…
Author Name Here

Author Name Here
Place a quote from someone
really, really important and it will
shrink to fit this space…

Chart Slide With Multiple Colors
Sub-title or chart title here in sentence case

Pie Chart Slide With Multiple Colors
62%
Supporting text
goes here under
the number
62%
Supporting text
goes here under
the number

Pie Chart Slide With Multiple Colors

Transition Slide Title Goes
Here and Can Be a Few
Lines Long
Subtitle goes here in sentence
case

Transition Slide Title
Short and Sweet

1M 1M 1M
HEADER HERE
Supporting text
goes here under
the number
HEADER HERE
Supporting text
goes here under
the number
HEADER HERE
Supporting text
goes here under
the number
Big Number Treatment

1M 1M 1M
HEADER HERE
Supporting text
goes here under
the number
HEADER HERE
Supporting text
goes here under
the number
HEADER HERE
Supporting text
goes here under
the number
Big Number Treatment (Dark Mode)

Table Layout Treatment
Subtitle text placeholder sentence case
HEADER HEADER HEADER HEADER
Information Information Information Information
Option 1

Option 2

Option 3

Option 4

Please use this area
for content, screen
shot, or quote; the
next few slide show
examples

We mine and analyze
4 billion events every
day to detect security
hacks and threats.

73
With organic logging growing 50%
year over year, and monitoring
infrastructure spend at nearly 10%,
one rogue log can ruin the platform.
The checks and balances necessary
to make sure we don’t hit that
roadblock are built with the Elastic
Stack and Beats.
TEXT GOES HERE IN ALL CAPS
Additional text goes here to support the content and can
be a couple lines in length and sits bottom left aligned

74
With organic logging growing 50%
year over year, and monitoring
infrastructure spend at nearly 10%,
one rogue log can ruin the
platform. The checks and balances
necessary to make sure we don’t
hit that roadblock are built with the
Elastic Stack and Beats.
TEXT GOES HERE IN ALL CAPS
Additional text goes here to support the content and can
be a couple lines in length and sits bottom left aligned

”
The Elastic Stack is critical to us. Every day
millions of users and customers worldwide
trust Box to execute mission-critical
business functions.
“

Some text can go here
Some text can go here

You can use
this area for a
text treatment
that supports
your chosen
imagery

Slide Title Here With
a Few Bullets
Subtitle goes here
• Bullet one goes here in
sentence case and no period
• Bullets should be kept short
and sweet; stay focused
• Use bullets to help break up
content that you need to
have on the screen

Slide Title Here With
a Few Bullets
Subtitle goes here
● Bullet one goes here in
sentence case and no
period
● Bullets should be kept short
and sweet; stay focused
● Use bullets to help break up
content that you need to
have on the screen

Slide Title Here
With Key Points
Subtitle goes here
Header Here
Body copy goes here and just increase the
indent level to get to the proper formatting
Header Here
Header Here
Header Here
LOGGING METRICS APM
ADVANCED
SEARCH
SECURITY
ANALYTICS
DATA
SCIENCE
FOUNDATION
SPECIALIZATIONS

Slide Title Here
With Key Points
Subtitle goes here
Header Here
Header Here
Header Here
Header Here

Image Treatment With Caption Layout
How to add your own photos and crop properly…
Your image will populate the
container but you will likely need
to adjust the crop. Double click
on the image to adjust. Use the
blue dots to adjust the size.
Click on the grayed out portion
of the image and drag to the
left or right until you are happy
with the crop.
1 2 3
Right click on the image and go
to replace image. Select a new
image from your machine.

Agenda Slide
Use color to highlight
Enter title for section one here and use sentence case
1
Enter title for section three here and use sentence case
3
Enter title for section four here and use sentence case
4
Enter title for section five here and use sentence case
5
Enter title for section two here and use sentence case
2
Option 1A
NOTE THIS SLIDE IS NOT IN THE LAYOUT OPTIONS.
ALWAYS START A NEW PRESENTATION USING THE
CORPORATE TEMPLATE AND ADD YOUR CONTENT
TO THIS SLIDE.

Bullet slide title treatment can be up to two lines in length (Inter bold 24 pt)
○ Second-line bullets are Inter 14pt
■ Third-line bullets are Inter 12pt
Agenda Slide
1
2
Option 1B
TO THIS SLIDE.
3
4
5

Agenda Slide
1
2
3
4
5
Option 2
TO THIS SLIDE.

Agenda Slide
1
2
3
4
5
Option 3
TO THIS SLIDE.

Agenda Slide
1
2
3
4
5
Option 4
TO THIS SLIDE.

Process Diagram Treatment, 5 Ideas
See style page for more color options
1 2 3 4 5
Supporting text
goes here under
the number
Supporting text
goes here under
the number
Supporting text
goes here under
the number
Supporting text
goes here under
the number
Supporting text
goes here under
the number

Process Diagram Treatment, 5 Ideas + Highlight
1 2 3 4 5
Supporting text
goes here under
the number
Supporting text
goes here under
the number
Supporting text
goes here under
the number
Supporting text
goes here under
the number
Supporting text
goes here under
the number

Supporting text
goes here under
the number
1 2 3 4
Supporting text
goes here under
the number
Supporting text
goes here under
the number
Supporting text
goes here under
the number

Supporting text
goes here under
the number
1 2 3
Supporting text
goes here under
the number
Supporting text
goes here under
the number

1 2 3 4
Supporting text
goes here under
the number
Supporting text
goes here under
the number
Supporting text
goes here under
the number
Supporting text
goes here under
the number
5
Supporting text
goes here under
the number

Process Diagram Treatment, 5 Ideas + Highlight
Supporting text
goes here under
the number
Supporting text
goes here under
the number
Supporting text
goes here under
the number
Supporting text
goes here under
the number
Supporting text
goes here under
the number
1 2 3 4 5

1 2 3 4
Supporting text
goes here under
the number
Supporting text
goes here under
the number
Supporting text
goes here under
the number
Supporting text
goes here under
the number

1 2 3
Supporting text
goes here under
the number
Supporting text
goes here under
the number
Supporting text
goes here under
the number

Title Here Title Here Title Here
• One bullet here
• Two bullet here
• Three bullet here
• One bullet here
• Two bullet here
• One bullet here
• Two bullet here
Box With Bullet Treatment

• One bullet here
• Two bullet here
• One bullet here
• Two bullet here
• One bullet here
• Two bullet here
Box With Bullet Treatment with Color Choice

• One bullet here
• Two bullet here
Title Here
• One bullet here
• Two bullet here
Title Here
• One bullet here
• Two bullet here
Title Here
Box Bullet Treatment

• One bullet here
• Two bullet here
• One bullet here
• Two bullet here
• One bullet here
• Two bullet here
Box Bullet Treatment with Color Scheme

Screenshot Treatment With Browser Window
How to drop in your screen shot…
The browser window is like a
frame so anything you drop
behind it will show through.
Drop in your screen shot, go
to the format menu and crop
it to show only what you
want.
2
Last, be sure to right click on
your screen shot, go to order
and send to back.
3
1

Screenshot Treatment With Title and Browser Window

NOTE USE THIS LAYOUT
FOR PLACING ONE FULL
BLEED SCREENSHOT

Use This Slide for Code, Light Version
Use template colors to highlight
curl –XPUT localhost:9200/
_template/twitter –d ‘
{
“template” : “twitter_*”,
“setting” : {
“number_of_shards” : 4,
“number_of_replicas” : 1
}
}’

Use This Slide for Code, Dark Version
Use template colors to highlight
curl –XPUT localhost:9200/
_template/twitter –d ‘
{
“template” : “twitter_*”,
“setting” : {
“number_of_shards” : 4,
“number_of_replicas” : 1
}
}’

Color Palette
254
197
20
47
67
145
250
115
79
240
78
152
151
156
171
67
71
83
0
119
204
0
191
179
PRIMARY

Styles and Treatments
SHAPES
LOGOS
Please use logos according
to brand guidelines. These
logos can be sized up and
down without losing quality.
Please press shift before
sizing to keep proper
proportions.
Various template colors can
be used for shapes. Shapes
should have a 3pt line stroke.

Video or Large Image Treatment
Sub header goes here

3 solutions
Elastic Enterprise Search Elastic Security
Elastic Observability

Elastic Enterprise Search
Workplace Search App Search Site Search

Logs Metrics APM Uptime

Endpoint SIEM
Elastic Security

3 solutions powered by 1 stack
Kibana
Elasticsearch
Beats Logstash
Elastic Stack

The Elastic Stack
Reliably and securely take data from
any source, in any format, then search,
analyze, and visualize it in real time.

Deploy anywhere.
SaaS Orchestration
Elastic Cloud
on Kubernetes
Elastic Cloud Elastic Cloud
Enterprise
Kibana
Elasticsearch
Beats Logstash
Powered by
the stack
3 solutions
Deployed
anywhere

Deploy anywhere.
SaaS Orchestration
Elastic Cloud Elastic Cloud on
Kubernetes
Elastic Cloud
Enterprise

Subscription Options
ELASTIC CLOUD
FREE PAID
Open Source
Features
Free Proprietary
Features
Paid Proprietary Features
+
Elastic Support
PAID
OPEN SOURCE BASIC GOLD PLATINUM ENTERPRISE
SELFMANAGED
SaaS

Resource-based Pricing
Endpoint Security
No endpoint-based pricing
SIEM
No seat/ingest-based pricing
APM
No agent-based pricing
Metrics
No host-based pricing
Logs
No ingest-based pricing
App Search
No docs-based pricing
Site Search
No query-based pricing
Workplace Search
No user-based pricing

31 Solution Logos
ENTERPRISE
SEARCH
OBSERVABILITY SECURITY
Elastic Logo + Tagline
FULL COLOR
REVERSE

Product Logos
ELASTIC CLOUD
ON KUBERNETES
ECK
KIBANA LOGSTASH
ELASTICSEARCH
BEATS ELASTIC CLOUD
ELASTIC
CLOUD
ENTERPRISE

Product Logos
APM
APP SEARCH
WORKPLACE
SEARCH
METRICS SIEM
LOGS
SITE SEARCH ENDPOINT

Iconography Usage
Product Feature Icons
Do not use these icons for
anything other than what
they are created for.
Product Feature Icons are created
to correlate with a specific feature
within the product and are not
flexible in use. Please see labels as
a guide.
Generic Icons
These icons are made to fit across
multiple concepts within reason.
See labels as a general guide.
Please use discretion.
Training Icons
Do not use these icons for
anything other than what
they are created for.
Training Icons are created to
correlate with a specific feature
within the training relm and are not
flexible in use. Please see labels as
a guide.

Feature Icons
winlogbeat heartbeat packetbeat metricbeat functionbeat filebeat auditbeat index patterns Index
management
Life cycle
management
create single job create advanced
job
create multi
metric job
create population
job
machine
learning
advanced
settings
apm sql visualize dashboards
canvas upgrade assistant management security analytics add data search
profiler
users and
roles
saved objects reporting security settings
grok debugger language clients infra console discover dev tools watcher rollups cross cluster
replication
data visualizer
metrics monitoring notebook logging spaces logstash pipeline gis application timelion graph --

Training Icons
apm metrics Security analytics logging
specialization
Engineering 1 Engineering 2 certification Advanced search Data science
subscription on-demand Instructor led
stack

Generic Icons
training support subscription
customers
structured schema schemaless rapid query
execution
sql No sql Horizontal scale
flexible data
model
downloads custom consulting community community
members
Sophisticated query
language
node idea chart
news user reliable extensible upgrade IoT plugin scale real-time high-five
location distributed visibility plan E commerce family vacation presentation education guide book
benefits certificate video contribution target Health monitor overlap conversation speaker government

Generic Icons
To do Source code Color outside
of the lines
blog Send
message
docs mobile browser Love
letter
connection

Generic Icons
training support subscription
customers
structured schema schemaless rapid query
execution
sql No sql Horizontal scale
flexible data
model
downloads custom consulting community community
members
Sophisticated query
language
node idea Light bulb
news user reliable extensible upgrade IoT plugin scale real-time high-five
location distributed visibility plan E commerce family vacation presentation education guide book
benefits certificate video contribution target Health monitor overlap conversation speaker government

Get full visibility and find hidden security issues

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Get full visibility and find hidden security issues

Similar to Get full visibility and find hidden security issues (20)

More from Elasticsearch

More from Elasticsearch (20)

Recently uploaded

Recently uploaded (20)

Get full visibility and find hidden security issues