Building your first SIEM

with the Elastic Stack

Who is this for?

• Security Analysts
• SOC Engineers
• Blue-team beginners
• One-man security teams
• Anyone with an interest in
  SIEM architecture

Overview

• What is a SIEM?
• Designing a SIEM
• Software Overview
• Building a Dashboard
• Getting Alerts
• Expanding your SIEM

What is a SIEM?

• Security Information and Event Manager
• Combination of SEM and SIM
• A tool to help security teams identify and detect threats and vulnerabilities

What is a SIEM not?

• A replacement for security controls
• Just central logging
• A tool to understand your threats and vulnerabilities for you

Terminology

Forwarders, Agents, Sources, Sensors:

• Generate log events to be processed

Enrichment, Normalization, Parsing:

• The process of making log events readable and usable

Collectors, Ingesters, Aggregators:

• Receive log events to be enriched or indexed

Indexers, Storage Nodes, Search Nodes:

• Store events in a way that they can be searched and acted upon

SIEM Examples

Beats

Logstash

Elasticsearch

Kibana

(Agents)

(Enrichment)

(Indexing)

(Visualization)

The Elastic Stack:

Free and Open Source Software 

Zeek

ElastAlert

(Network Monitor)

(Alerting)

Great Additions:

Free and Open Source Software 

Advantages:

• Free and Open Source
• Scales vertically and horizontally
• Backends for many open-source SIEM projects
• Compatible with most proprietary SIEM components
• Easy to expand and add functionality

Disadvantages

• Requires more time and understanding to get started
• Difficult to update
• Free software has limited (read no) enterprise support
• Harder to use than some of the other solutions
• Threat detection definitions are mostly handmade

Elastic-Stack-Based SIEMS

A Holistic SIEM Outline

Network Logger

Workstation

Workstation

Workstation

Storage / DB

Dashboards
Searching
Reporting
 

Zeek

ElastAlert

(Network Monitor)

(Alerting)

Architecture:

Beats

Logstash

Elasticsearch

Kibana

(Agents)

(Indexing)

(Visualization)

Let's Build It!

https://asciinema.org/a/0UfptVlhWSEKyYB68rEH1AIaG

Configure Elastalert

https://asciinema.org/a/I6mL9FsSmCLakXvi7h8WK5NiU

Next Steps:

• Enable Access Control in Elasticsearch
• Implement data retention policies (Index Lifetime Management)
• Understand and enrich your data
• Minimize data blind-spots
• Refine and enhance your alerts
• Shave down false positives

Further Reading

• https://www.elastic.co/guide/en/elasticsearch/reference/current/scalability.html
• https://www.elastic.co/guide/en/kibana/current/using-kibana-with-security.html
• https://blog.zeek.org/2018/10/renaming-bro-project_11.html
• https://github.com/HASecuritySolutions/Logstash
• https://alexmarquardt.com/2019/06/15/improving-the-performance-of-logstash-persistent-queues/
• https://github.com/elastic/curator
• https://www.elastic.co/blog/endgame-joins-forces-with-elastic

Slides

https://slides.com/cronocide/building-your-first-siem

Documentation

https://www.cronocide.com/post/byfswtes/