Building your first SIEM with the Elastic Stack

Who is this for?

  • Security Analysts
  • SOC Engineers
  • Blue-team beginners
  • One-man security teams
  • Anyone with an interest in
    SIEM architecture

Overview

  • What is a SIEM?
  • Designing a SIEM
  • Software Overview
  • Building a Dashboard
  • Getting Alerts
  • Expanding your SIEM

What is a SIEM?

  • Security Information and Event Manager
  • Combination of SEM and SIM
  • A tool to help security teams identify and detect threats and vulnerabilities

What is a SIEM not?

  • A replacement for security controls
  • Just central logging
  • A tool to understand your threats and vulnerabilities for you

Terminology

Forwarders, Agents, Sources, Sensors:

  • Generate log events to be processed

Enrichment, Normalization, Parsing:

  • The process of making log events readable and usable

Collectors, Ingesters, Aggregators:

  • Receive log events to be enriched or indexed

Indexers, Storage Nodes, Search Nodes:

  • Store events in a way that they can be searched and acted upon
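The four terminology groups above are the stages of one pipeline: a source emits a raw line, a collector parses it into fields, normalization maps program-specific text onto common field names, enrichment adds context the line never carried, and only then is the event worth indexing. The following is an added example (not code from the slides or from any Elastic component) that walks a few constructed syslog lines through those stages; the `event.*`, `source.*` and `host.*` field names are an assumed naming convention, and the asset table is constructed for illustration.

```python
"""Parse, normalize and enrich raw syslog lines into searchable events.

Added example for this page, not code from the slides or the Elastic
Stack. Sample lines, asset table and field names are constructed.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample lines in classic syslog layout (no year in the stamp).
SAMPLE_LINES = [
    "Mar  3 10:15:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2",
    "Mar  3 10:15:09 web01 sshd[2213]: Accepted publickey for deploy from 10.0.0.7 port 40122 ssh2",
    "Mar  3 10:15:11 web01 cron[2220]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Constructed enrichment table: context the collector knows about its assets.
ASSET_TABLE = {
    "web01": {"host.zone": "dmz", "host.owner": "webteam"},
}

SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SSHD_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse(line: str, year: int = 2020) -> Optional[dict]:
    """Parsing: split the syslog envelope into fields; None if the line does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {
        "@timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
        "host.name": m["host"],
        "process.name": m["prog"],
        "process.pid": int(m["pid"]),
        "message": m["msg"],
    }


def normalize(event: dict) -> dict:
    """Normalization: map sshd's free text onto common authentication fields."""
    if event["process.name"] == "sshd":
        m = SSHD_RE.match(event["message"])
        if m:
            event.update({
                "event.category": "authentication",
                "event.outcome": "failure" if m["outcome"] == "Failed" else "success",
                "event.action": m["method"],
                "user.name": m["user"],
                "source.ip": m["ip"],
                "source.port": int(m["port"]),
            })
    return event


def enrich(event: dict) -> dict:
    """Enrichment: attach asset context and flag internal sources (10/8 only, enough for the sample)."""
    event.update(ASSET_TABLE.get(event["host.name"], {}))
    ip = event.get("source.ip")
    if ip:
        event["source.internal"] = ip.startswith("10.")
    return event


def process(lines):
    """Run all three stages over every line; lines that do not parse are dropped."""
    out = []
    for line in lines:
        ev = parse(line)
        if ev is not None:
            out.append(enrich(normalize(ev)))
    return out


if __name__ == "__main__":
    for ev in process(SAMPLE_LINES):
        print(ev)
```

The cron line still parses but gains no authentication fields, which is the point of normalizing per program: a later search for `event.outcome: failure` only ever returns events that carry that meaning.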

SIEM Examples

The Elastic Stack (Free and Open Source Software):

  • Beats (Agents)
  • Logstash (Enrichment)
  • Elasticsearch (Indexing)
  • Kibana (Visualization)

Great Additions (Free and Open Source Software):

  • Zeek (Network Monitor)
  • ElastAlert (Alerting)

Advantages:

  • Free and Open Source
  • Scales vertically and horizontally
  • Backends for many open-source SIEM projects
  • Compatible with most proprietary SIEM components
  • Easy to expand and add functionality

Disadvantages

  • Requires more time and understanding to get started
  • Difficult to update
  • Free software has limited (read no) enterprise support
  • Harder to use than some of the other solutions
  • Threat detection definitions are mostly handmade

Elastic-Stack-Based SIEMs

A Holistic SIEM Outline (diagram): Network Logger, Workstation (×3), Storage / DB, Dashboards / Searching / Reporting.

Architecture:

  • Beats (Agents)
  • Logstash (Enrichment)
  • Elasticsearch (Indexing)
  • Kibana (Visualization)
  • Zeek (Network Monitor)
  • ElastAlert (Alerting)

Let's Build It!

https://asciinema.org/a/0UfptVlhWSEKyYB68rEH1AIaG

Configure Elastalert

https://asciinema.org/a/I6mL9FsSmCLakXvi7h8WK5NiU

Next Steps:

  • Enable Access Control in Elasticsearch
  • Implement data retention policies (Index Lifecycle Management)
  • Understand and enrich your data
  • Minimize data blind-spots
  • Refine and enhance your alerts
  • Shave down false positives
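The ElastAlert step earlier and the last two items above are the same problem seen twice: a threshold rule that fires on a burst of events, and the tuning that keeps it from firing on expected noise. The following is an added example, not ElastAlert's code: it re-implements the idea behind an ElastAlert frequency rule (a count of `num_events` within a `timeframe`, grouped by a `query_key`, with a `realert` cooldown) in plain Python so the logic is visible, and adds an exclusion list as one way to shave false positives without loosening the threshold. The events, the rule values and the field names are constructed.

```python
"""Frequency rule over normalized events, with exclusions and a realert cooldown.

Added example for this page; it mirrors the concept of an ElastAlert
frequency rule but is not ElastAlert code. Events and rule values are
constructed; field names follow an assumed event.*/source.* convention.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(ts, ip, outcome="failure", category="authentication"):
    """Build one constructed, already-normalized event."""
    return {"@timestamp": ts, "event.category": category,
            "event.outcome": outcome, "source.ip": ip, "user.name": "admin"}


BASE = datetime(2020, 3, 3, 10, 15, 0)
# Constructed: a burst of failures from one address, a burst from an internal
# vulnerability scanner that is expected to fail, and one unrelated success.
EVENTS = (
    [_ev((BASE + timedelta(seconds=20 * i)).isoformat(), "203.0.113.45") for i in range(7)]
    + [_ev((BASE + timedelta(seconds=15 * i)).isoformat(), "10.0.0.50") for i in range(6)]
    + [_ev((BASE + timedelta(seconds=30)).isoformat(), "10.0.0.7", outcome="success")]
)

RULE = {
    "name": "ssh-bruteforce",
    "filter": {"event.category": "authentication", "event.outcome": "failure"},
    "query_key": "source.ip",          # count per source address
    "num_events": 5,                   # fire on the fifth failure ...
    "timeframe": timedelta(minutes=5), # ... seen within five minutes
    "realert": timedelta(minutes=30),  # then stay quiet for that key
    # Sources whose failures are expected. Maintaining this list is the
    # "shave down false positives" work; the threshold itself stays strict.
    "exclude": {"source.ip": {"10.0.0.50"}},
}


class FrequencyRule:
    def __init__(self, rule):
        self.rule = rule
        self.windows = defaultdict(deque)  # key -> timestamps inside the window
        self.last_alert = {}               # key -> time of the last alert

    def matches(self, ev):
        """Filter first, then drop excluded values, so exclusions never count."""
        if any(ev.get(f) != v for f, v in self.rule["filter"].items()):
            return False
        return not any(ev.get(f) in blocked for f, blocked in self.rule["exclude"].items())

    def feed(self, ev):
        """Return an alert dict when the threshold is crossed, else None."""
        if not self.matches(ev):
            return None
        key = ev[self.rule["query_key"]]
        ts = datetime.fromisoformat(ev["@timestamp"])
        win = self.windows[key]
        win.append(ts)
        while win and ts - win[0] > self.rule["timeframe"]:
            win.popleft()               # slide the window forward
        if len(win) < self.rule["num_events"]:
            return None
        last = self.last_alert.get(key)
        if last is not None and ts - last < self.rule["realert"]:
            return None                 # still inside the cooldown
        self.last_alert[key] = ts
        return {"rule": self.rule["name"], "key": key, "count": len(win), "at": ev["@timestamp"]}


def run(events, rule=RULE):
    """Feed events in time order and collect the alerts raised."""
    r = FrequencyRule(rule)
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        a = r.feed(ev)
        if a:
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for a in run(EVENTS):
        print(a)
```

Running it with the rule as written yields a single alert for 203.0.113.45; dropping the `exclude` entry adds a second alert for the scanner, and setting `realert` to zero turns the one alert into three for the same burst, which is the kind of noise the cooldown exists to suppress.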

Further Reading

  • https://www.elastic.co/guide/en/elasticsearch/reference/current/scalability.html
  • https://www.elastic.co/guide/en/kibana/current/using-kibana-with-security.html
  • https://blog.zeek.org/2018/10/renaming-bro-project_11.html
  • https://github.com/HASecuritySolutions/Logstash
  • https://alexmarquardt.com/2019/06/15/improving-the-performance-of-logstash-persistent-queues/
  • https://github.com/elastic/curator
  • https://www.elastic.co/blog/endgame-joins-forces-with-elastic

Slides

https://slides.com/cronocide/building-your-first-siem

Documentation

https://www.cronocide.com/post/byfswtes/
