Identifying threats with Elastic SIEM

A presentation given at the Meetup Big Data and Machine Learning Lille in February 2020 in Lille, France, by David Pilato

Slide 1

Identifying threats with Elastic SIEM. David Pilato, @dadoonet

Slide 2

Security incidents come in 3 levels: FYI, WTF and OMG

Slide 3

Discovering a breach through the press or through your users

Slide 4

Discovering a breach through attackers demanding a ransom

Slide 5

Discovering a breach through your cloud bill

Slide 6

Discovering a breach yourself, after the fact

Slide 7

Discovering a breach yourself and being able to prove that no damage was done

Slide 8

auditd https://github.com/linux-audit

Slide 9

Demo

Slide 10

Slide 11

Problem: how to centralize?

Slide 12

Developer | Evangelist!

Slide 13

Slide 14

Filebeat Module: Auditd

Slide 15

Demo

Slide 16

Auditbeat

Slide 17

Demo

Slide 18

System Module: host, process, package, socket, login, user

Slide 19

Demo

Slide 20

File Integrity Module: inotify (Linux), fsevents (macOS), ReadDirectoryChangesW (Windows)

Slide 21

Demo

Slide 22

Slide 23

Elastic Common Schema https://github.com/elastic/ecs

Slide 24

---
- name: base
  root: true
  title: Base
  group: 1
  short: All fields defined directly at the top level
  description: >
    The base field set contains all fields which are on the top level.
    These fields are common across all types of events.
  type: group
  fields:
    - name: "@timestamp"
      type: date
      level: core
      required: true
      example: "2016-05-23T08:05:34.853Z"
      short: Date/time when the event originated.
      description: >
        Date/time when the event originated.
        This is the date/time extracted from the event, typically representing
        when the event was generated by the source. If the event source has no
        original timestamp, this value is typically populated by the first time
        the event was received by the pipeline. Required field for all events.
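The @timestamp rules this field set states (required on every event, an ISO 8601 date, filled from the pipeline receive time when the source carries none) carried into working code, as an added example that is not from the talk, the linked repository or ECS itself; the field definition is transcribed from the slide into Python dicts and the events are constructed.

```python
"""Check an event against the ECS "base" field set shown on slide 24 (added example;
the field definition is transcribed from the slide, the sample events are constructed)."""
from datetime import datetime, timezone

# ECS "base" field set as on slide 24 (ECS keeps it as YAML; dicts here).
BASE_FIELDSET = {
    "name": "base",
    "root": True,
    "fields": [
        {"name": "@timestamp", "type": "date", "level": "core", "required": True},
    ],
}

def parse_ecs_date(value):
    """ECS dates are ISO 8601 strings; a trailing 'Z' means UTC."""
    if not isinstance(value, str):
        raise ValueError("date must be a string")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def to_ecs_date(ts):
    """Render a datetime the way the slide's example does: UTC, milliseconds, 'Z'."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"

def ensure_timestamp(event, received_at):
    """Fill @timestamp from the pipeline receive time when the source had none,
    as the field description on the slide prescribes. Returns a new dict."""
    if "@timestamp" not in event:
        return {**event, "@timestamp": to_ecs_date(received_at)}
    return event

def validate_event(event, fieldset=BASE_FIELDSET):
    """Return a list of violations; an empty list means the event conforms."""
    problems = []
    for field in fieldset["fields"]:
        name = field["name"]
        if name not in event:
            if field.get("required"):
                problems.append(f"missing required field {name}")
            continue
        if field["type"] == "date":
            try:
                parse_ecs_date(event[name])
            except ValueError as exc:
                problems.append(f"{name}: not an ISO 8601 date ({exc})")
    return problems
```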

Slide 25

Elastic SIEM: Security Information and Event Management

Slide 26

Demo

Slide 27

Slide 28

Code: https://github.com/xeraa/auditbeat-in-action

Slide 29

Identifying threats with Elastic SIEM. David Pilato, @dadoonet