Identifying threats with Elastic SIEM (Identifier les menaces avec Elastic SIEM) David Pilato @dadoonet

Security incidents come in 3 levels: FYI, WTF and OMG

Discovering a breach from the press or from your users

Discovering a breach from the attackers demanding a ransom

Discovering a breach from your cloud bill

Discovering a breach by yourself, after the fact

Discovering a breach by yourself, and being able to prove that no damage was done

auditd https://github.com/linux-audit

“auditd is the userspace component to the Linux Auditing System. It’s responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities.”

What to monitor: file and network access, system calls, commands run by a user, security events

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing

Demo

Problem: how to centralize?

Developer | Evangelist

Filebeat Module: Auditd

Demo

Auditbeat

Auditd Module: correlates related events, resolves UIDs to user names, native Elasticsearch integration

Auditd Module: eBPF powers on older kernels, easier configuration, written in Golang
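To make the two bullets above concrete, here is an added example (not Auditbeat's code, and not from the talk) of what "correlate related events" and "resolve UIDs to user names" mean for raw auditd output. The kernel emits several records (SYSCALL, CWD, PATH, EXECVE, ...) per event, all tagged with the same audit id "timestamp:serial"; the example groups them into one event, maps the uid through a constructed stand-in for /etc/passwd, and flattens the result into ECS-style field names. The log lines, the PASSWD table, the partial x86_64 syscall table and the auditd.* field names are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample of raw auditd records, in the format auditd writes to
# /var/log/audit/audit.log. Records that belong to one kernel event share the
# same audit id "timestamp:serial"; two events are shown: a denied open() of
# sshd_config by uid 1000 and an execve() of "id -u" by the same user.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="sshd_config"
type=CWD msg=audit(1364481363.243:24287):  cwd="/home/alice"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1364481402.118:24301): arch=c000003e syscall=59 success=yes exit=0 a0=55d2c3a1 a1=55d2c3b0 a2=55d2c3c0 a3=7ffe items=2 ppid=3538 pid=3601 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="id" exe="/usr/bin/id" key="exec"
type=EXECVE msg=audit(1364481402.118:24301): argc=2 a0="id" a1="-u"
type=PATH msg=audit(1364481402.118:24301): item=0 name="/usr/bin/id" inode=131 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
"""

# Constructed stand-in for the host's user database (assumption: a real
# collector would read /etc/passwd or use the pwd module on the host).
PASSWD = {0: "root", 1000: "alice"}

# Partial x86_64 syscall table (assumption: the real mapping depends on the
# "arch" field and is far larger; only the two numbers used above are listed).
SYSCALLS_X86_64 = {2: "open", 59: "execve"}

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """Split one raw audit line into its record type, audit id and key=value fields."""
    m = RECORD_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def correlate_auditd(lines):
    """Group every record sharing one audit id into a single event, in order of first appearance."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault((rec["ts"], rec["serial"]), []).append(rec)
    return [{"ts": ts, "serial": serial, "records": recs}
            for (ts, serial), recs in events.items()]


def resolve_user(uid):
    """Resolve a numeric uid to a name, keeping the number when it is unknown."""
    return PASSWD.get(int(uid), str(uid))


def _first(event, record_type):
    """Fields of the first record of the given type within the event, or {}."""
    return next((r["fields"] for r in event["records"] if r["type"] == record_type), {})


def to_ecs(event):
    """Flatten a correlated event into a document with ECS-style field names.

    process.*, user.*, file.* and event.* are ECS names; the auditd.* names are
    an assumption about how the module namespaces its raw data."""
    sc, path, execve = _first(event, "SYSCALL"), _first(event, "PATH"), _first(event, "EXECVE")
    syscall_no = int(sc["syscall"]) if "syscall" in sc else None
    argc = int(execve["argc"]) if "argc" in execve else 0
    return {
        "@timestamp": datetime.fromtimestamp(event["ts"], tz=timezone.utc).isoformat(),
        "auditd.sequence": event["serial"],
        "auditd.data.syscall": SYSCALLS_X86_64.get(syscall_no, syscall_no),
        "event.outcome": "success" if sc.get("success") == "yes" else "failure",
        "user.id": sc.get("uid"),
        "user.name": resolve_user(sc["uid"]) if "uid" in sc else None,
        "process.pid": int(sc["pid"]) if "pid" in sc else None,
        "process.name": sc.get("comm"),
        "process.executable": sc.get("exe"),
        "process.args": [execve[f"a{i}"] for i in range(argc)],
        "process.working_directory": _first(event, "CWD").get("cwd"),
        "file.path": path.get("name"),
    }


if __name__ == "__main__":
    for ev in correlate_auditd(SAMPLE_AUDIT_LOG.splitlines()):
        print(to_ecs(ev))
```

Resolving uids on the host where the event was produced matters: the same numeric id means different accounts on different machines, and once the records have been shipped to a central store that context is gone.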

Demo


https://cloud.elastic.co

System Module: simpler syntax for host, process, socket, user
1. Host dataset works for Windows, macOS, and Linux and is using system APIs for the most part
2. Process dataset works for all three OS as well, and is using /proc on Linux, and system APIs on macOS and Windows

Demo

File Integrity Module: inotify (Linux), fsevents (macOS), ReadDirectoryChangesW (Windows)

Demo

hash_types: blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, xxh64
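The file integrity module above reacts to change notifications and reports the configured hash_types for each touched file. The following added example (not Auditbeat's code, and not from the talk) shows the other half of the idea in a form you can run offline: take a baseline snapshot of a directory tree, hash every regular file with several of the listed hash_types using Python's hashlib, rescan, and emit one event per created, updated or deleted path. The directory contents, the file names and the event.action values are constructed for the example; xxh64 is left out because it is not in the standard library.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def make_hasher(name):
    """Map one of the slide's hash_types names to a hashlib object.

    blake2b_N selects a truncated BLAKE2b digest of N bits; the other names are
    handed to hashlib.new(). xxh64 is not in the standard library, so it is
    deliberately unsupported here (assumption for this example)."""
    if name.startswith("blake2b_"):
        return hashlib.blake2b(digest_size=int(name.split("_", 1)[1]) // 8)
    return hashlib.new(name)


def hash_file(path, hash_types=("sha256",), chunk_size=1 << 16):
    """Stream the file once and feed every requested hasher from the same chunks."""
    hashers = {name: make_hasher(name) for name in hash_types}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def snapshot(root, hash_types=("sha256",)):
    """Record size, mode and digests of every regular file below root (symlinks skipped)."""
    root = Path(root)
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            p = Path(dirpath) / filename
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            snap[str(p.relative_to(root))] = {
                "size": st.st_size, "mode": st.st_mode, "hash": hash_file(p, hash_types)}
    return snap


def diff_snapshots(before, after):
    """Compare two snapshots and emit one ECS-style event per changed path.

    The event.action values (created/updated/deleted/attributes_modified) are
    the ones chosen for this example."""
    events = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            events.append({"event.action": "created", "file.path": path,
                           "file.hash": after[path]["hash"]})
        elif path not in after:
            events.append({"event.action": "deleted", "file.path": path})
        elif before[path]["hash"] != after[path]["hash"]:
            events.append({"event.action": "updated", "file.path": path,
                           "file.hash": after[path]["hash"]})
        elif before[path]["mode"] != after[path]["mode"]:
            events.append({"event.action": "attributes_modified", "file.path": path})
    return events


def demo():
    """Constructed scenario: a baseline of two files, then an attacker-style change set."""
    hash_types = ("sha256", "blake2b_256", "sha3_256")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "motd").write_text("welcome\n")
        before = snapshot(root, hash_types)
        (root / "sshd_config").write_text("PermitRootLogin yes\n")            # tampered
        (root / "motd").unlink()                                                # removed
        (root / "authorized_keys").write_text("ssh-ed25519 AAAA... constructed\n")  # planted
        return diff_snapshots(before, snapshot(root, hash_types))


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Two practitioner caveats that the comparison makes visible: a baseline stored on the monitored host can be rewritten by the same attacker who edits sshd_config, so it belongs in the central store (which is what shipping the hashes to Elasticsearch gives you), and a "deleted" event carries no hash because there is nothing left to read, so the baseline is the only record of what was there.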

Running on Kubernetes

Where to run it: DaemonSet

How to run it: https://github.com/elastic/beats/tree/master/deploy/kubernetes/auditbeat

Processors: add_docker_metadata, add_kubernetes_metadata

Elastic Common Schema https://github.com/elastic/ecs

---
- name: base
  root: true
  title: Base
  group: 1
  short: All fields defined directly at the top level
  description: >
    The base field set contains all fields which are on the top level.
    These fields are common across all types of events.
  type: group
  fields:
    - name: "@timestamp"
      type: date
      level: core
      required: true
      example: "2016-05-23T08:05:34.853Z"
      short: Date/time when the event originated.
      description: >
        Date/time when the event originated.

        This is the date/time extracted from the event, typically representing
        when the event was generated by the source.

        If the event source has no original timestamp, this value is typically
        populated by the first time the event was received by the pipeline.

        Required field for all events.

Elastic SIEM Security Information and Event Management

Demo

PS: Machine Learning aka Anomaly Detection

Elastic Endpoint

Endpoint

Conclusion

Topics: Auditd, Filebeat, Auditbeat, SIEM

Code: https://github.com/xeraa/auditbeat-in-action
