Identifying threats with Elastic SIEM
David Pilato
@dadoonet
Security incidents come in three levels:
FYI, WTF and OMG
How you discover a breach:
- through the press or your users
- through attackers demanding a ransom
- through your cloud bill
- by yourself, after the fact
- by yourself, and being able to prove that no damage was done
auditd
https://github.com/linux-audit
“auditd is the userspace component to the Linux Auditing System. It’s responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities.”
What to monitor:
- file and network access
- system calls
- commands run by a user
- security events

Auditd Module
- Correlate related events
- Resolve UIDs to user names
- Native Elasticsearch integration

Auditd Module
- eBPF powers on older kernels
- Easier configuration
- Written in Golang
Demo
https://cloud.elastic.co
System Module: simpler syntax for host, process, socket, user
1. The host dataset works on Windows, macOS and Linux and mostly uses system APIs.
2. The process dataset works on all three OSes as well; it uses /proc on Linux and system APIs on macOS and Windows.
How to run it: https://github.com/elastic/beats/tree/master/deploy/kubernetes/auditbeat
Processors:
- add_docker_metadata
- add_kubernetes_metadata
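The pieces above (auditd module rules for file, network and command monitoring, the system module datasets, the Docker and Kubernetes metadata processors, output to Elastic Cloud) fit in one auditbeat.yml. This is an added example written for this page, not a configuration from the talk or shipped by the Auditbeat project; the cloud.id and cloud.auth values are placeholders, and the ${path.config}/audit.rules.d directory is assumed to exist. The same module configuration goes into the ConfigMap of the Kubernetes DaemonSet manifest linked above.

```yaml
auditbeat.modules:

# Kernel audit subsystem: syscalls, file watches, commands, identity changes.
- module: auditd
  resolve_ids: true           # map uid/gid numbers to names in the event
  failure_mode: silent        # do not panic the kernel if the audit backlog overflows
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false  # true while tuning rules; raw records are large
  include_warnings: false
  # Auditbeat must be the only consumer of the audit socket (stop the auditd
  # service) unless socket_type is set to multicast (kernel 3.16+).
  socket_type: unicast
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |
    ## Commands run by any user. 64-bit only: on systems that also run 32-bit
    ## binaries add the same rules with -F arch=b32, or those execs are missed.
    -a always,exit -F arch=b64 -S execve,execveat -k exec

    ## Network access: successful IPv4 connect() (a2=16 is the sockaddr length)
    ## plus every accept()/bind().
    -a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -k external-access
    -a always,exit -F arch=b64 -S accept,bind -k external-access

    ## Identity files: writes and attribute changes only, not reads.
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/shadow -p wa -k identity

    ## Denied file access: opens that failed with EACCES or EPERM.
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

    ## Security events: changes to the audit configuration itself.
    -w /etc/audit/ -p wa -k auditconfig

# Host state and change tracking, independent of the kernel audit subsystem.
- module: system
  datasets:
    - host      # uptime, IPs, OS version
    - login     # logins, logouts, boots (from wtmp/btmp)
    - package   # installed, updated and removed packages
    - process   # process starts and stops (/proc on Linux)
    - socket    # opened and closed sockets
    - user      # user accounts and group membership
  period: 10s
  state.period: 12h               # full snapshot of processes/sockets/users
  user.detect_password_changes: true

processors:
  - add_host_metadata: ~
  - add_docker_metadata: ~        # container.id/name/image from the Docker socket
  - add_kubernetes_metadata: ~    # kubernetes.pod/namespace/labels from the API server

# Elastic Cloud deployment; placeholders, the real values come from the Cloud console.
cloud.id: "my-deployment:ZXhhbXBsZS5jb20kYWJjJGRlZg=="
cloud.auth: "auditbeat_writer:CHANGE_ME"
```

Validate with `auditbeat test config -c auditbeat.yml` and `auditbeat test output -c auditbeat.yml` before starting the service. The `-k` keys (exec, external-access, identity, access, auditconfig) end up in the event's tags, which is what you filter on in Kibana.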
Elastic Common Schema https://github.com/elastic/ecs
---
- name: base
  root: true
  title: Base
  group: 1
  short: All fields defined directly at the top level
  description: >
    The base field set contains all fields which are on the top level. These
    fields are common across all types of events.
  type: group
  fields:

    - name: "@timestamp"
      type: date
      level: core
      required: true
      example: "2016-05-23T08:05:34.853Z"
      short: Date/time when the event originated.
      description: >
        Date/time when the event originated.

        This is the date/time extracted from the event, typically representing
        when the event was generated by the source.

        If the event source has no original timestamp, this value is typically
        populated by the first time the event was received by the pipeline.

        Required field for all events.
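What the auditd module's "correlate related events" and "resolve UIDs to user names" mean in practice, and how the result lands in ECS fields like the ones defined above: auditd emits several records per syscall (SYSCALL, EXECVE, CWD, PATH, PROCTITLE or SOCKADDR), all sharing one msg=audit(time:serial) header, and hex-encodes any value containing spaces or control characters. The script below groups the records by serial, decodes the hex fields and the sockaddr, resolves uid/auid and emits one ECS-shaped event per syscall. It is an added illustration, not Auditbeat code; the audit log lines, the PASSWD map and the SYSCALL_NAMES table are constructed for the example.

```python
"""Correlate raw Linux audit records into one ECS-style event per syscall."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of /var/log/audit/audit.log lines (not from a real host):
# an execve whose second argument contains a space (hence hex-encoded, unquoted)
# and a connect() with its SOCKADDR record.
RAW_AUDIT_LOG = """\
type=SYSCALL msg=audit(1553090905.106:3543): arch=c000003e syscall=59 success=yes exit=0 a0=5 ppid=2837 pid=2898 auid=1000 uid=0 gid=0 euid=0 ses=2 tty=pts0 comm="cat" exe="/bin/cat" key="exec"
type=EXECVE msg=audit(1553090905.106:3543): argc=2 a0="cat" a1=2F7661722F6C6F672F6D79206C6F67
type=CWD msg=audit(1553090905.106:3543): cwd="/root"
type=PATH msg=audit(1553090905.106:3543): item=0 name="/bin/cat" mode=0100755 ouid=0 ogid=0
type=PROCTITLE msg=audit(1553090905.106:3543): proctitle=636174002F7661722F6C6F672F6D79206C6F67
type=SYSCALL msg=audit(1553090906.210:3544): arch=c000003e syscall=42 success=yes exit=0 a0=3 ppid=2898 pid=2910 auid=1000 uid=1000 gid=1000 euid=1000 ses=2 tty=pts0 comm="curl" exe="/usr/bin/curl" key="external-access"
type=SOCKADDR msg=audit(1553090906.210:3544): saddr=02000050C0A80A0A0000000000000000
type=PROCTITLE msg=audit(1553090906.210:3544): proctitle=6375726C00687474703A2F2F3139322E3136382E31302E3130
"""

# Assumed lookup tables standing in for /etc/passwd and the x86_64 syscall table.
PASSWD = {0: "root", 1000: "alice"}
SYSCALL_NAMES = {42: "connect", 59: "execve"}

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one record into type, timestamp, serial and key=value fields.
    Unquoted keys are remembered: for EXECVE/PROCTITLE they are hex-encoded."""
    m = HEADER.match(line)
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rtype, ts, serial, body = m.groups()
    fields, unquoted = {}, set()
    for key, quoted, bare in FIELD.findall(body):
        fields[key] = bare or quoted
        if bare:
            unquoted.add(key)
    return {"type": rtype, "timestamp": float(ts), "serial": int(serial),
            "fields": fields, "unquoted": unquoted}


def hex_to_str(value):
    return bytes.fromhex(value).decode("utf-8", errors="replace")


def decode_sockaddr(hexstr):
    """saddr layout: family in host order (little-endian on x86), then port and
    IPv4 address in network order. Only AF_INET (2) is decoded here."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[0:2], "little")
    if family != 2:
        return {"family": family}
    return {"family": family, "port": int.from_bytes(raw[2:4], "big"),
            "ip": ".".join(str(b) for b in raw[4:8])}


def to_ecs(records):
    """Merge the records sharing one serial into a single ECS-shaped event."""
    by_type = {r["type"]: r for r in records}  # one record per type in this sample
    sc = by_type["SYSCALL"]["fields"]
    uid, auid = int(sc["uid"]), int(sc["auid"])
    event = {
        "@timestamp": datetime.fromtimestamp(by_type["SYSCALL"]["timestamp"],
                                             timezone.utc).isoformat(),
        "event": {"category": "network" if "SOCKADDR" in by_type else "process",
                  "action": SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"]),
                  "outcome": "success" if sc["success"] == "yes" else "failure"},
        # Effective user plus the login (audit) user: a root shell reached via
        # sudo is still attributed to the person who logged in.
        "user": {"id": uid, "name": PASSWD.get(uid, str(uid)),
                 "audit": {"id": auid, "name": PASSWD.get(auid, str(auid))}},
        "process": {"pid": int(sc["pid"]), "ppid": int(sc["ppid"]),
                    "name": sc["comm"], "executable": sc["exe"]},
        "tags": [sc["key"]],
    }
    if "EXECVE" in by_type:
        ex = by_type["EXECVE"]
        event["process"]["args"] = [
            hex_to_str(ex["fields"][f"a{i}"]) if f"a{i}" in ex["unquoted"]
            else ex["fields"][f"a{i}"] for i in range(int(ex["fields"]["argc"]))]
    if "CWD" in by_type:
        event["process"]["working_directory"] = by_type["CWD"]["fields"]["cwd"]
    if "PROCTITLE" in by_type:
        pt, title = by_type["PROCTITLE"], by_type["PROCTITLE"]["fields"]["proctitle"]
        if "proctitle" in pt["unquoted"]:  # hex, NUL-separated argv
            title = hex_to_str(title).replace("\0", " ")
        event["process"]["title"] = title
    if "SOCKADDR" in by_type:
        sa = decode_sockaddr(by_type["SOCKADDR"]["fields"]["saddr"])
        event["destination"] = {"ip": sa.get("ip"), "port": sa.get("port")}
    return event


def correlate(raw_log):
    """Group records by serial number, then convert each group to one event."""
    groups = defaultdict(list)
    for line in raw_log.splitlines():
        if line.strip():
            rec = parse_record(line)
            groups[rec["serial"]].append(rec)
    return [to_ecs(recs) for _, recs in sorted(groups.items())]


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(RAW_AUDIT_LOG), indent=2))
```

The execve event comes out with process.args ["cat", "/var/log/my log"], user.name root and user.audit.name alice; the connect event gets destination.ip 192.168.10.10 and port 80. The same decoding is what makes raw audit records searchable by user name and argument in the SIEM rather than by numeric uid and hex blobs.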
Elastic SIEM: Security Information and Event Management