Visualize Your Threats with Elastic SIEM

A presentation at stackconf in June 2020 in Berlin, Germany by David Pilato

Slide 1

Visualize your threats with Elastic SIEM David Pilato @dadoonet

Slide 2

Security incidents come in three levels: FYI, WTF, and OMG

Slide 3

Learn about a breach: from the press or users

Slide 4

Learn about a breach: attackers asking for a ransom

Slide 5

Learn about a breach: the cloud provider’s bill

Slide 6

Learn about a breach: yourself, after the fact

Slide 7

Learn about a breach: yourself, and you can prove no harm

Slide 8

Auditd https://github.com/linux-audit

Slide 9

Demo

Slide 10

Slide 11

Problem: how to centralize?

Slide 12

Developer | Evangelist !

Slide 13

Slide 14

Filebeat Module: Auditd
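The module's job is to read the raw records auditd writes to /var/log/audit/audit.log and turn them into structured, ECS-named documents. As an added example (not Elastic's code and not the module's real ingest pipeline), the following Python parses a few constructed audit records and maps them onto ECS-style field names. The field mapping, the two-entry syscall table and the sample log lines are my own simplifications; what it does faithfully reproduce is the record format: one `type=... msg=audit(epoch.millis:serial):` header, `key=value` pairs, several records sharing one serial for a single syscall, and hex encoding of any value containing a space or non-printable byte.

```python
"""Turn raw auditd records, the /var/log/audit/audit.log format that the
Filebeat auditd module reads, into ECS-shaped events.

Added example, not Elastic's code: the ECS mapping below is a hand-written
approximation of what the module's pipeline does, the syscall table covers
only the x86_64 numbers used in the sample, and the log lines are constructed.
Real files may also carry a leading node=... token and split long EXECVE
arguments into a1[0]=..., a1[1]=..., neither of which is handled here.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample. Serial 42: cat run by uid 1000 (SYSCALL + EXECVE + CWD
# records describe the same call). Serial 43: an openat() denied with EACCES.
# a1 of the EXECVE record is hex-encoded without quotes, which is how auditd
# writes any value containing a space, quote or non-printable byte.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1234567890.123:42): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=1200 pid=1337 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1234567890.123:42): argc=2 a0="cat" a1=2F746D702F6D792066696C65
type=CWD msg=audit(1234567890.123:42): cwd="/home/alice"
type=SYSCALL msg=audit(1234567890.456:43): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd a2=0 a3=0 items=1 ppid=1200 pid=1338 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SYSCALL_NAMES = {59: "execve", 257: "openat"}   # x86_64 (arch=c000003e) only


def unquote(value: str) -> str:
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def decode_arg(value: str) -> str:
    """EXECVE arguments: quoted means literal, unquoted means hex-encoded."""
    if value.startswith('"'):
        return unquote(value)
    try:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    except ValueError:
        return value


def parse_record(line: str):
    """Split one record into (type, serial, epoch seconds, fraction, fields)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, frac, serial, body = m.groups()
    return rtype, f"{secs}.{frac}:{serial}", int(secs), frac, dict(KV_RE.findall(body))


def to_ecs(records: list) -> dict:
    """Merge the records that share one audit serial into one ECS-style event."""
    event = {"event": {}, "process": {}, "user": {}, "tags": []}
    for rtype, secs, frac, f in records:
        stamp = datetime.fromtimestamp(secs, tz=timezone.utc)
        event["@timestamp"] = stamp.strftime("%Y-%m-%dT%H:%M:%S") + f".{frac}Z"
        if rtype == "SYSCALL":
            sysno = int(f["syscall"])
            event["event"]["action"] = SYSCALL_NAMES.get(sysno, f"syscall_{sysno}")
            event["event"]["outcome"] = "success" if f.get("success") == "yes" else "failure"
            event["process"].update({
                "pid": int(f["pid"]),
                "parent": {"pid": int(f["ppid"])},
                "name": unquote(f["comm"]),
                "executable": unquote(f["exe"]),
            })
            event["user"]["id"] = f["uid"]
            if f.get("key", "(null)") != "(null)":     # rule key -> tag
                event["tags"].append(unquote(f["key"]))
        elif rtype == "EXECVE":
            event["process"]["args"] = [decode_arg(f[f"a{i}"]) for i in range(int(f["argc"]))]
        elif rtype == "CWD":
            event["process"]["working_directory"] = unquote(f["cwd"])
    return event


def parse_audit_log(text: str) -> dict:
    """Group records by serial and return {serial: ecs_event}."""
    by_serial = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            rtype, serial, secs, frac, fields = rec
            by_serial[serial].append((rtype, secs, frac, fields))
    return {serial: to_ecs(recs) for serial, recs in by_serial.items()}
```

The grouping by serial is the part people get wrong when they grep audit.log by hand: the executable comes from the SYSCALL record, the argv from EXECVE and the directory from CWD, and only together do they say "cat read /tmp/my file from /home/alice". The hex decoding matters for the same reason; an attacker who puts a space in an argument hides it from anyone matching on the quoted form.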

Slide 15

Demo

Slide 16

Auditbeat

Slide 17

Demo

Slide 18

System Module: host, process, package, socket, login, user

Slide 19

Demo

Slide 20

File Integrity Module: inotify (Linux), fsevents (macOS), ReadDirectoryChangesW (Windows)
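Those three APIs are how the module learns which path changed; the verdict (created, updated, deleted, or only the permissions touched) still comes from comparing a fresh hash and metadata against a baseline. As an added example that is not Auditbeat's code, the Python below does that comparison step the portable way, rescanning a whole tree instead of waiting for kernel notifications, so it runs on any box. The `event.action` names mirror the module's; the tampered fake /etc is a constructed scenario.

```python
"""Bare-bones file integrity monitoring: fingerprint a tree, fingerprint it
again after changes, and emit one event per difference.

Added example, not Auditbeat's code. Auditbeat's file_integrity module is
told *which* paths changed by inotify (Linux), fsevents (macOS) or
ReadDirectoryChangesW (Windows) and hashes only those; this version rescans
the whole tree so it runs anywhere. The event.action names mirror the
module's (created, updated, deleted, attributes_modified); the tampered files
are a constructed scenario.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """SHA-256 plus the metadata a FIM would compare; hashed in chunks so a
    large file does not land in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def snapshot(root: Path) -> dict:
    """Map every regular file under root (symlinks skipped, so a planted link
    cannot pull an outside file into the baseline) to its fingerprint."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def diff_snapshots(before: dict, after: dict) -> list:
    """Return (event.action, path) pairs; a content change takes precedence
    over a bare permission change on the same path."""
    events = []
    for rel in sorted(set(before) | set(after)):
        old, new = before.get(rel), after.get(rel)
        if old is None:
            events.append(("created", rel))
        elif new is None:
            events.append(("deleted", rel))
        elif old["sha256"] != new["sha256"]:
            events.append(("updated", rel))
        elif old["mode"] != new["mode"]:
            events.append(("attributes_modified", rel))
    return events


def demo() -> list:
    """Constructed scenario: baseline a fake /etc, tamper with it the way a
    post-exploitation script would, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "sudoers").write_text("root ALL=(ALL:ALL) ALL\n")
        (etc / "motd").write_text("Authorized use only.\n")
        os.chmod(etc / "sudoers", 0o440)
        baseline = snapshot(root)

        # Tampering: a second uid-0 account, world-writable sudoers, the
        # banner removed, and a dropped cron job.
        with (etc / "passwd").open("a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/sh\n")
        os.chmod(etc / "sudoers", 0o666)
        (etc / "motd").unlink()
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "update").write_text("* * * * * root /tmp/.x/run.sh\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for action, path in demo():
        print(f"{action:20s} {path}")
```

The sudoers case is the one worth noticing: the hash is unchanged, so a hash-only check would stay silent, yet a 0440 to 0666 change on that file is exactly what a privilege-escalation attempt looks like. That is why the fingerprint carries mode (and, in a fuller version, owner and mtime) next to the digest.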

Slide 21

Demo

Slide 22

Slide 23

Elastic Common Schema https://github.com/elastic/ecs

Slide 24

---
- name: base
  root: true
  title: Base
  group: 1
  short: All fields defined directly at the top level
  description: >
    The base field set contains all fields which are on the top level.
    These fields are common across all types of events.
  type: group
  fields:
    - name: "@timestamp"
      type: date
      level: core
      required: true
      example: "2016-05-23T08:05:34.853Z"
      short: Date/time when the event originated.
      description: >
        Date/time when the event originated.
        This is the date/time extracted from the event, typically representing
        when the event was generated by the source. If the event source has no
        original timestamp, this value is typically populated by the first time
        the event was received by the pipeline.
        Required field for all events.
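A field set definition like this is machine-readable on purpose: `root: true` says the fields live unprefixed at the top level, `required: true` says every event must carry the field, and `type: date` says what shape the value must have. As an added example that is not Elastic's tooling, the Python below checks events against such definitions. The base set is transcribed from the YAML above (plus `tags`, `labels` and `message`, which ECS defines in the same set); the small `process` set is my own excerpt, added to show the non-root case where field names are prefixed with the set name. The type checks cover only the ECS types used here, and both events are constructed.

```python
"""Check an event against ECS field definitions like the one on the slide.

Added example, not Elastic's tooling. The base field set is transcribed from
the slide's YAML (plus tags, labels and message from the same ECS set); the
process field set is a small excerpt added to show what root: true means:
base fields sit at the top level, every other set's fields are prefixed with
the set name. Type checks cover only the ECS types used here; the events are
constructed.
"""
from datetime import datetime

MISSING = object()   # sentinel: distinguishes "absent" from a legitimate None

FIELD_SETS = [
    {
        "name": "base",
        "root": True,      # root: true -> fields appear unprefixed
        "fields": [
            {"name": "@timestamp", "type": "date", "level": "core", "required": True},
            {"name": "tags", "type": "keyword", "level": "core", "normalize": ["array"]},
            {"name": "labels", "type": "object", "level": "core"},
            {"name": "message", "type": "text", "level": "core"},
        ],
    },
    {
        "name": "process",
        "root": False,     # fields are addressed as process.<name>
        "fields": [
            {"name": "pid", "type": "long", "level": "core"},
            {"name": "name", "type": "keyword", "level": "extended"},
            {"name": "executable", "type": "keyword", "level": "extended"},
            {"name": "args", "type": "keyword", "level": "extended", "normalize": ["array"]},
        ],
    },
]


def is_date(value) -> bool:
    """ECS date: an ISO 8601 timestamp. The trailing Z is rewritten because
    datetime.fromisoformat() only accepts it from Python 3.11 on."""
    if not isinstance(value, str):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


TYPE_CHECKS = {
    "date": is_date,
    "keyword": lambda v: isinstance(v, str),
    "text": lambda v: isinstance(v, str),
    "long": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
    "object": lambda v: isinstance(v, dict),
}


def flat_name(field_set: dict, field: dict) -> str:
    """Dotted ECS name: unprefixed for a root set, set.field otherwise."""
    return field["name"] if field_set["root"] else f"{field_set['name']}.{field['name']}"


def lookup(event: dict, dotted: str):
    """Walk a nested event ({"process": {"pid": 1}}) by dotted ECS name."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node


def validate(event: dict, field_sets=FIELD_SETS) -> list:
    """Return a list of problems; an empty list means the event conforms."""
    problems = []
    for fs in field_sets:
        for field in fs["fields"]:
            name = flat_name(fs, field)
            value = lookup(event, name)
            if value is MISSING:
                if field.get("required"):
                    problems.append(f"{name}: required field missing")
                continue
            array_ok = "array" in field.get("normalize", [])
            values = value if (array_ok and isinstance(value, list)) else [value]
            check = TYPE_CHECKS[field["type"]]
            if not all(check(v) for v in values):
                problems.append(f"{name}: {value!r} is not a valid ECS {field['type']}")
    return problems


# Constructed events: one conforming, one with two classic mistakes.
GOOD_EVENT = {
    "@timestamp": "2016-05-23T08:05:34.853Z",
    "tags": ["exec"],
    "message": "cat /etc/shadow",
    "process": {"pid": 1337, "name": "cat", "executable": "/usr/bin/cat",
                "args": ["cat", "/etc/shadow"]},
}
BAD_EVENT = {
    "@timestamp": "23/05/2016 08:05",            # not ISO 8601
    "process": {"pid": "1337", "name": "cat"},   # pid as a string
}
```

The two mistakes in `BAD_EVENT` are the ones that hurt most in a SIEM: a non-ISO timestamp is rejected or mis-parsed at index time, and a numeric field shipped as a string makes every `process.pid: 1337` correlation across sources silently miss.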

Slide 25

Elastic SIEM: Security Information and Event Management

Slide 26

Demo

Slide 27

Slide 28

Code: https://github.com/xeraa/auditbeat-in-action

Slide 29

Visualize your threats with Elastic SIEM David Pilato @dadoonet