Visualize Your Threats with Elastic SIEM

A presentation at stackconf in in Berlin, Germany by David Pilato

Knowing what is going on in your environment is an important part of staying on top of security issues. But how do you capture relevant metrics and visualize them? One widely-used tool for that job is the Elastic Stack, formerly known as the ELK stack. This talk shows how to ingest relevant metrics from your network and hosts as well as how to easily visualize them to find suspicious patterns and behaviors. We will be also using the latest tool named SIEM.

We will use real-world honeypot data for this example:

  • The first step is to parse and enrich the data, so we can identify actual attacks, their origin, and more.
  • Then we store and explore the data to find meaningful insights.
  • Which leads us to visualize specific attributes — like the location of an attacker or patterns in the attacks.
  • Building upon this we can combine visualizations into dashboards, giving a broader overview.
  • Finally we will use the Kibana SIEM app to see how everything is now getting easy to track for attacks.

Everything done live.

Video

Resources

The following resources were mentioned during the presentation or are useful additional information.

Buzz and feedback

Here’s what was said about this presentation on Twitter.