Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019
0 likes50 views
This document provides an overview of using the Elastic Stack (Elasticsearch, Logstash, Kibana) as a security information and event management (SIEM) solution. It discusses installing and configuring the Elastic Stack components - Elasticsearch for storage, Logstash for processing logs, and Kibana for visualization. It also covers installing support tools like Cerebro. The Elastic Stack is presented as a free and powerful open source alternative to expensive commercial SIEM systems for continuous security monitoring, log aggregation, and alerting.
![Logstash Config File Format
input {
stdin { codec => "json" }
}
filter {
if [event_id] == 123 {
drop { }
}
}
output {
stdout { codec => rubydebug }
}](https://image.slidesharecdn.com/practicalsecuritymonitoringwithelkstackbyjanithmalinga-econ2019-200220035032/85/Practical-security-monitoring-with-ELASTIC-STACK-by-Janith-Malinga-econ2019-31-320.jpg)
Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019
- 3. Contents ▪ Why continuous security monitoring ▪ Intro to ELK Stack ▪ Install Elasticsearch and Cerebro ▪ Install Kibana and create dashboards ▪ Install Logstash and create config files ▪ Install filebeat agent and forward logs
- 5. Security Systems In Use ▪ Firewall ▪ Antivirus software ▪ Web application firewall (waf)
- 8. New Trends Of Attacks ▪ Supply chain management ▪ Hardware layer
- 9. SIEM
- 10. "In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware." Wikipedia SIEM
- 11. The general perception is that setting up SIEM is a very expensive exercise, however with the right knowledge and skill it can be done at a fraction of the cost.
- 12. Functions of a SIEM Logs Log Aggregator Log Broker Correlation rules Logs Logs Logs Storage Visualization
- 13. Continuous Security Monitoring ▪ End point security monitoring ▪ Network security monitoring
- 16. Functions of a SIEM Logs Log Aggregator Log Broker Correlation rules Logs Logs Logs Storage Visualization
- 17. Elastic Stack vs Commercial SIEM ▪ Elastic Stack ▪ Free, Paid support features ▪ Outstanding visualizations ▪ Advanced log enrichments ▪ Capable handling high volume • Commercial SIEM • Licensed on volume, log sources, events per second • Limited log enrichment • High volume = High cost
- 18. Minimum Hardware Requirements ▪ Ram: 8GB ▪ Storage: 40GB ▪ 2 Network interfaces ▪ CPU: 64-bit 2.0+ GHz processor or higher
- 19. ELASTICSEARCH
- 20. Install Elasticsearch #sudo dpkg -i elasticsearch-6.0.0.deb Config files locations:- Elasticsearch has three configuration files: ▪ elasticsearch.yml for configuring Elasticsearch ▪ jvm.options for configuring Elasticsearch JVM settings ▪ log4j2.properties for configuring Elasticsearch logging
- 21. Elasticsearch ▪ Distributed, real-time data store, real-time analysis full text search engine ▪ Opensource ▪ Highly scalable
- 22. Indices, Shards and Replicas ▪ An index is stored on a node, which is a part of a cluster ▪ Indices are broken into shards ▪ Each shard is either a primary or replica ▪ Each log item is a document that contains fields and values
- 23. CEREBRO
- 24. Cerebro ▪ Cerebro is an opensource Elasticsearh web admin tool ▪ Displays cluster health ▪ Makes index managements easy
- 25. Install Cerebro #sudo unzip cerebro-0.7.1.zip -d /opt #sudo mv /opt/cerebro-0.7.1/ /opt/cerebro/ Create a user for cerebro #sudo useradd cerebro Give permissions for the user #sudo chown -R cerebro: /opt/cerebro/ Create a service for cerebro #sudo cp cerebro.service /etc/systemd/system #sudo systemctl daemon-reload #sudo systemctl enable cerebro.service #sudo service cerebro start
- 26. KIBANA
- 27. Install Kibana #sudo dpkg -i kibana-6.0.0-amd64.deb Enable kibana service #sudo systemctl enable kibana.service Start kibana service #sudo service kibana start
- 28. LOGSTASH
- 29. Install Logstash #sudo dpkg -I logstash-6.2.1.deb Config file jvm.options
- 30. Logstash Config File Format input{ } filter{ } output{ }
- 31. Logstash Config File Format input { stdin { codec => "json" } } filter { if [event_id] == 123 { drop { } } } output { stdout { codec => rubydebug } }
- 32. THANK YOU
- 33. FOLLOW US ON /econIntconference @econ_int @int.econ