Using Kibana and Beats for Security Analytics

This post is part of the Elastic{ON} 2018 blog series where we recap specific demos and related deep-dive sessions from the conference. From machine learning forecasting to APM to security analytics with Mr. Robot — check out the list at the bottom of this post.

Detecting security breaches and performing post-detection adversary activity tracking can be frustrating and time-consuming work. But it doesn't have to be. In this demo Asawari Samant, Director of Product Marketing at Elastic, shows how the Elastic Stack can be used to detect security breaches and investigate the who, what, where, and how behind them.

So, how can the Elastic Stack identify and locate the source of security breaches? It all starts with data collection. In this fast-paced demo, Asawari demonstrates how lightweight data shippers called Beats (specifically Winlogbeat for Windows event logs and Packetbeat for network data) can be used to simplify log collection.

Kibana provides data visualization and exploration layers for sleuthing out potential malicious activity, letting users drill in and out as needed to follow the trail of a potential threat. Employing the anomaly explorer view, Asawari shows how users can zoom into anomalies to see where they occurred, when they occurred, and the severity of the issue. Using machine learning influencer analysis, she then demonstrates how users can determine which hosts and domains contributed to the detected activity.

Asawari then outlines how the time series visualization features in Kibana can create dynamic views of flagged events such as successful logins from anonymous users. From there, users can also see whether honey files (sensitive or critical files within a system) have been accessed, scrutinize network traffic for chatter between hosts, determine which users were in control of that activity, and locate the potential offender.
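As an added illustration (not code from the post or from Elastic), here are the two flagged-event types named above expressed as detection logic over constructed Winlogbeat-style Security log events; the event IDs are the standard Windows ones (4624 successful logon, 4663 object access), while the `winlog.*` field layout, host names, users and honey-file path are assumptions made for the example.

```python
import json
from collections import Counter

# Constructed Winlogbeat-style events (JSON lines), not data from the original post.
# Field names follow the winlog.* layout Winlogbeat uses for Security log events;
# hosts, users, addresses and paths are made up for this example.
SAMPLE_EVENTS = r"""
{"host":{"name":"ws-01"},"winlog":{"event_id":4624,"event_data":{"TargetUserName":"alice","LogonType":"2","IpAddress":"-"}}}
{"host":{"name":"srv-files"},"winlog":{"event_id":4624,"event_data":{"TargetUserName":"ANONYMOUS LOGON","LogonType":"3","IpAddress":"10.0.0.23"}}}
{"host":{"name":"srv-files"},"winlog":{"event_id":4663,"event_data":{"SubjectUserName":"bob","ObjectName":"C:\\Finance\\payroll_honey.xlsx","AccessMask":"0x1"}}}
{"host":{"name":"srv-files"},"winlog":{"event_id":4663,"event_data":{"SubjectUserName":"bob","ObjectName":"C:\\Public\\readme.txt","AccessMask":"0x1"}}}
{"host":{"name":"dc-01"},"winlog":{"event_id":4624,"event_data":{"TargetUserName":"ANONYMOUS LOGON","LogonType":"3","IpAddress":"10.0.0.23"}}}
"""

# Honey files: decoys that no legitimate workflow should open (assumed path).
HONEY_FILES = {r"C:\Finance\payroll_honey.xlsx"}

def parse_events(text):
    """Parse newline-delimited JSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_events(events):
    """Return (rule, host, user, detail) tuples for events worth charting."""
    hits = []
    for ev in events:
        host = ev["host"]["name"]
        eid = ev["winlog"]["event_id"]
        data = ev["winlog"]["event_data"]
        # 4624 = successful logon. An ANONYMOUS LOGON over the network (type 3)
        # is the "successful login from an anonymous user" the demo charts.
        if eid == 4624 and data.get("TargetUserName") == "ANONYMOUS LOGON":
            hits.append(("anonymous_logon", host, data["TargetUserName"], data.get("IpAddress")))
        # 4663 = object access. Any touch of a honey file is suspicious by design.
        elif eid == 4663 and data.get("ObjectName") in HONEY_FILES:
            hits.append(("honey_file_access", host, data["SubjectUserName"], data["ObjectName"]))
    return hits

def count_by_rule_and_host(hits):
    """Aggregate like a Kibana terms split: (rule, host) -> count."""
    return Counter((rule, host) for rule, host, _, _ in hits)

if __name__ == "__main__":
    hits = flag_events(parse_events(SAMPLE_EVENTS))
    for h in hits:
        print(h)
    print(count_by_rule_and_host(hits))
```

The per-(rule, host) counts are what a time series visualization would bucket over time; the source address on the anonymous logons is the pivot for the network-chatter step that follows.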

For analysts working to address a breach post detection, speed at scale is key. Working together, Elasticsearch, Kibana, Beats, and Logstash change your relationship to data, providing fast results to queries so you can follow issues at the speed of thought.

Want to see the demo in action? Watch the video above. If your inner detective is inspired by all that the Elastic Stack can accomplish, take a deep dive into security analytics with Jingsi Xia and Rajesh Hari in Ferreting out Financial Fraud at Discover Financial or A Security Analytics Platform for Today with Samir Bennacer and Kevin Kenney.

See what else we covered during the conference in these recaps: