安全分析
威胁不会遵循模板行事。您也不该这样。Elastic Stack 为您提供了与目前和未来的攻击向量保持同步所需的优势。下文将介绍它是如何做到的。
首先,您的速度必须非常快
攻击并不是假设后果的问题,但何时到来很重要。那么,问问自己,您希望敌手在您的系统中呆多久?
Elastic 专为提高速度而设计,并且在摄取数据时对其进行索引。这样可使您获取信息的时间缩短到几秒钟,并使得各类查询和实时的可视化分析变得简单。
不要像扔垃圾一样丢弃数据,而是把所有数据抛给 Elasticsearch 消化
检测威胁的关键可能来自任何地方。因此,全面了解系统中实时发生的事件就变得至关重要。
Elasticsearch 早餐便可消化 PB 级的数据 — 从防火墙、Web 代理、检测系统到您喜欢的任何来源 — 因此不要再犹豫不决了。
延长数据的在线保留时间以方便调查
它们是什么时候进来的?要去哪里?它们都做了些什么?还有其他哪些方面受到了影响?
要回答这些问题,仅仅将数据保留七天时间是无法进行适当的历史回顾的。一般来说,威胁在得到解决之前可以潜伏 100 天。Elastic 不仅使得搜索长期历史数据成为可能,而且这种方式既实用简单又方便快捷。
创建新鲜事物,增强您的 SIEM
从一块空白的石板开始,创建像 Slack 这样的本土安全解决方案,或者增加现有的 SIEM 投资,例如 USAA。Elastic 还很灵活。如果您没有发现自己的需求,可以构建它或利用开源社区。您不会陷入其中而停滞不前。取得胜利需要开源。
- 身份验证日志
- 审计数据
- NETFLOW
- DNS
- SIEM
身份验证日志
通过 Filebeat System 模块将身份验证日志发送到 Elasticsearch,并使用 Kibana 查看 SSH 尝试登录次数以及其他身份验证活动。
审计事件
收集您的 Linux 审计框架数据并通过追踪审计日志来监控文件的完整性。使用 Auditbeat 将它们发送到 Elasticsearch 以便在 Kibana 中进行分析和可视化。
NetFlow 记录
借助单个命令,Logstash NetFlow 模块可以解析网络流量数据,将事件索引到 Elasticsearch 中,并安装一套随时可用的 Kibana 仪表板。
DNS 流量
使用 Packetbeat 将 DNS 协议数据发送到 Elasticsearch,以便在 Kibana 中进行分析和可视化。快速查看网络上发生的情况:用户访问模式、域活动、查询趋势。
ArcSight 事件
通过 Logstash ArcSight 模块将 CEF 数据传递到 Elasticsearch,以增强您的 ArcSight SIEM。在预先配置的 Kibana 仪表板中体验快速的各类分析和交互式威胁追踪。
立即试用
Note the password for elastic user as <es_pw>
Note the password for kibana user as <kibana_pw>
Modify config/kibana.yml to set credentials for Elasticsearch
elasticsearch.username: "kibana" elasticsearch.password: "<kibana_pw>"
Modify filebeat.yml to set credentials for Elasticsearch output
output.elasticsearch: username: "elastic" password: "<es_pw>"
What just happened?
Filebeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start viewing latest system log messages, and reporting on SSH login attempts and other authentication events.
Didn't work for you?
Filebeat module assumes default log locations, unmodified file formats, and supported versions of the products generating the logs. See the documentation for more details.
Note the password for elastic user as <es_pw>
Note the password for kibana user as <kibana_pw>
Modify config/kibana.yml to set credentials for Elasticsearch
elasticsearch.username: "kibana" elasticsearch.password: "<kibana_pw>"
Modify auditbeat.yml to set credentials for Elasticsearch output
output.elasticsearch: username: "elastic" password: "<es_pw>"
What just happened?
Auditbeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start viewing latest system audit information.
Didn't work for you?
Auditbeat module assumes default operating system configuration. See the documentation for more details.
Note the password for elastic user as <es_pw>
Note the password for kibana user as <kibana_pw>
Modify config/kibana.yml to set credentials for Elasticsearch
elasticsearch.username: "kibana" elasticsearch.password: "<kibana_pw>"
Modify logstash.yml to set NetFlow module details
modules: - name: netflow var.input.udp.port: <netflow_port> var.elasticsearch.username: "elastic" var.elasticsearch.password: "<es_pw>"
Configure NetFlow to export flow events to Logstash via UDP on default port 2055.
What just happened?
Logstash created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start viewing Netflow events.
Didn't work for you?
Logstash module makes a set of assumptions around default configuration of the NetFlow solution, however you can override defaults. See the documentation for more details.
Note the password for elastic user as <es_pw>
Note the password for kibana user as <kibana_pw>
Modify config/kibana.yml to set credentials for Elasticsearch
elasticsearch.username: "kibana"
elasticsearch.password: "<kibana_pw>"
Modify packetbeat.yml to set credentials for Elasticsearch output
output.elasticsearch: username: "elastic" password: "<es_pw>"
What just happened?
Packetbeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start viewing details of your DNS traffic.
Didn't work for you?
Packetbeat makes a set of assumptions around defaults, such as default network ports. See the documentation for more details on how to further configure your deployment.
Note the password for elastic user as <es_pw>
Note the password for kibana user as <kibana_pw>
Modify config/kibana.yml to set credentials for Elasticsearch
elasticsearch.username: "kibana" elasticsearch.password: "<kibana_pw>"
Modify logstash.yml to set ArcSight module details
modules: - name: arcsight var.inputs: smartconnector var.elasticsearch.username: "elastic" var.elasticsearch.password: "<es_pw>"
Configure Smart Connectors to send CEF events to Logstash via TCP on default port 5000.
What just happened?
Logstash created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start viewing ArcSight events.
Didn't work for you?
Logstash module makes a set of assumptions around default configuration of the ArcSight solution, however you can override defaults. See the documentation for more details.
- Register, if you do not already have an account
- Log into the Elastic Cloud console
- Select Create Cluster, leave size slider at 4 GB RAM, and click Create
- Note the Cloud ID as <cloud.id>
- Note the cluster Password as <password>
- In Overview >> Endpoints section note Kibana URL as <kibana_url>
- Wait until cluster plan completes
Download and unpack Filebeat
In Filebeat install directory:
Modify filebeat.yml to set credentials for Elasticsearch output
output.elasticsearch: username: "elastic" password: "<password>"
What just happened?
Filebeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start viewing latest system log messages, and reporting on SSH login attempts and other authentication events.
Didn't work for you?
Filebeat module assumes default log locations, unmodified file formats, and supported versions of the products generating the logs. See the documentation for more details.
- Register, if you do not already have an account
- Log into the Elastic Cloud console
- Select Create Cluster, leave size slider at 4 GB RAM, and click Create
- Note the Cloud ID as <cloud.id>
- Note the cluster Password as <password>
- In Overview >> Endpoints section note Kibana URL as <kibana_url>
- Wait until cluster plan completes
Download and unpack Auditbeat
In Auditbeat install directory:
Modify auditbeat.yml to set credentials for Elasticsearch output
output.elasticsearch: username: "elastic" password: "<password>"
What just happened?
Auditbeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start viewing latest system audit information.
Didn't work for you?
Auditbeat module assumes default operating system configuration. See the documentation for more details.
- Register, if you do not already have an account
- Log into the Elastic Cloud console
- Select Create Cluster, leave size slider at 4 GB RAM, and click Create
- Note the Cloud ID as <cloud.id>
- Note the cluster Password as <password>
- In Overview >> Endpoints section note Kibana URL as <kibana_url>
- Wait until cluster plan completes
Download and unpack Logstash
In Logstash install directory:
Modify logstash.yml to set Netflow module details
modules: - name: netflow var.input.udp.port: <netflow_port> var.elasticsearch.username: "elastic" var.elasticsearch.password: "<password>"
Configure NetFlow to export flow events to Logstash via UDP on default port 2055.
What just happened?
Logstash created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start viewing NetFlow events.
Didn't work for you?
Logstash module makes a set of assumptions around default configuration of the Netflow solution, however you can override defaults. See the documentation for more details.
- Register, if you do not already have an account
- Log into the Elastic Cloud console
- Select Create Cluster, leave size slider at 4 GB RAM, and click Create
- Note the Cloud ID as <cloud.id>
- Note the cluster Password as <password>
- In Overview >> Endpoints section note Kibana URL as <kibana_url>
- Wait until cluster plan completes
Download and unpack Packetbeat
In Packetbeat install directory:
Modify packetbeat.yml to set credentials for Elasticsearch output
output.elasticsearch: username: "elastic" password: "<password>"
What just happened?
Packetbeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start viewing details of your DNS traffic.
Didn't work for you?
Packetbeat makes a set of assumptions around defaults, such as default network ports. See the documentation for more details on how to further configure your deployment.
- Register, if you do not already have an account
- Log into the Elastic Cloud console
- Select Create Cluster, leave size slider at 4 GB RAM, and click Create
- Note the Cloud ID as <cloud.id>
- Note the cluster Password as <password>
- In Overview >> Endpoints section note Kibana URL as <kibana_url>
- Wait until cluster plan completes
Download and unpack Logstash
In Logstash install directory, run:
Modify logstash.yml to set ArcSight module details
modules:
- name: arcsight
var.inputs: smartconnector
var.elasticsearch.username: "elastic"
var.elasticsearch.password: "<password>"
Configure Smart Connectors to send CEF events to Logstash via TCP on default port 5000.
What just happened?
Logstash created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start viewing Arcsight events.
Didn't work for you?
Logstash module makes a set of assumptions around default configuration of the ArcSight solution, however you can override defaults. See the documentation for more details.
自动执行异常检测,探索奇怪的连接
如何与数十亿的签名保持同步?亦或在数百万个 IP 地址中建立有意义的连接?将机器学习和图分析添加到您的 Elastic 方程中,以便在繁杂喧嚣的环境中快速检测网络威胁 - 无论是您预料到的威胁还是您没有预料到的威胁。
很多公司有同样的苦恼
USAA 一开始在其安全实验室中使用几个 Elasticsearch 节点。而现在,他们拥有一套完整的在生产环境部署,增强的 ArcSight SIEM。在此之前,USAA 第一出动人员曾经需要等待日志管理设备花费几分钟(甚至几小时)的时间来进行查询,以生成威胁追踪分析的输出结果。而有了 Elastic,他们再也不用这样了。
他们只是使用 Elastic 管理安全事件的众多公司之一。探索更多客户示例。
