Elastic Security: Securing your cloud assets with cloud security posture management

Overview

Introduction to Elastic Security

Learn how Elastic Security helps you protect your organization by unifying SIEM, endpoint, and cloud security.

Get your hands on Elastic Security

Experience Elastic Security for yourself with this interactive demo.


Onboard your data

Create an Elastic Cloud account

Get started with a 14-day trial. Create an account on cloud.elastic.co and then follow this video to deploy Elastic.

If you click Edit settings, you can choose a cloud provider: Google Cloud, Microsoft Azure, or AWS.

Once you select your cloud provider you'll be able to select the relevant region. Make sure the Hardware profile selected is Storage optimized, or Storage optimized (dense). Finally click on Advanced settings to optimize your cluster for security use cases as follows:

  • Hot data and Content Tier
    • Size per zone: 180GB storage
    • Availability zone: 2 zones
  • Frozen data tier
    • Size per zone: 6.25 TB storage
    • Availability zone: 1 zone
  • Machine Learning instances
    • Minimum size per zone: 2GB RAM
    • Maximum size per zone: 64GB RAM
    • Availability zone: 1 zone
  • Kibana
    • Size per zone: 2GB RAM
    • Availability zone: 1 zone
  • Integrations Server instances
    • Size per zone: 1GB RAM
    • Availability zone: 1 zone

After you've selected the above settings click Create deployment.

Once your deployment is ready, select Secure my cloud assets with cloud security posture (CSPM).

Upon selecting Cloud Security Posture Management (CSPM), you'll be prompted to add the integration. The integration discovers and evaluates services in your cloud environment, such as storage, compute, and IAM, so you can identify and remediate configuration risks that could undermine the confidentiality, integrity, and availability of your data in the cloud.

Next, you'll configure the integration. First, you'll select the cloud provider you want to monitor:

  • Amazon Web Services (AWS)
  • Google Cloud (GCP)

The Elastic Security for Cloud CSPM feature can be configured to perform evaluations at the organization level, to ensure full coverage, or at the level of an individual account within an organization. Note that you will need permissions scoped for organization-level or account-level access, respectively, to complete the CSPM setup. For an initial proof of concept and the purpose of getting started, we'll choose Single Account.

You can also give it a name and description, but this is optional.

For Setup Access, depending on the cloud provider you wish to monitor, Elastic provides two options:

  • AWS CloudFormation / Google Cloud Shell: These options use native infrastructure as code (IaC) tooling to provision the required infrastructure inside your cloud environment automatically. With this option, you can begin evaluating the security posture of your cloud environment in a couple of clicks.
  • Manual: The manual option requires you to provision the infrastructure and permissions used by CSPM in your environment yourself.

For this guide, we'll provision our infrastructure automatically, so select AWS CloudFormation or Google Cloud Shell.

Be sure you follow the series of steps outlined in Setup Access, which include logging into your cloud provider.

Once you do this, click Save and continue, and you'll see a pop-up modal appear. On the pop-up, you'll see you can launch your preferred native IaC tool to provision the necessary infrastructure inside of your cloud automatically.

A new window will then open, taking you to your cloud provider's console. To see what launching the IaC tool in AWS or GCP looks like after you click Save and continue, follow along in this guided tour.

Provisioning your infrastructure will take a few minutes. While the infrastructure and permissions are being provisioned, if you navigate back to the Elastic Cloud console where you were adding the Cloud Security Posture Management (CSPM) integration, you'll see an Add agent flyout.

Once all the necessary infrastructure has been provisioned in your cloud, you'll see that elastic-agent has been enrolled and posture data is coming in. From here, you can select View Assets.


Working with Elastic Security

Now, it's time to explore your data. Once you click View Assets, you'll be brought to the following page. Let's go through the Dashboard, Findings, and Rules assets together.

Keep in mind that you'll need to do additional configuration if you'd like to enable Cloud Native Vulnerability Management. This isn't needed to get started, but for more information, check out our documentation.

Cloud Posture Dashboard

The Cloud Posture dashboard summarizes the overall security posture of your cloud environments.

  • Number of accounts you've enrolled
  • Number of resources evaluated
  • Failed findings

Your posture score tells you how securely configured your overall cloud environment is.

Findings and alerts

The Findings page displays each individual resource evaluated by the CSPM integration and whether the resource passed or failed the secure-configuration checks run against it. For more information on Findings, such as how to group and filter them, check out our documentation.

You may want to monitor some rules more closely than others. Select a finding for that rule and click Take action in the lower right. Then click Create a detection rule.

Next click View rule.

You'll now see the detection rule along with its definition. From now on, whenever there is a failed finding for this rule, you'll get an alert. To set up other actions, click Edit rule settings on the upper right of the rule page.

Next, select Actions.

From here, you can set up actions. For example, when a resource fails the rule, you can send a Slack message, create a Jira ticket, and so on, so that you get a proactive notification to review the failed finding and remediate the misconfiguration. To learn more about detection rules, check out our documentation.
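The following is an added example, not code from Elastic or from this guide. It reproduces the headline numbers the Cloud Posture dashboard shows (accounts enrolled, resources evaluated, failed findings, posture score) from a set of CSPM findings, shows which failed findings a detection rule for one benchmark rule would alert on, and builds the request body you would send to the Kibana detection rules API to create such a rule with a Slack action. The sample findings, account IDs, resource IDs, rule numbers and rule names are constructed for illustration. The field names (cloud.account.id, resource.id, result.evaluation, rule.name, rule.benchmark.rule_number), the index pattern, and the assumption that the posture score is the percentage of findings that passed should all be checked against your own deployment.

```python
# Added example (not Elastic's code): dashboard-style summary of CSPM findings
# and a detection rule that alerts on failed findings for one benchmark rule.
from collections import defaultdict


def _finding(account, resource, rule_number, rule_name, evaluation):
    # Field names follow Elastic's CSPM findings documents as understood by the
    # author of this example (assumption: verify against your Findings page).
    return {
        "cloud.account.id": account,
        "resource.id": resource,
        "result.evaluation": evaluation,  # "passed" or "failed"
        "rule.benchmark.rule_number": rule_number,
        "rule.name": rule_name,
    }


# Constructed sample findings for two accounts (illustrative rule numbers/names).
SAMPLE_FINDINGS = [
    _finding("111111111111", "s3-bucket-logs", "2.1.1", "S3 bucket access logging enabled", "passed"),
    _finding("111111111111", "s3-bucket-logs", "2.1.2", "S3 bucket blocks public access", "failed"),
    _finding("111111111111", "sg-web", "5.1", "No security group allows 0.0.0.0/0 to port 22", "failed"),
    _finding("111111111111", "arn:aws:iam::111111111111:root", "1.4", "No root access key exists", "passed"),
    _finding("222222222222", "s3-bucket-backups", "2.1.1", "S3 bucket access logging enabled", "passed"),
    _finding("222222222222", "s3-bucket-backups", "2.1.2", "S3 bucket blocks public access", "passed"),
    _finding("222222222222", "sg-db", "5.1", "No security group allows 0.0.0.0/0 to port 22", "passed"),
    _finding("222222222222", "arn:aws:iam::222222222222:root", "1.4", "No root access key exists", "failed"),
]


def posture_summary(findings):
    """Headline numbers of the Cloud Posture dashboard for a list of findings.

    Assumption: the posture score is the percentage of findings that passed.
    A resource is counted once per account even if several rules evaluate it.
    """
    accounts = {f["cloud.account.id"] for f in findings}
    resources = {(f["cloud.account.id"], f["resource.id"]) for f in findings}
    passed = sum(1 for f in findings if f["result.evaluation"] == "passed")
    failed = sum(1 for f in findings if f["result.evaluation"] == "failed")
    total = passed + failed
    score = round(100 * passed / total, 1) if total else 0.0
    return {"accounts": len(accounts), "resources": len(resources),
            "passed": passed, "failed": failed, "score": score}


def posture_by_account(findings):
    """Posture score per enrolled account, to spot the weakest account quickly."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["cloud.account.id"]].append(f)
    return {acct: posture_summary(fs)["score"] for acct, fs in sorted(grouped.items())}


def failed_findings_for_rule(findings, rule_number):
    """Resource IDs currently failing one benchmark rule: the same set the
    KQL query result.evaluation:failed and rule.benchmark.rule_number:"<n>"
    would match, i.e. what the detection rule below alerts on."""
    return [f["resource.id"] for f in findings
            if f["result.evaluation"] == "failed"
            and f["rule.benchmark.rule_number"] == rule_number]


def detection_rule_payload(rule_number, rule_name, slack_connector_id):
    """Request body for POST /api/detection_engine/rules in Kibana.

    Assumptions: the index pattern matches where your CSPM findings are stored,
    and slack_connector_id is the ID of a Slack connector you already created.
    """
    query = f'result.evaluation:failed and rule.benchmark.rule_number:"{rule_number}"'
    return {
        "name": f"CSPM failed finding: {rule_name}",
        "description": f"Alerts when a resource fails benchmark rule {rule_number}.",
        "type": "query",
        "language": "kuery",
        "query": query,
        "index": ["logs-cloud_security_posture.findings-*"],  # assumption: adjust to your data stream
        "severity": "medium",
        "risk_score": 47,
        "interval": "1h",
        "from": "now-90m",  # overlap the interval so no finding is missed
        "enabled": True,
        "actions": [{
            "id": slack_connector_id,
            "group": "default",
            "action_type_id": ".slack",
            "params": {"message": "CSPM: {{state.signals_count}} failed finding(s) for {{context.rule.name}}"},
        }],
    }


if __name__ == "__main__":
    import json
    print(posture_summary(SAMPLE_FINDINGS))
    print(posture_by_account(SAMPLE_FINDINGS))
    print("failing 2.1.2:", failed_findings_for_rule(SAMPLE_FINDINGS, "2.1.2"))
    print(json.dumps(detection_rule_payload("2.1.2", "S3 bucket blocks public access",
                                            "<slack-connector-id>"), indent=2))
```

The per-account breakdown is the number to watch during a proof of concept: a healthy overall score can hide one account that fails most of its checks. The rule payload is what the Create a detection rule button produces for you in the UI; building it yourself is useful when you want to version rules in source control or create one per benchmark rule in bulk.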

Next steps

Congrats on beginning your Elastic Security journey with Elastic Security for Cloud (CSPM). For more information on CSPM, please review the product documentation. As you get started, be sure to review key operational, security, and data considerations for your deployment to make sure you get the most out of Elastic.