Countering Threats with the Elastic Stack at CERDEC/ARL
APPROVED FOR PUBLIC RELEASE
U.S. ARMY RESEARCH, DEVELOPMENT AND ENGINEERING COMMAND
DR. CURTIS ARNOLD
CHIEF, SUSTAINED BASE NETWORK ASSURANCE BRANCH
CERDEC
25 OCT 2018
Elastic{ON} Tour 2018
SBNAB CORE BUSINESS FUNCTIONS
Vision: Premier Laboratory for the advancement of Cybersecurity at the speed of Cyber.
Mission: Conduct Defense Cyber Operations and research, by leveraging real time operational data through the application of new technologies and advanced analytics to confront the most sophisticated and damaging cyber threats.
Core business functions:
– Cybersecurity Research
– Cybersecurity Tool Development
– Cyber Insider Threat
– Cybersecurity Service Provider (CSSP)
– Army Cyber-research Analytics Laboratory (ACAL)
– Assessments
Integrated Partners: Collaborating with other Cybersecurity Leaders amongst DoD, EDU, and Private Industry
CYBERSECURITY SERVICES
PROTECT
▪ Vulnerability Assessment & Analysis
▪ Vulnerability Management Program
▪ Malware Protection
▪ INFOCON/CPCON
DETECT
▪ Information Security Continuous Monitoring
▪ Insider Threat
▪ Warning Intelligence
▪ Attack Sensing and Warning
RESPOND
▪ Cyber Incident Handling
SUSTAIN
▪ Program Management
▪ Personnel
▪ Security Administration
▪ 24X7 Information Systems and Networks Support
See DODI 8530.01, Cybersecurity Activities Support to DOD Information Network Operations, and the Evaluator Scoring Metrics (ESM), DoD Cybersecurity
CLOUD CSSP OFFERING
• RDECOM CSSP reviewed DOD Cloud CONOPS, ARCYBER Cloud CONOPS, and DOD Cloud Computing SRG for requirements
• IaaS, PaaS and SaaS
• Impact Level 2, 4, 5 Offerings support:
  • Endpoint coverage
  • Vulnerability coverage
  • Cloud Service Provider collaboration
  • Web assessment for annual validation
  • Remote cyber inspection assessment
• Threat Identification
  • Network Flow integration
  • API Calls and Configuration Monitoring
    • Unauthorized sources (such as IP addresses)
    • ACL Changes
    • Large number of Instances (Virtual Machines) being shut down or powered up
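The three API-call and configuration signals listed on this slide, implemented as an added example (this is not the deck's or RDECOM CSSP's code). The audit events, the authorized source ranges, and the CloudTrail-style event names are constructed placeholders; the logic is the same whichever CSP audit log feeds it: a source-address allow-list check, a set-membership check for ACL changes, and a per-user sliding window over instance stop/start calls.

```python
"""Cloud API-call and configuration monitoring over constructed audit events.

Added example, not from the CERDEC/ARL deck. Implements the slide's three
signals: calls from unauthorized source addresses, ACL changes, and bursts of
instances being stopped or started, over a handful of constructed events.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed allow-list of management-plane source ranges (placeholder values).
AUTHORIZED_SOURCES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Event names treated as ACL / network-policy changes (AWS-style names, assumed).
ACL_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}
INSTANCE_POWER_EVENTS = {"StopInstances", "StartInstances", "TerminateInstances"}

# Constructed sample events (UTC timestamps, ISO 8601).
EVENTS = [
    {"time": "2018-10-25T13:00:01Z", "user": "ops-admin", "source_ip": "203.0.113.10", "event": "DescribeInstances", "instances": []},
    {"time": "2018-10-25T13:00:05Z", "user": "ops-admin", "source_ip": "203.0.113.10", "event": "AuthorizeSecurityGroupIngress", "instances": []},
    {"time": "2018-10-25T13:02:00Z", "user": "svc-build", "source_ip": "192.0.2.77", "event": "DescribeInstances", "instances": []},
    {"time": "2018-10-25T13:10:00Z", "user": "ops-admin", "source_ip": "203.0.113.10", "event": "StopInstances", "instances": ["i-01", "i-02", "i-03"]},
    {"time": "2018-10-25T13:11:00Z", "user": "ops-admin", "source_ip": "203.0.113.10", "event": "StopInstances", "instances": ["i-04", "i-05", "i-06", "i-07"]},
    {"time": "2018-10-25T13:13:00Z", "user": "ops-admin", "source_ip": "203.0.113.10", "event": "StopInstances", "instances": ["i-08", "i-09", "i-10", "i-11"]},
    {"time": "2018-10-25T18:00:00Z", "user": "ops-admin", "source_ip": "203.0.113.10", "event": "StopInstances", "instances": ["i-20"]},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def unauthorized_sources(events, allowed=AUTHORIZED_SOURCES):
    """Events whose source address falls outside every allowed range."""
    hits = []
    for e in events:
        addr = ip_address(e["source_ip"])
        if not any(addr in net for net in allowed):
            hits.append(e)
    return hits


def acl_changes(events):
    """Events that modify security groups or network ACLs."""
    return [e for e in events if e["event"] in ACL_CHANGE_EVENTS]


def instance_power_bursts(events, window=timedelta(minutes=5), threshold=10):
    """Per user, flag when >= threshold instances are stopped/started within `window`.

    Returns a list of (user, window_start, instance_count); one alert per user
    is enough for triage, so the scan stops at the first burst for each user.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["event"] in INSTANCE_POWER_EVENTS:
            per_user[e["user"]].append((parse_time(e["time"]), len(e["instances"])))
    bursts = []
    for user, points in per_user.items():
        points.sort()
        start = 0
        for end in range(len(points)):
            while points[end][0] - points[start][0] > window:
                start += 1
            count = sum(n for _, n in points[start:end + 1])
            if count >= threshold:
                bursts.append((user, points[start][0], count))
                break
    return bursts


if __name__ == "__main__":
    print("unauthorized:", [e["user"] for e in unauthorized_sources(EVENTS)])
    print("acl changes:", [e["event"] for e in acl_changes(EVENTS)])
    print("bursts:", instance_power_bursts(EVENTS))
```

The window counts instances rather than calls, since a single StopInstances call can name many instance IDs; the last event at 18:00 sits outside the window and does not extend the burst.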
OUR ROLE AS A CSSP IN THE DOD
We come from Research roots (ARL)
– Using only standard tools for network security analysis has never been sufficient for us
– We are constantly developing and improving tools and techniques for discovering the changing threat landscape
– Always looking to take advantage of new technologies and capabilities in advanced computing and algorithm development
We lead the DoD by ‘solving the hard problems’ that nobody else wants to tackle
THE NEED FOR DISTRIBUTED SEARCH
Traditional network-based sensors are losing their visibility
– Data is more commonly encrypted
– Growing application space necessitates unachievable growth in network data normalization and signature generation
– Defense-in-depth for back-doors into the network
Log data from appliance, OS, and application layers can provide additional insight in support of traditional tools
– Many sources of semi-structured data
Managing and ‘mining’ all these new data sources requires fast, scalable, and robust search and analysis capabilities
CLOUD DATA INGEST
Data is streamed from multiple sources to a central location
– “RAW” data gets saved to cloud storage
– Data gets processed, filtered and enriched
– Data is ingested into the Elastic Cloud Enterprise (ECE) cluster
Diagram: Flow logs from CSP, API logs from CSP, and Application logs -> Data Ingest -> Cloud Storage -> ECE
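A compact version of the raw -> processed/filtered/enriched -> ECE flow on this slide, written as an added example rather than the deck's pipeline. The input is a constructed, VPC-flow-log-like line format (start time, source, destination, destination port, protocol number, bytes, action); the site-to-subnet table and the management-endpoint address are placeholders; the output is the newline-delimited action/document pairs an Elasticsearch `_bulk` request takes, with one index per site so each customer's data stays in its own index.

```python
"""Raw -> processed/filtered/enriched -> ECE, as on the CLOUD DATA INGEST slide.

Added example, not the deck's code. RAW_LINES is a constructed format:
  <epoch start> <src ip> <dst ip> <dst port> <ip proto> <bytes> <ACCEPT|REJECT>
Documents use ECS-style field names; SITE_BY_SUBNET and MGMT_ENDPOINTS are
assumed lookup tables.
"""
import json
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed raw lines, as they would land in cloud storage.
RAW_LINES = [
    "1540472400 10.10.1.5 52.94.10.1 443 6 8200 ACCEPT",
    "1540472401 10.10.1.5 8.8.8.8 53 17 120 ACCEPT",
    "1540472402 10.20.7.9 52.94.10.1 443 6 900 ACCEPT",
    "1540472403 10.99.0.1 52.94.10.1 443 6 0 REJECT",
    "garbage line that will not parse",
]

# Placeholder enrichment tables (assumed, not from the deck).
SITE_BY_SUBNET = {ip_network("10.10.0.0/16"): "site-a", ip_network("10.20.0.0/16"): "site-b"}
MGMT_ENDPOINTS = {"52.94.10.1"}  # placeholder CSP management-API address


def parse_raw(line):
    """Processing step: return a document, or None if the line is malformed."""
    f = line.split()
    if len(f) != 7:
        return None
    try:
        return {
            "@timestamp": datetime.fromtimestamp(int(f[0]), tz=timezone.utc).isoformat(),
            "source.ip": f[1],
            "destination.ip": f[2],
            "destination.port": int(f[3]),
            "network.iana_number": int(f[4]),
            "network.bytes": int(f[5]),
            "event.action": f[6].lower(),
        }
    except ValueError:
        return None


def keep(doc):
    """Filter step: drop flows that carried no payload (rejects, handshake noise)."""
    return doc["network.bytes"] > 0


def enrich(doc):
    """Enrichment step: tag the owning site and whether the peer is a management endpoint."""
    src = ip_address(doc["source.ip"])
    doc["site"] = next((site for net, site in SITE_BY_SUBNET.items() if src in net), "unknown")
    doc["cloud.management_plane"] = doc["destination.ip"] in MGMT_ENDPOINTS
    return doc


def to_bulk(lines):
    """Build an Elasticsearch _bulk body; the index name carries the site so
    customer data is compartmentalized at the index level."""
    out = []
    for line in lines:
        doc = parse_raw(line)
        if doc is None or not keep(doc):
            continue
        doc = enrich(doc)
        out.append(json.dumps({"index": {"_index": f"flows-{doc['site']}"}}))
        out.append(json.dumps(doc))
    return "\n".join(out) + "\n"


def indexed_docs(lines):
    """The documents that would be indexed, for inspection or testing."""
    body = to_bulk(lines).splitlines()
    return [json.loads(entry) for i, entry in enumerate(body) if i % 2 == 1]


if __name__ == "__main__":
    print(to_bulk(RAW_LINES))
```

The unparseable line and the zero-byte reject are dropped before enrichment; a production pipeline would route such lines to a dead-letter index rather than silently discarding them, so that parser gaps are visible.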
SCALABILITY
– The more data sources you have, the more insights and effective analysis can be done
– Ability to do cross-site analysis with data compartmentalization
  • Customer sites see only their own data
  • CSSP analysis can correlate across sites
LATENCY
– “Interactive”-class latency
  • Allows analysts to “hunt” and follow various leads and pivot through data in a continuous thought process
AVAILABILITY
Availability / resiliency
– 24/7/365 operations in support of many different “threads” of analysis
– Maintainable platform without too much overhead
ELASTIC CLOUD ENTERPRISE
ECE enables more coarse-grained separation of data from different sites
– Each customer gets their own cluster and the ability to see their data and administer their user base to some degree.
X-Pack features such as field-level authorization enable different roles within the CSSP or customer groups
Machine learning complements our existing efforts to explore data
HOW WE USE ELASTIC
Policy enforcement
– Data artifacts can directly identify policy violations
– Alerts on collected data support reportable
Anomaly detection: “Hmmm… That looks weird”
– Human and machine anomaly detection
Hunting
– Start with a hunch and interact with data to find interesting activity
Turn these into searches
– Suspicious activities can usually be expressed as a search that can be shared, visualized or “turned into a snort rule”
Programmatic access
– REST APIs are enablers for outside analysis
DETECTING POLICY VIOLATIONS
• Shift to Cloud is still relatively new to the DoD
• Policy alignment with on-prem requirements is sometimes lost in translation to cloud
• We can detect and visualize actions taken on cloud resources where multi-factor authentication has and has not occurred.
• The fact that this type of search and visualization is so quick and easy to render allows our analysts to express and convey the state of security easily to those that are in the position to remediate
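The MFA-present versus MFA-absent split described on this slide, and the "turn it into a search that can be shared" idea from the previous one, as an added example that is not the deck's code. The audit events are constructed in the style of a CloudTrail session-context record with a boolean `mfa` field, and the list of privileged actions is an assumed policy. `mfa_query` builds the Elasticsearch query DSL an analyst would share or pin to a visualization, and `mfa_summary` applies the same logic locally so the two can be checked against each other.

```python
"""Actions on cloud resources with and without multi-factor authentication.

Added example, not from the CERDEC/ARL deck. EVENTS and PRIVILEGED are
constructed; the query body is ordinary Elasticsearch query DSL with a
terms aggregation so the result renders directly as a per-user bar chart.
"""
from collections import defaultdict

# State-changing actions that policy says must carry MFA (assumed policy).
PRIVILEGED = {"DeleteBucket", "PutBucketPolicy", "CreateUser", "AttachUserPolicy", "RunInstances"}

# Constructed audit events: user, API action, whether the session was MFA-authenticated.
EVENTS = [
    {"user": "alice", "action": "ListBuckets", "mfa": True},
    {"user": "alice", "action": "DeleteBucket", "mfa": True},
    {"user": "bob", "action": "ListBuckets", "mfa": False},
    {"user": "bob", "action": "PutBucketPolicy", "mfa": False},
    {"user": "bob", "action": "CreateUser", "mfa": False},
    {"user": "carol", "action": "RunInstances", "mfa": False},
    {"user": "carol", "action": "RunInstances", "mfa": True},
]


def mfa_query(privileged=PRIVILEGED):
    """Shareable search: privileged actions where mfa == false, bucketed by user."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"mfa": False}},
            {"terms": {"action": sorted(privileged)}},
        ]}},
        "aggs": {"by_user": {"terms": {"field": "user", "size": 100}}},
    }


def mfa_summary(events, privileged=PRIVILEGED):
    """Per user: privileged actions with MFA, without MFA, and the offending actions."""
    summary = defaultdict(lambda: {"with_mfa": 0, "without_mfa": 0, "violations": []})
    for e in events:
        if e["action"] not in privileged:
            continue  # read-only calls are out of scope for this policy
        entry = summary[e["user"]]
        if e["mfa"]:
            entry["with_mfa"] += 1
        else:
            entry["without_mfa"] += 1
            entry["violations"].append(e["action"])
    return dict(summary)


def violators(events, privileged=PRIVILEGED):
    """Users with at least one privileged action lacking MFA, worst first."""
    s = mfa_summary(events, privileged)
    return sorted((u for u in s if s[u]["without_mfa"]), key=lambda u: -s[u]["without_mfa"])


if __name__ == "__main__":
    import json
    print(json.dumps(mfa_query(), indent=2))
    print(mfa_summary(EVENTS))
    print(violators(EVENTS))
```

Note that `bob`'s `ListBuckets` call without MFA is not counted: the policy check is scoped to state-changing actions, which keeps the resulting chart focused on what the remediation owner can act on.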
UN-MONITORED CLOUD USAGE
• DoD sites deploying to cloud must have a CSSP for the cloud instance
• Sites accessing cloud management resources in a regular pattern are more likely to have deployed to cloud
• This is distinguishable from sites that merely access other people’s cloud resources
• A simple analysis that is easy to express with data and visualization capabilities and then monitor for unauthorized behaviors
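The regular-pattern analysis on this slide, as an added example (not the deck's code). It assumes per-day, per-site counts of connections to cloud management-plane endpoints versus cloud-hosted content, the kind of aggregate a flow-log enrichment step would produce; a site that touches the management plane on most days of the window is treated as having deployed, while a site that only fetches content from someone else's cloud is not. The registered-CSSP list and the daily records are constructed placeholders.

```python
"""Sites that look deployed to cloud but have no CSSP coverage.

Added example, not from the CERDEC/ARL deck. DAILY holds constructed
(site, day, destination class, connection count) rows for a 14-day window;
REGISTERED_WITH_CSSP is an assumed list of sites with a cloud CSSP.
"""
from collections import defaultdict
from datetime import date, timedelta

WINDOW_DAYS = 14


def build_sample(start=date(2018, 10, 1), window_days=WINDOW_DAYS):
    """Constructed sample: site-a is deployed and registered, site-b is deployed
    (management-plane access on working days) but not registered, site-c only
    consumes cloud-hosted content with two one-off console visits."""
    rows = []
    for i in range(window_days):
        day = (start + timedelta(days=i)).isoformat()
        rows.append(("site-a", day, "management", 40))
        if i % 7 != 6:
            rows.append(("site-b", day, "management", 12))
        rows.append(("site-c", day, "content", 300))
        if i in (3, 11):
            rows.append(("site-c", day, "management", 1))
    return rows


DAILY = build_sample()
REGISTERED_WITH_CSSP = {"site-a"}


def management_day_ratio(records, window_days=WINDOW_DAYS):
    """Fraction of days in the window on which each site reached the management plane."""
    days = defaultdict(set)
    for site, day, cls, count in records:
        if cls == "management" and count > 0:
            days[site].add(day)
    sites = {site for site, *_ in records}
    return {site: len(days[site]) / window_days for site in sites}


def unmonitored_cloud_sites(records, registered=REGISTERED_WITH_CSSP, threshold=0.5):
    """Sites whose management-plane access is regular but that have no registered CSSP."""
    ratios = management_day_ratio(records)
    return sorted(site for site, ratio in ratios.items() if ratio >= threshold and site not in registered)


if __name__ == "__main__":
    for site, ratio in sorted(management_day_ratio(DAILY).items()):
        print(f"{site}: management-plane access on {ratio:.0%} of days")
    print("unmonitored:", unmonitored_cloud_sites(DAILY))
```

Counting distinct days rather than raw connection volume is what separates site-b (a small but steady management-plane pattern) from site-c (a large content volume with only sporadic console visits); the threshold is a tuning knob that an analyst would set from the visualization.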
QUESTIONS
