Building An Enterprise Grade Security Analytics Platform Using Elastic Stack

Trainer Names: Himanshu Kumar Das & Prajal Kulkarni
Title: Building An Enterprise Grade Security Analytics Platform Using Elastic Stack
Duration: 2 Days
Dates: 4^th - 5^th March 2020

Short Abstract

Some of the prevalent top challenges into infosec ecosystem most companies are spending their effort, surfaces from dealing with data leaks, multiple forms of phishing attacks, ransomware attacks and DDoS. In many cases, companies take a reactive approach after an incident breakout. This retrospective provides lots of avenues for the security team to take a blue team approach and move the bar to the proactive side. We are teaching a technical training which will help you to understand on how to start setting up an ELK pipeline and gradually add data points from multiple sources like firewall, application servers, system, etc. to gain more visibility across your organization.

Full Course Abstract

During 2 days of our class:

• We will have very collaborative exercises on each topic from our syllabus between all the participants. Also, enabling participants to apply some of their ideas in the class.
• You will get an in-depth understanding of how to identify the right set of data sources for security analytics, how to correlate and how to enrich those data sources to identify anomalies, all of these from within your organization. We will also cover some real-world case studies(threat intel, pentesting) as well.
• We will take a platform focused approach(cloud/data centers) and teach the class about some of the most popular open source frameworks like MITRE ATT&CK Framework, osquery by integrating these into ELK Stack

At the end of our training, participants will walk away with a VM lab containing all of the custom scripts, custom configurations, slides with all the commands and notes from our training.

Course Syllabus/Outline

Day 1

• Guide to local lab setup (1 hour)
  • Overview of local lab setup (30 minutes)
  • Starting the Lab VM (10 minutes - another 15 to 20 minutes for debugging any technical issues

Prologue on Elastic Stack

• Elasticsearch (1 hour)
  • Terminologies in Elasticsearch (10 minutes)
  • How Indexing works in Elasticsearch (20 minutes)
  • Elasticsearch Plugins (Overview & hands-on) (10 minutes)
  • Exercise - (Elasticsearch API's) (20 minutes)
• Logstash (1 hour)
  • Overview of Logstash components (10 minutes)
  • Understanding logstash configurations (10 minutes)
  • Exercise - (Logstash & Elasticsearch integration) (40 - 45 minutes)
• Grok Filters (30 minutes)
  • Introduction to Grok filters (5 minutes)
  • Pattern matching using Grok filters ( 10 minutes)
  • Exercise - Normalizing Logs using Grok Filters (firewall, web server, Syslog, custom logs, etc.) (20 minutes)
• Kibana (15 Minutes)
  • Overview of Kibana (10 minutes)
  • Elasticseach & Kibana Integration. (5 minutes)
• Beats (1 hour - 1.5 hours)
  • Overview of Beats Libraries (10 minutes)
  • Streaming & Centralizing Events and Logs using Beats Library (30 minutes)
  • Exercise - Collect and correlate logs (Auditbeat, Packetbeat, Filebeat) (40 minutes)
• Elastic Stack as Security Analytics Platform (30 minutes)
  • Best practices - security standpoint (10 minutes)
  • Scaling Elastic stack in production (20 minutes)
• Interpolation of Security Events into Elastic Stack (1 hour)
  • Implementing & Scaling RASP (Runtime Application Security Protection) - ModSecurity (10 minutes)
  • Exercise - ELK integration with ModSecurity. (20 minutes)
  • Case Studies on Layer 4 & Layer 7 attacks (30 minutes)

Day 2

Deep Dive into Kibana

• Visualizations (1 hour)
  • Extended Overview of Kibana. (10 minutes)
  • Exercise - Security Analytics Visualization & Dashboard Management (40 - 45 minutes)
• Alerting (1.5 hours)
  • The significance of alerting. (10 minutes)
  • Evolution of Alerting(From script to feedback based actionable alerts). (20 minutes)
  • Anomaly alerting using Elastalert. (10 minutes)
  • Exercise - Elastalert(Frequency & Spike). (30 - 45 minutes)
• Epilogue - Elastic Stack (15 minutes)
  • X-Pack for Security (10 - 15 minutes)

Approaching Internal Security Threats

• Osquery (1.5 hours)
  • Overview(modes, queries, packs) (20 minutes)
  • osquery for anomaly detection (20 -30 minutes)
  • Exercise - File Integrity Monitoring. (10 minutes)
  • Kolide - osquery in production (Exercise - setup & scale) (20- 30 minutes)
• Telemetry against Red Teaming (ATT & CK) (1 hour)
  • Overview of Kill Chain (10 minutes)
  • Attack Simulation (20 minutes)
  • Mapping ATT&CK using Osquery (30 minutes)
  • Kolide - osquery in production (Exercise - setup & scale) (20- 30 minutes)

Case Study

• Vulnerability Management Using ELK (20 minutes)
• WAZUH & ELK Integration (20 minutes)
• Threat Intelligence using ELK (15 - 20 minutes)

Additional Course Details

Each topic in our course has a story line. We usually start our topics with a basic theoretical explanation and then move on to connecting the topic with a real world use case;includes but not limited to:

• challenges one could face in a setup/configuration
• how to leverage the topic under discussion in an enterprise setup
• strong explanation on what problem could be solved by topic in discussion
• exercise to get an hands-on experience
  E.g. topic: elasticsearch
• We take the first topic of our class on elasticsearch, briefly talk about how elasticsearch project evolved and what problem does it solves. We explain production setup for elasticsearch and challenges one could face during setup/scaling. Next, we move to hands-on and using head plugin we engage with participants to help them understand how indexing happens in elasticsearch via leveraging elasticsearch REST API.

Some of the topics(e.g. shipping logs to central machine) requires us to divide our participants into groups(viz. shipper and indexer) so that participants can understand the concepts easily and enable them to debug challenges they could face during actual production setup.

For topics like alerting where we have 4-5 types of alerting. We explain the configuration/settings and rule for 1 alert type to our participants. Once they are confident, we do a classwork with other rule types and ask participants to do it themselves.

Each topic in our class has a strong emphasis points. E.g. Setup of elasticsearch is very important, similarly, setup of logstash may not be very important but configuration of logstash is crucial. Whereas, alerting the right way is important. During our discussion/exercise, we ensure these key points are being conveyed to participants.

Our VM is preconfigured with setup on elastic stack and we place most of the config file inside VM to ensure we don't spend time in setting up or installing any part of software/code.

We have a local etherpad setup during our training which allows participants to paste their errors, ask questions, share commands so that everyone in class could leverage the information.

Who Should Take This Course:

This training is meant for security enthusiast, DevOps, and companies trying to build an in-house centralize security analytics platform seamlessly. This training will be a great learning to set-up enterprise grade and affordable Security Analytics Platform.

Student Requirements

• Basic understanding of linux and windows commands
• Fundamentals of Network TCP/IP
• Cloud forensics for discovery and attacks
• Basic understanding of python scripting

What Students Should Bring

• A laptop with administrator privileges.
• 30 GB of free Hard Disk Space.
• Ideally 8 GB of RAM but minimum 4 GB
• Laptop should have a working wireless and wired/Ethernet connection.
• Latest Oracle Virtualbox(preferred) or VMWare Workstation or VMWare Fusion installed
• Other virtualization software might work but we will not be able to provide support for that.
• Note: We do not support Windows XP.

What Students Will Be Provided With

• Customize virtual machine with all the course details.
• References to scale Elastic stack in production.
• Slides presented during our training.
• USB drive which has our course virtual machine.

About the trainers

Himanshu Kumar Das

Himanshu Kumar Das is a security architect with expertise on Infrastructure and Payments security. Himanshu has spent most of his career in building in-house infrastructure security platforms and products. He is also passionate about system security and fuzzing. He participates in CTF with team SegFault, has won Nullcon JailBreak 2012 and had been architect for HackIM CTF since 2012. While away from computer, he spends his time playing console and enjoys cooking.

Prajal Kulkarni

Prajal Kulkarni, is a Security Researcher currently working with Flipkart. He is an active member of Null Security Community for the past 3 Years. His area of interest includes Web, mobile and system security. He writes a security blog at www.prajalkulkarni.com and he is also the lead contributor at project Code Vigilant (https://codevigilant.com). Code-Vigilant has disclosed over 200+ vulnerabilities in various WordPress plugins and themes. In the past, he has disclosed several vulnerabilities in the core components of GLPI, BugGenie, Owncloud etc. He has also reported many security vulnerabilities to companies like Adobe, Twitter, Facebook, Google, Mozilla. He has spoken at multiple security conferences and provided trainings at NullCon2015, NullCon2016,NullCon2018, Confidence 2014, Gracehopper 2014 etc.