Security with ELK, How to see everything without dying in the attempt

The current state of cybersecurity means that analysts are now duty bound to keep an eye on everything that happens in their systems: the smallest clue might be a sign that the corporate network is under attack by an APT, infected by a ransomware campaign or exploited by an insider to extract sensitive information. SIEM solutions are the best option for dealing with this amount of information, but their rollout can be a daunting prospect. In this context José Pedro Mayo, GMV’s Head of Solution Design and Architecture, has given a paper in “Elastic{ON} Tour Madrid”, talking about GMV’s experience with these solutions to show the key points to look for in any SIEM and how ELK might cater for them.

Proper data management is a current cybersecurity problem. We need to pick up on the least hint the system might be giving us, doing so with efficient, time-saving tools and ensuring transparency in all we do. The best way to do all this is using a Security Information and Event Management (SIEM) system, which provides unified and holistic management of all security events, helps to comply with standards, boosts visibility and cuts down the number of events to be dealt with.

The ELK Stack, for its part, is a set of high-potential, open-code tools that are combined to create a log management tool that provides for monitoring, consolidating and analysis of logs generated in many different servers. The tools comprised in an ELK stack are: ElasticSearch, a search and analytics engine, Logstash, a server-side data-processing pipeline, and Kibana, an analysis and visualization platform.

Any incident response team needs such data-search and centralized data-storage capacities to detect any incidents and trigger alerts within the organization. In GMV’s experience, Elastic as a SIEM solution caters for all these security event management phases: recording logs of the assets of interest, standardizing unstructured information, allowing its indexing, enrichment with additional data (geolocation, DNS solving, etc.), correlating and detecting anomalies (pooling, categorizing and filtering events), reporting and triggering alerts of various types.