Okay. Yeah. I hope you all had a good lunch and are ready for the next session. Maybe let me introduce myself real quick. My name is Matthias. I'm a solution architect at Elastic and I have a background in security. I worked in computer forensics; I did a lot of computer forensic investigations internationally before joining Elastic. Now I'm a solution architect at Elastic and responsible for all our solutions, so security, search, observability.
So I do all the technical things and help our clients get the most out of the Elastic Stack and Elastic technology. Stephan? Okay, I can also introduce myself. I'm Stephan Hans. I'm running the solution architecture team for Central EMEA, which includes Switzerland, Austria and the Eastern European countries. Matthias is in my team, and I'm super proud that he will give the presentation and later on also the demo.
Yeah, we are happy to have you here. We will start with our presentation, a little bit about:
Hey, what about Elastic? Why are these guys talking about security, right?
And then we give a little bit of background, but all security related, and Matthias promised me that on each slide which does not really relate directly to security he has a comment. And I will challenge him on that one. So we will have a little bit of fun, I think. Matthias, the stage is yours, right? So I'm sitting here waiting for any feedback. Because we're a very small audience and we are all old and wise, you can interrupt us, right?
So don't just go into a nirvana; just ask us if something is unclear or you want to give feedback to us. It's more than welcome. Okay.
Matthias, move on. Okay, then.
Yeah, a bit about the agenda. Before we jump into the live demo, where I will show you a threat hunting experience,
I want to mention some background information about Elastic as the company, the technology behind it, how to get data into the Elastic Stack, how to analyze the data, and definitely about Elastic Security, our security solution on top of the Elastic Stack. In the second half of the workshop, so at 12, at one, no, sorry, at 2:15, we will have a capture the flag.
So it's a workshop which starts very simple and you get to know our solution, and you can participate in the second part, in the capture the flag at 2:15, if you want, if you brought your own laptop. So let me start with a quick introduction. Searching data is growing day by day. I think I read a recent survey that showed that 60% of all the participants of that survey said they spent more time on searching than on writing emails on a daily basis.
So you can see that search is a lot of our daily work, and we see security as a similar problem. It's related to a data problem. So Elastic was founded as a search company in 2012. And since then a lot has changed. Elastic is now a publicly traded company on the New York Stock Exchange. It has now a couple of thousand employees around the world and it's growing day by day. Maybe let me start with a quick question to the audience, maybe in the audience here, and the ones joining virtually can also write into the chat: who of you has used the Elastic Stack before?
So who knows the... okay. Right.
So it's a mixed audience, a mixed answer, I would say. But for those of you who haven't used the Elastic Stack, the chances that you use it in one of our technologies are quite high. So let me give you an example: Uber. If you ever searched for a ride on Uber, then Elastic is what powers the search. So it connects you with the driver, and the engine behind this is powered by Elasticsearch technology. Another example is Yelp.
So if you ever searched for a restaurant on Yelp, let's say a burger place that is open at midnight and only allows credit cards, then that's exactly what Elasticsearch did. So Elastic is hidden under a lot of apps and websites that you probably use on a daily basis, with just a few on this slide. But if you are asking yourself, why is he telling me this? I thought it's about security. Then let me tell you that we actually see security as a similar problem.
So if you have a data incident or a breach or anything else in your company, then you usually have to deal with a lot of data and you have to search the data. You have to find the needle in the haystack in a very short amount of time. So the clock is ticking during such events.
And that's why Elastic is good for that use case, because we have dealt with data since the beginning. So about the technology: the Elastic Stack consists of a couple of layers, and in the middle, in the heart of the Elastic Stack, is Elasticsearch.
This is our heart. This is where we store the data. This is what enables fast searches. So it allows you to search through big amounts of data very fast, and it scales up from a one-node cluster to a 300-node cluster without a problem. Below Elasticsearch we have our Beats; this is our ingest layer. So in a security context, this is important because you probably have to deal with a lot of different sources that you want to ingest.
It might be firewall logs, proxy logs, network devices, applications, and so on. And on top of Elasticsearch and the ingest layer we have Kibana. This is our user interface, our graphical UI.
This is the way your analyst would probably interact with the Elastic Stack. And on top of the whole stack we have our solutions, right? This is Elastic Enterprise Search, Observability, and Security. And today we mostly talk about security, but I just want to mention that all those solutions can be used interchangeably. So sometimes it makes sense to use the security solution although you are working on an observability use case, and the other way around, so it's always a whole package.
You don't have to install different modules or buy different packages; it's one big platform that allows you to do everything. And below that you can see where we deploy our stack. So it can be deployed everywhere. You can install it on a small office server that you have under your desk, but you can also run it in the cloud, on Elastic Cloud, or you can run it in a self-managed way with one of our two orchestration tools.
So it's literally up to you where you want to install Elastic. Elastic as a technology was founded under three principles, and these three principles are speed, scale and relevance. So let's maybe start with the middle one, with scale, in a security context.
You always need a lot of data to work on your security cases. So you need to store a lot of data and you need to keep it for a long time. But what you don't want to do is decide that you cannot keep certain logs for a longer amount of time, or have to decide which logs to keep just because the solution cannot scale. So that's why it's very important in a security context to scale up. Then speed.
Of course, I think a good security operations team needs to react to the cases very fast. So as soon as something hits, you want to be able to detect it in order to prevent further damage. That's why speed is important. And relevance, in the context of security analytics, means you need to find the needle in the haystack, and this could be everything: it could be a security log entry, it could be an external threat intelligence item or something completely different that you want to find.
So all these three principles combined we follow throughout the whole platform. Let me start with data onboarding. So we talked about the stack and how it works, but how do you actually get the data into your platform? In the security world, we want to collect data from various sources. I mentioned that: you probably have your network devices, your applications, you have your proxy servers, your firewalls, and so on, that all produce logs and data that you want to collect in a security context to analyze. And one of the ways to do so is using Beats.
So Beats are our lightweight data shippers, like our small helpers that usually fulfill a certain but single purpose. So for example, there is a thing called Filebeat that ingests files, usually log files, from different sources. There are also different modules available. So for example, for Filebeat, we have 60 or 70 modules available to collect logs from Cisco devices, from MySQL databases, from Redis stores, from Apache and so on, that you can use and that make it very simple to ingest the data. So you just need a couple of clicks and the Beat is running.
There are also other Beats available like Auditbeat for audit data, Winlogbeat for Windows events, Metricbeat for metrics and so on. And we even have more than a hundred, I think now, community-driven Beats that are also available out there. In addition to Beats, we also offer integrations, most of which actually run on Beats, are built on top of Beats. But what they try to do is make the ingest as easy as possible for you. So you simply choose one of the integrations.
If you have, let's say, an Apache web server, you click on the integration and it gives you two commands that you need to run to ingest the data into your Elastic cluster. And the third option, which is our newest invention in terms of data onboarding, is Elastic Agent. So we had situations, on the left side, where one of our clients had to install Filebeat, Metricbeat and Winlogbeat all on the same system because they wanted to collect the data from the logs, the metrics, and also the Windows events into Elasticsearch.
And so they had to install three Beats and had to maintain these three Beats, configure them, keep them up to date and so on. And that's why we decided we want to have one single step which is easy to use, and this is Elastic Agent. So right now you only need to install the agent on one of your machines, and the agent is then centrally managed from what we call Fleet. So as soon as you install the agent on your Linux, Windows, Mac hosts, clients, whatever, you can centrally manage those agents and install integrations on those machines.
So the only thing you need to go to that server for is to install the agent, and after that everything can be done centrally. So you have different integrations available to collect logs, metrics and so on. The main advantage of using one of those solutions I just showed you, the integrations or agent or Beats, is that the data is already normalized. And that's what we call ECS, the Elastic Common Schema. So ECS, normalization in general, is the only way to combine logs or correlate logs from different sources.
So at the beginning, we had things like this on top, where each system has a different way of naming the fields. So the same field on Apache would be called apache2.access.remote_ip and on a different system it would be called maybe source_ip. So what ECS does is normalize all of that into the same syntax. And that's very important in a security context, to write detection rules, to correlate events between different sources and so on. Okay. So now we got the data into the system.
We know how it's stored, but we also need to think about data management. And I said at the beginning, what you don't want to have is a situation where you end up having to decide which logs to collect, or you have to drop logs because it's just too expensive to store them. And that's why we introduced the frozen tier. So in data management, we think of tiers. The data comes in in the hot tier, then moves to a warm tier, a cold tier and eventually the frozen tier. And what frozen allows you to do is store your data very efficiently in cheap object stores.
So something like Amazon S3 or Google Cloud Storage and so on. So you don't have to make decisions on how long you want to store your data based on how expensive it is. It's just lying in an object store, so you can still work with that. And the great thing, besides that it's very cost-effective and still quite fast, is that it's integrated into the solution.
So the analysts don't need to, as we previously did, go to your archives, maybe on a tape, restore the tapes, get the data out of the archives, and put everything back into Elastic. That's all not necessary. The data is just on the frozen tier and can be accessed within our solution the same way as the new data. And this allows you to store data for months, years, as long as you need it. In addition to how long you want to store your data, you also need to think about who has access to the data, which from a security perspective is a very important topic.
So beside your standard security controls like role-based access control or attribute-based access control, we even go one step further. We have a thing called document-level security. So in Elastic, everything is stored in an index, and in an index you have documents.
Each item is a document. And with document-level access control, you can say that a certain role or user only has access to certain documents in your index. So you can set those access controls very fine-grained. And field-level access control is even one step further. So for each document, you can say that a certain role or user only has access to certain fields of that document.
So you could say that, for the users I have in my Elasticsearch index, I want one of my departments to only see the first and last name but not the phone number and email address, things like that. So you are very flexible in how to grant access. Before coming to the security solution and all the details about that, I have two more slides that I want to mention, and this is EQL. So EQL is Event Query Language.
And this is our event-based time series query language that allows you to correlate logs and to build things like detection rules, and it can be used throughout the whole stack, but actually it was created for threat hunting investigations. So here you can see a very simple example where certain authentication events have to occur within a 15-second time span. And it's used for threat hunting and allows you to create detection rules that then would fire, for example, an alert if something like that happens.
So you could generate an alert, you could generate an email that gets sent when something like that happens. And I will show you a couple of those examples in the demo. Another great tool that we use for data analytics is osquery. For those of you who haven't heard of osquery, it's an open source project that allows you, in a SQL-like way similar to database queries, to query your different hosts and operating systems.
So you can query all your hosts for things like: give me all the users that are on that host, or give me all the Windows security patches that are on that host. And you can do that on the fly. It's also fully integrated into Elastic Security, and that can be used for all kinds of different things: for vulnerability detection, for compliance monitoring, for incident investigations. If you have an incident and you need more information about the host, you can use that.
So, yeah, I already talked a lot about the underlying technology, and now I want to focus a bit more on the actual solution, Elastic Security, that is built on top of all the features that I mentioned before. So when talking about security, we don't think of something like a SIEM-only solution. It's rather a lot more. We started with a SIEM, but now it's a lot more: it combines functionalities from SIEM with functionalities from EPP, endpoint protection platform, and from EDR, endpoint detection and response. It combines things from a threat hunting tool.
It combines things from a security analytics platform, and all of these things combined into one single data store with one unified user experience, right? So this shows a bit how we started. We started with the SIEM and then we joined forces with Endgame, which is an endpoint security solution. And we wanted to integrate both of those worlds together. And that's something that we did with version 7.14 that was released this August. So we have a generally available product for SIEM including endpoint detection and response.
So you can do endpoint prevention, detection and response in one platform. And that's what we call XDR, extended detection and response. So I know in the security world everybody loves abbreviations and XDR is another abbreviation. But what it really means is that you can detect and respond, no matter which data you ingest, right?
So, yeah, as I mentioned, we started as a SIEM and the SIEM is still the backbone of everything. So it's still the way we store our data and all the events that happen. But we thought that there has to be more: the SIEM can detect incidents, but we also need to react to those incidents and to those alerts that we have. And that's why we combined it with endpoint security.
And also now with cloud security, because a lot of the devices are now moving to the cloud, and we are not just talking about local endpoints like, you know, Windows devices, but also a lot of Linux cloud environments that we need to monitor. So most people still think of Elastic as the best way to centrally store your security logs. And that's still true.
So that's still possible and it's still true, but we added a lot more to the Elastic Stack within the last months and years. And two of these features are prevention, so you can now stop an attack before it happens, not just detect it but actually stop it, with things like malware and ransomware prevention. And you can not only do prevention but also respond to threats. And those are the things that I explained before: you can do things like on-demand host inspection with osquery or remote host isolation.
So you can even take a host, a laptop, offline if you detect something on that device, and you can take it completely offline from the system. Question: how do you do this? How do you do the host isolation? So does the agent just prevent any other process from communicating with the outside and you still have the management connection available? Correct? Yeah.
So the question was how we do host isolation, and the answer is yes. The agent that runs on that machine has kernel-level access, so it can block everything but still keep a connection up and running with the management interface. So it continuously checks with the orchestrator if there is some command for it to execute on the local platform? Yeah. We can still run commands on that isolated host and we can still take it back online, but it cannot communicate with anybody else on the network.
Is it kind of a push from the orchestration engine to the endpoint, or is it a pull from the endpoint? So they regularly poll the orchestrator and check if there are new commands or new things to do available? Or I don't know in which direction the communication flows in these cases. Okay.
But there is bidirectional communication possible. Yeah. Okay. Yeah, on the host. All right.
So yeah, we can do much more. We can do prevention, we can do response and of course detection, and most people think of Elastic, sorry... In addition to this security solution, Elastic also has a big ecosystem, right?
So on the left side you can see the vendors that provide data source integrations and enrichments into the stack. On the right side you can see the outputs, such as SOAR systems we can connect to, or case management tools or ticketing tools that we can connect to the stack.
And we shouldn't forget our community, because this is where Elastic comes from and where we still benefit a lot from. There are three or four more slides before I will jump into the live demo. And one of them is MITRE ATT&CK, which is very important for me to mention.
It will also be shown during the demo. Probably a lot of you have heard already of MITRE, but it's basically a knowledge base and de facto standard nowadays for characterizing threats into common tactics and techniques based on actual real-world observations. All those tactics and techniques that are used for those attacks are categorized in the columns shown here, and Elastic Security uses the MITRE ATT&CK framework for our detection rules.
So you can basically map your detection rules on the MITRE ATT&CK framework to see how many of those tactics and techniques you have covered in your organization. And you can also use it for getting more information about a certain tactic and technique.
If an alert shows up, you can go into MITRE and read more about that, or your analyst can do that, to get more information about a certain tactic and technique that's being used. Talking about the detection rules: Elastic comes shipped with more than 500 detection rules out of the box that can just be activated. Most of them are annotated with the MITRE tactic that I showed you before. And these detection rules just get activated, and then if they are triggered, they send an alert either via email or via Slack or via MS Teams or whatever you want. Yeah. Correct.
There are also a lot of additional detection rules available in the community if you're interested. And it's fairly easy to build your own detection rules using EQL, the Event Query Language that I showed you before with this authentication example. In addition to detection, we can also prevent, so we can do things like malware and ransomware prevention. We also participate in monthly independent assessments and are certified, for example, by AV-Comparatives for malware detection and response. And last but not least, we can also remediate events.
So we have our own internal case management tool. But if you use other tools like ServiceNow, we can integrate into these ticketing tools. So you can create a ticket if an event shows up, and we can also do things like host isolation and osquery. So if you want to try these things out, you can do that yourself on the Elastic demo, or you can try it out on your own small cluster that you can spin up, or connect to us via Slack, or, most important,
you can participate in the second part, the CTF, the capture the flag workshop that we do in the second part of this workshop. All right. And with that being said, I will jump to the demo.
So maybe it's obvious, but looking at it, I have two things. One is you have so much information. How do you avoid that someone is really downloading all my data over it?
So is the API limiting the access? Because I would be worried that some of my administrators just takes all the data and goes. So what about the... So there are a few things to mention here. The first is role-based access control, document-level security, and field-level security. So you can very fine-level... yeah, you can define what access you want to give. And the other thing is you can do things like audit logging, where you log access to certain events, if you need that.
And the third thing is you can also of course decide where you want to host your data: if you want to host it on premise, if you want to host it in Elastic Cloud, if you want to host it in your own data center or wherever. Just... I have heard of a couple of people having more or less an open system in the Elasticsearch. So that's something maybe we can discuss offline, but I think that's a standard password somewhere. I'm pretty sure you took care of that already. So there were some specific use cases where search databases were found openly on the internet.
I'm not aware of that. Yeah.
But yeah, that's, I mean, as you know, we are... It's not personal, but just, I mean, we have of course a lot of open source rules. We call ourselves open. We can do a lot, but Matthias just presented the basic tier, which is also for free; you can just download it, and you can do what you want with your passwords. Right. And I think there's a default protection built in. So you would not be that alone with the... There is no two-factor authentication, like a token, or... Depends on where. So if you use Elastic Cloud, you can set up two-factor authentication as well. Yeah.
Perfect. Yeah.
So I'm not saying you just did something wrong. It's just, yeah. Yeah. Nice. I see that.
You collect so much information. That's yeah, that's an important topic. Yeah. If you collect a lot of information, you need to think a lot about how to store it securely. Yeah. I'm using it just in a test now, but using this with production data, I see that you are powerful guys already. It's not that I say you did one. It's just, I feel, even if we don't go into the security space, you get even more relevant information. Because if you know who has logged into the system, for example, you can perfectly profile people, for example when they are at work and so on.
So the information you'll get is rather dedicated. Yeah.
No, no. That's true. Yeah.
So always when you have a lot of information in a central place, it's always good to think about that. Especially login information. Yeah. But it's really interesting, because I was unaware that you are going into this direction. Very interesting to see. Yeah, we're coming from search, but we figured that search is everything. We went into logging and observability, and now we are in the security area and we are actually very serious. We just acquired, or joined forces with, as the Americans say, two smaller companies: filtering is one, and the other is cloud.
So we are really serious regarding security. And perhaps what eases you a little bit is that you really have absolutely the freedom where you install Elastic. We are absolutely cloud agnostic. You can run it self-managed in the cloud of your choice, or you can just give us the data and we manage it for you.
And we also do a separation of duties and we have all the needed certifications. The issue I see is that we still have kind of silos.
I mean, I have my VPN network which is saying you are here; now I have my information, the access information; potentially the users are doing something else. And what we really need is a complete picture of the users. So we also have situations where we have many Elasticsearch clusters in different locations. And then we use a thing called cross-cluster search, where we can connect to multiple clusters and they still stay in their own region, but we can connect to multiple clusters and get the big picture overall.
And what I see, for example, is the Microsoft use case really concentrating on this infrastructure point, which you are missing. And it's really interesting what you're doing. Thanks. About the data, I think there's a lot of responsibility. Yeah. Thank you. So let me jump into the demo. Yeah. You can already see my screen. Maybe I make it a bit bigger if it works.
Oops, sorry. So before I guide you through Kibana and the security solution, I want to give you a bit of the background of what we will see in a minute. So this is all based on MITRE. I mentioned it before; it's a tactics and techniques collection and was founded, I think, in 2013. So it collects all different tactics and techniques, but it also collects information about threat actors.
So groups, and in this demo we will look at a group called APT28. So it's a Russian special forces unit that's active since 2004 and allegedly also was compromising the Hillary Clinton campaign back then. It was also responsible for cyber attacks on the German parliament. So in 2014 or 15, the German parliament had to be taken offline because the Deutscher Bundestag was attacked by this certain group. And what they use is different techniques, mostly related to spear phishing.
So you get an email, and in this email there is a link to a malware drop website, or there is a redirect to a website that then steals your credentials. And that's just a bit of background information to the actual investigation we are doing now here. So I'm now in the role of a security analyst for a university.
And they just saw that there are a lot of alerts coming up and I need to investigate those alerts. So the first thing we can see here in an overview is that we have a lot of events collected from various sources, so from Metricbeat, Filebeat and so on. So we have around 1.6 million events in here in this demo platform, and we are looking at a certain timeframe.
This is quite important for the CTF later: you can change the timeframe on top here. We are looking at the timeframe on the 7th of February 2021. For the CTF you have a predefined timeframe, but if you change that it will of course show you a completely different picture. So we are now looking at these 1.6 million alerts. And the first thing we can do is look at the rules. So I mentioned before Elastic comes shipped with 400 plus, with 500 plus rules. So in here we have 480 rules, most of them are activated, and they generate an alert
if something gets detected, and these rules look like this. So here we have an example rule. This is for LSASS memory dump creation. So LSASS is the Local Security Authority Subsystem Service in Windows, and if a memory dump of that gets created, we want to trigger an alert. And you can see here the MITRE ATT&CK annotation. So if you need to read more about this kind of detection, you can do so by just clicking on the button and you end up in MITRE to get more information. And you can also see the actual alert, how it gets created; in this case,
it just looks if a file with a certain name gets created. So quite simple; that's one way of doing that. Another way would be this here: we have another detection rule that does pretty much the same thing. It looks for an LSASS memory dump, but in a completely different way. So it not only looks for a file being created, but also for a process that gets spawned with certain arguments and so on. So it's a more complex or more sophisticated way of doing a similar thing.
And that's also using event correlation. So that's something you could build yourself if you need to create your own detection rules in the system. But let's look at what happened here. So I go to my alerts page and I can see I have a couple of alerts over the last days or last hours. So I have here 26 alerts, and quite different ones. And the first thing I want to show you is the timeline tool. So I can just drag and drop these alerts into my timeline on the bottom of the page, and it will filter for that.
And I think timeline is one of the best features of this whole solution, because it allows you to do things within a couple of seconds that you previously probably had to spend hours on. So I can now create a filter for these three events, and it shows me the details of this alert in a human-readable way. So we can immediately see that this user on these machines started the process via PowerShell and so on. So why do I say a couple of hours? Because if you don't have this solution, you probably have to go to each of the hosts, you have to collect your data.
You have to, you know, filter that data. You have to pass it first because they're all different and not normalized. You have to pass it and then you have to filter it and bring it in a human readable way. And that's what it does here automatically. So depending on the kind of event that you see, so this is a process creation event. This is a file creation process start, and this is file creation event, depending on that we have different renderers and you can see the line differently to give it to, to, to make it really easy for the Analyst to read what happened.
And what we can also do is we can save that timeline to find it later. So I just give it a name first analysis, and I can save it. And of course I can edit to our internal case management tool so we can create a new case for that because we are starting our investigation now. And in this case, we don't know what happened. So I just unknown alert. I just give it a name. I can give it a description. I can even use mark mark here, so I can do all the documentation of my case here and click create case.
And that's a very good way for documenting your investigation, but also collab collaborating within, within the Analyst teams. Alright, in addition to our internal tool, we can also connect to external case management tools. So we have, we have a couple of connectors available. So if your user usually use your Chira or ServiceNow or swim lane, you can just connect it up here and it will then generate a ticket in your external tool if you used to that. But now let's maybe go back to the actual investigation.
So we have seen a couple of alerts here and at the first alert, I want to show you some details is maybe the Melva alert. So there is one Melva detection alert here, and to get more information about what actually happened here, I can feel the details and the details is all the information we have for that certain alert, let me get rid of this. And we can see that in a chasing view or in a table view. And it's really a lot of information. So it's from when the process was started, what started the process and so on and on.
And for me, the great thing about the security tool is we can also see all of this information that is shown here in a graphical way. And it just helps you to get a, a picture of what happens in seconds instead of scrolling through all that stuff.
So, you know, my internet is a bit slow. The question was: for malware, do you have actual agents as well, or is this based on other security suites, collecting their logs and driven by that?
Yeah, so we have Elastic Agent available on the machine, and in general this kind of malware detection alert could have been prevented already on the agent. In this case we let it run, because otherwise we wouldn't have a demo, but yes, we have an agent, and yes, you can already use it for endpoint protection, for malware and ransomware protection. Yep. So as I said, you can get a picture within a few seconds rather than having to scroll through all these different logs.
And you can see at one glance that Windows Word started an Office updater, which again started a couple of other processes, and yeah, Windows Word starting an Office updater doesn't really sound fishy to me, but the Office updater starting Rubeus.exe sounds a bit more fishy. For those of you who haven't heard of Rubeus.exe, it's a tool used for Kerberoasting, and Kerberoasting again is an attack that is used to steal credentials in Windows environments.
And this was probably sent via email, you know, started Windows Word, which started this process, and then Rubeus actually fetched the Windows credentials of high-privileged accounts in the network. And we can see this within a couple of seconds. And when we click on those processes, we can see the details. So for Rubeus.exe we can actually see the arguments it was started with. So it was started with a brute-force argument. It was started with SQLSVC; this is the user they tried to crack the password for, and it was started with a password list.
So in this case it fetches the Kerberos ticket that it gets from Active Directory for the user, tries to crack the ticket, the password of the user, with a password list on the machine itself. So you can do offline cracking or online cracking. In this case it was actually cracked on site. So this malicious process got started. What else can we see here? We can see there are a couple of network events here. There are a couple of files. We can click on the files to see what this reveals: executed, accessed. And one of those files is a thing called SQLSVC.kirbi.
So .kirbi is this Kerberos ticket that I mentioned that they tried to crack. Yeah, let me get out of this analyzer. So we know that Rubeus.exe is responsible. And the next thing is we want to see more about this Rubeus, so we can again use our timeline for that, and get rid of this. And one way to do so is we can just add to our table here. We can add the process name, so we can add as much information as we need, or as we are interested in, to this table. I will add the process name to see hopefully the Rubeus.exe, and here we can see it from this malware alert.
And we can also just drag and drop that into our timeline to get more information on that. Okay. So here we see now we filter for... let's maybe remove the other filters. So now we just filter for Rubeus. We can filter for something else here. We can just filter for Windows 10 for the host name if we want to. So we can drag and drop that in. And we have a timeline that is built for Rubeus.exe and Windows 10 to analyze what happened. And we can see more details and network events being generated here.
All right, for the sake of time I will close this. I will not do the whole investigation that we would do to investigate such an event, but show you just a couple of things.
So one other thing is, at the end of this investigation we would probably see this whoami process, and the whoami process is usually used by attackers to find out what privileges they have. So we can see here that they used PowerShell and executed whoami.exe. And when clicking on whoami.exe, we can see that it runs under the credentials of student DADM. So the attacker eventually got DADM, which in this case, in this environment, stands for domain administrator. So in the end the attacker actually got domain administrator rights here.
And we can see that as well in this case analyzer. So the last thing I want to show you is one thing I mentioned at the beginning: you can actually use every feature of the Elastic Stack. And right now we only looked at alerts, we looked at rules, we looked at timeline and case tools, but this is all in the security solution. And you have all your solutions available here. So in some cases it makes sense to switch between those solutions. And one of the standard things that we have is Kibana, and we have analytics there.
So we can actually use that for our investigation purposes. And one way to do so is using Kibana Lens. So we can create a visualization with Lens. And I just like Lens because it's super easy to use. It's basically just drag and drop and you have your visualization, and it's also very helpful during investigations. So in this case we look at our logs index pattern, and we can just drag and drop certain fields in here. So if we are interested in, I don't know, let's say the host IP address, we can just drag and drop this in here.
And we can see in this timeframe which hosts were active and the distribution of the IP addresses. So here I get the top five IP addresses and I can immediately see them. And I can also change the style here.
And I can add additional things, like, I don't know, another field. Let's take the network protocol maybe, and you can see for each host that we have which network protocols it used. And that's quite a simple tool which will also help you during the CTF if you want to participate. But let me quickly recap what we saw. So we now know that the Kerberoasting thing was used; it is a tool to steal credentials of a service account. We detected that the attacker actually got domain administrative rights.
We saw how you can create detection rules, what kind of detection rules we have, how the alerts look. We saw the timeline tool, case management, internal and external tools, and yeah, everything powered by the MITRE ATT&CK framework. And in the end also a visualization tool, how you can use Kibana Lens to help you during your investigation. Yeah, I think that's pretty much what I wanted to show you. I hope it was an interesting example. If you have any questions I'm here, and if not, I hope you want to participate in the second part.
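As an added example (not part of the talk, and not Elastic's shipped rules, which are written in EQL/KQL rather than Python), here is the logic of the two LSASS-dump rule styles the speaker contrasts, a plain file-name match versus a correlated process-then-file sequence, plus a process-argument rule for a Rubeus kerberoast invocation, run over a handful of constructed ECS-like events. Host names, user names, file paths, the dump-tool argument strings and the Rubeus argument names are assumptions made for the illustration; the point is that the simple rule also fires on a benign crash dump, while the correlated rule only fires when a dump-tool process precedes the file on the same host.

```python
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
Rule = Callable[[Event], bool]

# Constructed sample telemetry in a simplified ECS shape (not real demo data).
# Hosts, users, paths and argument strings are assumptions for this example.
EVENTS: List[Event] = [
    {"@timestamp": "2021-02-07T10:00:00Z", "host": "win10-01", "category": "process",
     "user": "student", "process": "WINWORD.EXE", "parent": "explorer.exe", "args": []},
    {"@timestamp": "2021-02-07T10:00:05Z", "host": "win10-01", "category": "process",
     "user": "student", "process": "Rubeus.exe", "parent": "OfficeUpdate.exe",
     "args": ["kerberoast", "/user:sqlsvc", "/outfile:sqlsvc.kirbi"]},
    {"@timestamp": "2021-02-07T10:00:06Z", "host": "win10-01", "category": "file",
     "user": "student", "process": "Rubeus.exe", "file": "C:\\Users\\student\\sqlsvc.kirbi"},
    {"@timestamp": "2021-02-07T10:02:00Z", "host": "dc-01", "category": "process",
     "user": "student_dadm", "process": "procdump.exe", "parent": "powershell.exe",
     "args": ["-ma", "lsass.exe", "C:\\Windows\\Temp\\lsass.dmp"]},
    {"@timestamp": "2021-02-07T10:02:03Z", "host": "dc-01", "category": "file",
     "user": "student_dadm", "process": "procdump.exe", "file": "C:\\Windows\\Temp\\lsass.dmp"},
    # Benign: a dump file named after lsass written by a crash-reporting process,
    # with no preceding dump-tool invocation on that host.
    {"@timestamp": "2021-02-07T10:30:00Z", "host": "win10-02", "category": "file",
     "user": "SYSTEM", "process": "WerFault.exe", "file": "C:\\ProgramData\\lsass.dmp"},
]


def _ts(event: Event) -> datetime:
    return datetime.strptime(str(event["@timestamp"]), "%Y-%m-%dT%H:%M:%SZ")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_lsass_dump_file(event: Event) -> bool:
    """Simple rule: a file named lsass*.dmp was created. No process context."""
    if event["category"] != "file":
        return False
    name = _basename(str(event["file"]))
    return name.startswith("lsass") and name.endswith(".dmp")


def is_lsass_dump_process(event: Event) -> bool:
    """A process started with arguments targeting lsass for a full memory dump.
    The '-ma' / 'minidump' checks are illustrative assumptions, not a complete list."""
    if event["category"] != "process":
        return False
    args = [str(a).lower() for a in event["args"]]
    targets_lsass = any("lsass" in a for a in args)
    dump_flag = "-ma" in args or any("minidump" in a for a in args)
    return targets_lsass and dump_flag


def is_rubeus_kerberoast(event: Event) -> bool:
    """Process rule: Rubeus invoked with a 'kerberoast' action (argument name assumed)."""
    if event["category"] != "process":
        return False
    args = [str(a).lower() for a in event["args"]]
    return str(event["process"]).lower() == "rubeus.exe" and "kerberoast" in args


def sequence(events: List[Event], first: Rule, second: Rule,
             window: timedelta, by: str = "host") -> List[Tuple[Event, Event]]:
    """Correlate a 'first' event followed by a 'second' event with the same `by`
    field value within `window`. One pair per matching second event."""
    ordered = sorted(events, key=_ts)
    pairs: List[Tuple[Event, Event]] = []
    for j, later in enumerate(ordered):
        if not second(later):
            continue
        for earlier in ordered[:j]:
            gap = _ts(later) - _ts(earlier)
            if first(earlier) and earlier[by] == later[by] and timedelta(0) <= gap <= window:
                pairs.append((earlier, later))
                break
    return pairs


def run_rules(events: List[Event]) -> Dict[str, List[Dict[str, str]]]:
    """Evaluate the three rules and return alerts keyed by rule name."""
    alerts: Dict[str, List[Dict[str, str]]] = {
        "lsass_dump_file_simple": [], "lsass_dump_correlated": [], "rubeus_kerberoast": []}
    for e in events:
        if is_lsass_dump_file(e):
            alerts["lsass_dump_file_simple"].append({"host": str(e["host"]), "detail": str(e["file"])})
        if is_rubeus_kerberoast(e):
            alerts["rubeus_kerberoast"].append(
                {"host": str(e["host"]), "detail": " ".join(str(a) for a in e["args"])})
    for proc, f in sequence(events, is_lsass_dump_process, is_lsass_dump_file, timedelta(seconds=60)):
        alerts["lsass_dump_correlated"].append(
            {"host": str(f["host"]),
             "detail": f"{proc['process']} {' '.join(str(a) for a in proc['args'])} -> {f['file']}"})
    return alerts


if __name__ == "__main__":
    for rule, hits in run_rules(EVENTS).items():
        print(f"{rule}: {len(hits)} alert(s)")
        for hit in hits:
            print("   ", hit["host"], hit["detail"])
```

Running it shows the trade-off the speaker describes: the file-name rule fires twice (the real dump on dc-01 and the benign WerFault dump on win10-02), while the correlated rule fires only on dc-01, where a dump tool targeting lsass ran seconds before the file appeared. The Rubeus rule fires once, on the process spawned from the Office updater.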
Can... No, you need to have a laptop for that. Yeah, it's probably not very good to run on a mobile. Yeah. If you cannot try it today, maybe we can find some other slot where you can. Some questions? We'll certainly find someone.
Okay, cool. Some questions from the audience. Yeah. Have you thought about using this like... There are a lot of external, you know, there are a lot of people using us in the open community and also on the commercial side. And there are definitely projects that use us as a honeypot system. Yeah. Because that's exactly what I always wanted to try, having something AI-style, like a center approach, understanding technical systems. Yeah.
I have read about projects where they use the Elastic Stack as the underlying technology for building honeypots. Yeah. That's really interesting, Phil. Yeah.
That really was a very amazing presentation. I'm really surprised, because when I think about Elasticsearch, I always think about databases. And I think from his presentation it was quite clear that this is a little bit of our story. The roots are search. You can search data, you can start searching metadata like log files, performance data and metrics. And then you say, okay, I cannot just search metadata on the regular stuff, I can also see the bad stuff.
So this is why we went into security, and we have mainly been driven in the past by the open source community. So our roots are still open, right.
And a lot of the stuff you see here we actually can do with the basic edition already. So this is the first time even endpoint protection on the device, which you can run in the free tier, in the basic tier. Of course we would like to sell you the platinum or gold editions, or even enterprise, of course.
But again, security is also in the basic tier. Yeah. Do I have the possibility to log the communication as well? So the idea would be just a web service.
And I would be not only interested in logs, but in the HTTP content, the packets. Yeah. Yeah.
We have different beats, one of which is Filebeat, which would collect the logs. We have Metricbeat to collect the metrics, and we also have Packetbeat, which collects network data. Yeah. And so if I provide you the HTTPS key, I would even be able to log the communication? You mean to decrypt the HTTPS connection with that? Technically that's possible. But I'm trying to understand if you have a use case in mind, or if you say it doesn't make sense.
No, I mean, you can definitely collect HTTP traffic. Yeah. Okay. With Packetbeat. For the next step, because specific systems are difficult to... I'm more interested in... Shall we use that? Sorry. Maybe for the virtual audience: I have some systems with log files which are not really meaningful.
And my idea would be to log the user data, to really see what the user is seeing. Okay. And then to use your database for this HTTPS. Well, perhaps I turn your question around and ask you something, because we see that observability is a wide spectrum. It's called end-to-end monitoring. We have synthetics, we have real user monitoring, we have application performance monitoring. So we have all the observability disciplines as well. Right. So here we are in the security environment, the security leadership summit. Right. Okay.
We talk about security stuff. So you have something... exactly. We have the same technology which Matthias just showed, the agent and the fleet and the beats. The fleet agent is exactly the same technology we developed for normal logging and application performance monitoring stuff. So we will see a merge in the near future of the security disciplines together with monitoring and observability. Yeah. Yeah. But the point is you already log application HTTPS traffic as well.
We are, if I want to... oh yeah, you can, with Packetbeat. Yeah. Perfect. Because that's what I... We don't call that security. We call this observability: APM and user monitoring and synthetics and all this. This is a different discipline, but my team is also ready to support you in this regard.
So, yeah. Interesting. So I definitely have to update myself. Yeah. Yeah. Thanks. Thank you. Any other questions? If nothing else, then I would say we make a quick break and start at 2:15 for the second part. And thanks for your attention. Welcome to the second part of this workshop, your CTF. I will start with a quick introduction, 15 minutes, to give you a bit of detail around the CTF. And then I will start the CTF for you, and you have one hour to complete it. And after that we have a small awards ceremony. So there are some awards for the first three winners. How does the CTF work?
You have 30 challenges to solve. Each challenge gives you 10 points. There are optional hints that you can take, but they cost you five points per challenge. It looks like this. So this is the first challenge. And when you click on it, you see the details that you have to fulfill and the flag that you have to submit. So you just have to enter your flag here and click submit. And if you want to use one of the hints, you click the view hint button. There are a couple of hints, especially the first ones, that are for free.
If the hint costs five points, it will be mentioned in here as well. So you will see it before you give up your five points. So 30 challenges, 10 points each, minus five points for a hint, and you must solve the challenges one by one. So the next one is activated as soon as one of them is finished. The top three will win. So if there are people having the same points, then we will take the people that got there first. And I can also give you access to the CTF after the hour.
So after one hour we'll pause it to name all the finalists, but I will reactivate it after that. So if you want, in the evening or later today, or tomorrow, you can finish your challenges
if you don't manage it in time. Alright, you will need some things during the challenge, like the time picker or the timeline tool that I showed during the demo before. And yeah, if you see some warnings, ignore them. So there might be some warnings, because the whole cluster that you're using is in read-only mode. You can probably imagine why we had to put it in read-only mode during the CTF. So just ignore the warnings. I will show the scoreboard during the CTF.
And yeah, I think that's about it. Is anyone here who already participated in a CTF, or already did this CTF? Because you are free to try it again, but if you do so, please let me know,
so we can make it fair for everybody, especially for the winners. So if you already participated, just let me know in the chat or here. Alright, then I'll show you how it works. So you have to open two URLs. One of them is Kibana. As soon as you open it, you'll see four different spaces. So in Kibana we have spaces that just group together certain objects and dashboards, and you step into the role of a managed service provider. So you work for four companies that are shown here. So you have Elastic Shield, SOC Little Farmers, With Crypto and Three BS.
These are the four companies that you work for. And the first couple of CTF challenges are for the first company, the second ones for the second company,
and so on. It will all be mentioned in the CTF challenge itself. So just a bit of background info: you work for an MSP and you have challenges for different companies that you have to fulfill. You need to open two tabs. One of them is Kibana, where you can do all the analysis. And one of them is our CTF challenge board, where you get the actual challenge, the hint if you need one, and where you can submit your flag. To participate, you need to register with a username, email and password. So username, you can choose whatever you want.
Just know that it will be shown on the scoreboard. You don't have to use your real name. Email is not validated. It's just important to have it in case you win, because then we want to send you the prize. So in this case I suggest using the real one. And password, whatever you want. When you log in, it looks like this. You have the challenge, you click on the challenge,
you see the challenge itself. You see the hint button where you can get a hint if you want to, and you can submit your flag. If there's nothing mentioned next to "view hint", then it's for free. If it costs five points, then it will be mentioned here in brackets after "view hint". The second tab you will open is Kibana. And for logging into Kibana, you need to click the first button and enter the username and password I will tell you in a minute. Click login.
That's pretty much it. Any questions so far? If not, I will share the login details with you on the next slide, and you can already log in after that. I have paused the CTF right now. It's in pause mode, so you cannot submit any flags. Yeah. Any questions? Nope. All right, then this is the link. I'm not sure... I will copy it to the... sorry, I will also copy it to the chat. Nope. Yeah.
That's... it's bad from the presentation mode, but let me go to this one. So that's the link for Kibana, and that's the username and password, and that's the link for the... okay. So the left side here is Kibana. You enter with this link and with the username and password. So this is ELA dot slash E minus sec minus CTF minus, and that's the username and password. And on the right side you have your CTFd access with this site password here. So those two tabs you need to open and log in. I will also post it in the chat to you so you have the links. Yeah. Okay. I'll leave it open for a minute.
And then I will start the actual CTF. Okay. Then I will just start the actual CTF, and that's about it. And I will set the time. So you have until 15:36 to complete your challenges.
So at 15:36 we will stop, and then we will do the closing ceremony. I've paused the CTF now for everybody and would like you to give me one or two minutes, and then I will announce the winners. After that I can reactivate the CTF, so in case you want to finish your challenges, I can give you until this evening or even tomorrow. So you can work on the challenges, but I just pause it right now, so you cannot submit anything right now until I unpause it. So I'm back in a minute or two. Okay. So yeah, thank you for participating in the CTF. I hope you learned something.
I hope you found it interesting, had some fun, not just frustration. And I want to congratulate our three winners. To be honest, we have four. The third rank is Stephan and Fama. They scored the exact same number. I need to actually check who was first, but you both scored the same number. So congratulations. Second place is PK, and the winner is PAC. So very well done. Congratulations to the winners. We will send the prizes to you. I hope you gave the right email addresses so we can contact you.
And yeah, if you have any questions, feel free to connect with us via LinkedIn or other ways. And yeah, I wish you a nice afternoon. Thank you.