Security Events Logging at Bell with the Elastic Stack
Sylvain Proulx
Mathew Vandystadt
October 2018
Who we are

Sylvain Proulx
• 18 years in security
• Senior Security Manager

Mathew Vandystadt
• 5 years in security
• Security Specialist
• Software Engineer
Our Mission
• Ingest all security logs
• Enrich, normalize, analyze, and contextualize them
• Automate
• Build detection driven by threat models
• Visualize security data
What's going on: our current challenges
Challenges
• The volume of logs keeps increasing
• Normalization of many new types of logs
• No one-stop solution for our needs

Challenges
• More data means more alerts
• A limited number of analysts
• Limited detection mechanisms

Challenges
• Share logs between different branches
• Own our security data
• Secure the data
An in-depth look at our solution: building our pipelines
Building One Piece at a Time: End to End Solution
1. Logging
2. Data engineering
3. Log storage and long-term retention
4. Visualization and alerting
Where Our Data Comes From
• Bare metal servers
• Virtual machines
• Containers
Requirements For Our Log Shippers
• A simple way to ship logs
• Something that can buffer logs in case of an outage
• Something lightweight that still lets us perform light filtering at the source
• Something uniform throughout our fleet
• Automated deployment capability
Filebeat and Winlogbeat
• One generic Beats configuration per service logged
• Simple installation and configuration
• Minimal impact on systems
• No loss of data in case of a network outage (Beats keep their read position in a registry and resume once the link is back)
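The shipper requirements above map onto a small Filebeat configuration. The following is an added example written for this page, not Bell's configuration: broker hostnames, certificate paths, the topic naming scheme and the noise patterns dropped at the source are all assumptions. It shows a per-service input, light filtering before the line leaves the host, and a Kafka output that authenticates with a client certificate so that Beats never write to Elasticsearch directly.

```yaml
# filebeat.yml (added example; hostnames, paths, topic names and filters are assumptions)
filebeat.inputs:
  # One generic input block per logged service; this one covers Linux auth logs.
  - type: log
    enabled: true
    paths:
      - /var/log/auth.log
      - /var/log/secure
    fields:
      service: linux-auth        # used downstream to select the right parser
      env: prod
    fields_under_root: true
    # Filebeat records the read offset of every file in its registry, so after a
    # crash or a network outage it resumes where it stopped instead of dropping
    # lines or re-reading whole files.
    close_inactive: 5m
    ignore_older: 24h

processors:
  # Light filtering at the source: drop lines that are known noise before they
  # leave the host. Keep this list short; real normalization belongs in Logstash,
  # and anything dropped here is gone for good.
  - drop_event:
      when:
        or:
          - contains:
              message: "pam_unix(cron:session)"
          - regexp:
              message: "systemd-logind\\[[0-9]+\\]: (New|Removed) session"
  - add_host_metadata: ~

output.kafka:
  hosts:
    - "kafka-1.sec.example.net:9093"
    - "kafka-2.sec.example.net:9093"
    - "kafka-3.sec.example.net:9093"
  topic: "beats-%{[service]}"        # one topic per service, e.g. beats-linux-auth
  partition.round_robin:
    reachable_only: true
  required_acks: 1                   # wait for the partition leader to acknowledge each batch
  compression: gzip
  max_message_bytes: 1000000
  # Mutual TLS: the shipper presents a client certificate and verifies the brokers
  # against the internal CA, so a rogue host cannot inject events into the topic.
  ssl.certificate_authorities: ["/etc/filebeat/certs/internal-ca.pem"]
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
  ssl.verification_mode: full
```

Winlogbeat uses the same `processors` and `output.kafka` sections; only the input differs (`winlogbeat.event_logs` with the channel names and, where useful, an `event_id` list in place of `filebeat.inputs`). Because the whole file is generic per service, it can be templated by the configuration management tool and rolled out to the fleet unchanged.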
Adding Beats to Our Architecture Diagram (diagram slide)
Being an ISP
Different data sources to consider that other businesses don't
• A large quantity and variety of network devices
• Unique ISP applications
• Logs also come from security devices
• Network devices can be very chatty
What If Beats Can't Handle Special Cases?
• Most of the devices send logs only via syslog
• Losing data is not an option
• We need to receive data from geographically diverse locations
Rsyslog
• Add Rsyslog servers close to the data sources
• They act as a buffer
• Basic parsing and serialization of logs to JSON in Rsyslog
• Send logs to our security data center over TCP to minimize the risk of data loss
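A relay that does exactly what the slide describes looks like the following. This is an added example for this page, not Bell's configuration: the listener ports, the target hostname, the queue sizes and the certificate paths are assumptions. The JSON template gives every device the same envelope, and the disk-assisted queue on the forwarding action is what turns "send over TCP" into "do not lose data when the link or the receiver is down".

```rsyslog
# /etc/rsyslog.d/50-security-relay.conf (added example; hosts, ports, paths are assumptions)
global(workDirectory="/var/spool/rsyslog"
       DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/internal-ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/relay.pem"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/relay-key.pem")

# Listen for syslog from the network and security devices of this site.
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" ruleset="relay")
input(type="imtcp" port="514" ruleset="relay")

# Serialize each message as one JSON object per line. option.json="on" escapes
# quotes and control characters in the property values, so a crafted log line
# cannot break the framing or smuggle extra fields into the record.
template(name="sec_json" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")  property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"relay\":\"")     property(name="$myhostname")
    constant(value="\",\"source_ip\":\"") property(name="fromhost-ip")
    constant(value="\",\"host\":\"")      property(name="hostname")
    constant(value="\",\"facility\":\"")  property(name="syslogfacility-text")
    constant(value="\",\"severity\":\"")  property(name="syslogseverity-text")
    constant(value="\",\"program\":\"")   property(name="programname")
    constant(value="\",\"message\":\"")   property(name="msg" droplastlf="on")
    constant(value="\"}\n")
}

ruleset(name="relay") {
    # Forward over TCP with TLS to the security data center. The linked-list
    # queue holds messages in memory and spills to disk (queue.filename under
    # workDirectory) when the target is unreachable; saveonshutdown keeps what is
    # queued across a restart, and resumeRetryCount=-1 retries forever rather
    # than discarding after a fixed number of attempts.
    action(type="omfwd"
           target="syslog-in.sec.example.net" port="6514" protocol="tcp"
           template="sec_json"
           StreamDriver="gtls"
           StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="syslog-in.sec.example.net"
           queue.type="LinkedList"
           queue.filename="sec_relay_q"
           queue.maxdiskspace="8g"
           queue.saveonshutdown="on"
           action.resumeRetryCount="-1"
           action.resumeInterval="10")
}
```

The same relay can write straight to the message queue with `omkafka` instead of `omfwd`, using the same template and the same queue parameters; which one to use depends on whether the site has direct reachability to the brokers. Size `queue.maxdiskspace` from the site's peak message rate times the longest outage you are willing to bridge, and monitor disk usage on the relay: a full queue is the one case where this configuration starts discarding.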
Adding Rsyslog to Our Architecture Diagram (diagram slide)
Building One Piece at a Time: 2. Data engineering
Incoming Logs
Our past experiences and requirements
• All logs are serialized in JSON
• The ability to sustain large spikes of traffic without over-provisioning
• Buffer data to allow for higher availability
• Data accessible to multiple consumers
Kafka as Our Message Queue
Our past experiences and requirements
• Kafka lets us absorb spikes of logs
• Provides data buffering when a downstream component has problems
• Provides controls to share data securely with other teams, using open formats
• JSON messages need no special handling: Kafka is payload-agnostic
• Rsyslog and Beats can both write to Kafka
Adding Kafka to Our Architecture Diagram (diagram slide)
Parsing and Normalizing
Our past experiences and requirements
• Use resources efficiently by taking advantage of auto-scaling
• Every unique technology requires its own set of configuration for parsing and normalization
• Needs CI/CD integration for ease of testing and deployment
Logstash on OpenShift
Logstash containers
• We decided to run all our Logstash instances on OpenShift
• Containers consume fewer resources than multiple virtual machines
• We get auto-scaling through OpenShift
• We can scale quickly by adding more nodes to our OpenShift cluster if needed
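One pipeline per technology is the unit that gets containerized, tested and deployed. The following is an added example written for this page, not one of Bell's pipelines: the topic name, the field layout, the index naming and the credentials (read from environment variables) are assumptions. It consumes JSON events for one service from Kafka, normalizes the syslog envelope and one technology's messages (sshd authentication) into a stable field layout, and tags rather than drops anything it cannot parse, so that parser coverage stays measurable.

```logstash
# pipelines/linux-auth.conf (added example; topic, fields, index name and credentials are assumptions)
input {
  kafka {
    bootstrap_servers => "kafka-1.sec.example.net:9093,kafka-2.sec.example.net:9093"
    topics            => ["beats-linux-auth"]
    group_id          => "logstash-linux-auth"   # every replica of the deployment joins this consumer group
    codec             => "json"                  # the shipper already emits one JSON object per event
    security_protocol => "SSL"
    ssl_truststore_location => "/etc/logstash/certs/truststore.jks"
    ssl_truststore_password => "${KAFKA_TRUSTSTORE_PASS}"
    ssl_keystore_location   => "/etc/logstash/certs/logstash.jks"
    ssl_keystore_password   => "${KAFKA_KEYSTORE_PASS}"
  }
}

filter {
  # Split the syslog envelope: timestamp, host, program[pid]: message.
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_ts} %{SYSLOGHOST:[host][name]} %{DATA:[process][name]}(?:\[%{POSINT:[process][pid]:int}\])?: %{GREEDYDATA:syslog_msg}" }
    tag_on_failure => ["_grok_envelope_failed"]
  }
  # Syslog timestamps carry no year; the date filter fills it in from the current date.
  date {
    match  => ["syslog_ts", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss"]
    target => "@timestamp"
  }

  # Technology-specific normalization: sshd authentication events.
  if [process][name] == "sshd" {
    grok {
      match => { "syslog_msg" => [
        "^Failed password for (?:invalid user )?%{USERNAME:[user][name]} from %{IP:[source][ip]} port %{POSINT:[source][port]:int}",
        "^Accepted %{WORD:[auth][method]} for %{USERNAME:[user][name]} from %{IP:[source][ip]} port %{POSINT:[source][port]:int}"
      ] }
      tag_on_failure => ["_sshd_unparsed"]
    }
    if "_sshd_unparsed" not in [tags] {
      if [syslog_msg] =~ /^Failed password/ {
        mutate { add_field => { "[event][category]" => "authentication" "[event][outcome]" => "failure" } }
      } else {
        mutate { add_field => { "[event][category]" => "authentication" "[event][outcome]" => "success" } }
      }
    }
  }

  # Unparsed events still reach the index, tagged, instead of being dropped silently.
  # The original [message] is kept for forensics; only the scratch fields go.
  mutate { remove_field => ["syslog_ts", "syslog_msg"] }
}

output {
  elasticsearch {
    hosts    => ["https://es-ingest.sec.example.net:9200"]
    user     => "logstash_writer"                 # a role limited to writing logs-* indices
    password => "${ES_WRITER_PASS}"
    cacert   => "/etc/logstash/certs/internal-ca.pem"
    index    => "logs-linux-auth-%{+YYYY.MM.dd}"  # daily indices are the unit later moved hot -> warm -> snapshot
  }
}
```

Feeding a handful of sample lines through this pipeline and asserting on the resulting fields (`user.name`, `source.ip`, `event.outcome`, and the absence of the `_sshd_unparsed` tag) is exactly what the rspec step in the CI pipeline should check before a merge request is allowed to ship a new parser.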
Adding OpenShift and Logstash to Our Architecture Diagram (diagram slide)
Logstash on OpenShift
Logstash CI/CD
• Centralize configurations in GitLab
• GitLab lets us create CI pipelines quickly
• Run Logstash configurations through rspec for testing
• Review, then deploy to production on merge requests
• OpenShift provides the ability to build CD pipelines
Adding CI/CD to Our Architecture Diagram (diagram slide)
Building One Piece at a Time: 3. Log storage and long-term retention
Log Storage
Our past experiences and requirements
• Most of the searching is done on the same day the data arrives
• Documents need to be easily searchable for the previous 90 days
• Horizontal scalability
• Highly available and redundant data
Log Storage
Elasticsearch
• No real surprise: we store our logs in Elasticsearch
• A hot-warm architecture is the best fit for our requirements: today's indices on fast hot nodes, older indices on cheaper warm nodes
• Our process allows for automated deployment of new nodes
• Elasticsearch provides the required HA and redundancy
Adding Elasticsearch to Our Architecture Diagram (diagram slide)
Long-Term Data Retention
Our past experiences and requirements
• For forensic and legal reasons, data needs to be stored for a minimum of 12 months
• It needs to be stored outside of the Elasticsearch cluster
• Fast retrieval of data back into the existing Elastic cluster
• Minimize the cost of the long-term storage solution
Long-Term Data Retention
S3 object storage
• OpenStack Swift lets us store our index snapshots in object storage
• We reuse Elasticsearch's S3 snapshot repository plugin against Swift's S3-compatible API
• Acceptable retrieval times
• Curator automates the snapshots
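The hot-warm layout and the snapshot-to-Swift retention described on the last few slides are both driven by one Curator action file. The following is an added example for this page, not Bell's configuration: the index prefix, the `box_type` attribute values, the repository name and the day counts are assumptions. It assumes the nodes carry `node.attr.box_type: hot` or `warm` in elasticsearch.yml, that new indices are created with `index.routing.allocation.require.box_type: hot` through an index template, and that a repository named `swift-security-archive` of type `s3` has been registered with its endpoint pointed at the Swift S3 API.

```yaml
# curator/actions/security-lifecycle.yml (added example; prefix, attribute values,
# repository name and retention periods are assumptions)
actions:
  1:
    action: allocation
    description: >-
      Move daily indices older than 3 days off the hot (ingest, SSD) nodes onto the
      warm nodes. Searches in the last 90 days still hit them; they just no longer
      compete with today's indexing load.
    options:
      key: box_type
      value: warm
      allocation_type: require
      wait_for_completion: false
    filters:
      - filtertype: pattern
        kind: prefix
        value: logs-
      - filtertype: age
        source: name
        direction: older
        timestring: '%Y.%m.%d'
        unit: days
        unit_count: 3
  2:
    action: snapshot
    description: >-
      Snapshot indices that are 1 to 3 days old into the S3-compatible repository
      backed by OpenStack Swift. Snapshots are incremental at the segment level,
      so the overlapping window costs little and a missed night is self-healing.
    options:
      repository: swift-security-archive
      name: 'security-%Y.%m.%d'
      wait_for_completion: true
      max_wait: 7200
      wait_interval: 30
      ignore_empty_list: true
    filters:
      - filtertype: pattern
        kind: prefix
        value: logs-
      - filtertype: age
        source: name
        direction: older
        timestring: '%Y.%m.%d'
        unit: days
        unit_count: 1
      - filtertype: age
        source: name
        direction: younger
        timestring: '%Y.%m.%d'
        unit: days
        unit_count: 3
  3:
    action: delete_indices
    description: >-
      Keep 90 days searchable in the cluster. Curator stops the run on the first
      failing action (continue_if_exception defaults to False), so a failed
      snapshot above blocks this deletion for the night instead of losing data.
    options:
      ignore_empty_list: true
    filters:
      - filtertype: pattern
        kind: prefix
        value: logs-
      - filtertype: age
        source: name
        direction: older
        timestring: '%Y.%m.%d'
        unit: days
        unit_count: 90
  4:
    action: delete_snapshots
    description: >-
      Enforce the long-term retention in Swift itself: drop snapshots older than
      400 days, comfortably past the 12-month minimum for forensic and legal use.
    options:
      repository: swift-security-archive
      retry_interval: 120
      retry_count: 3
      ignore_empty_list: true
    filters:
      - filtertype: pattern
        kind: prefix
        value: security-
      - filtertype: age
        source: creation_date
        direction: older
        unit: days
        unit_count: 400
```

Restoring a day for an investigation is the reverse of step 2: a restore of `security-<date>` from the same repository brings the index back into the cluster with its original name, which is why the daily naming scheme matters. Test that restore path on a schedule, not only when legal asks for it.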
Adding S3 Storage to Our Architecture Diagram (diagram slide)
Securing Data
Our past experiences and requirements
• Control over who has access to the data
• Ease of RBAC management
• Encrypt data in transit
• Use existing, tested solutions
Adding X-Pack to Our Architecture Diagram (diagram slide)
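The four requirements above translate into a small amount of X-Pack configuration. The following is an added example for this page, not Bell's configuration, written in Elastic Stack 6.x syntax: the certificate paths, the directory server, the group DNs and the role names are assumptions. Authentication comes from the corporate directory, every consumer of the cluster (Logstash, analysts, the alerting engine) gets its own least-privilege role, and both node-to-node and client traffic are TLS only.

```yaml
# elasticsearch.yml (excerpt; added example, 6.x syntax, paths and DNs are assumptions)
xpack.security.enabled: true

# Node-to-node traffic: TLS is mandatory and a peer is accepted only if its
# certificate chains to the internal CA.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/node.p12
xpack.security.transport.ssl.truststore.path: certs/node.p12

# Client traffic (Logstash, Kibana, ElastAlert, Curator) over HTTPS only.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12

# The logging platform needs its own audit trail of who read or changed what.
xpack.security.audit.enabled: true

# Analysts authenticate against the corporate directory; the bind password is
# stored in the Elasticsearch keystore, never in this file.
xpack.security.authc.realms:
  corp_ldap:
    type: ldap
    order: 0
    url: "ldaps://ldap.corp.example.net:636"
    bind_dn: "cn=es-bind,ou=service,dc=corp,dc=example,dc=net"
    user_search.base_dn: "ou=people,dc=corp,dc=example,dc=net"
    group_search.base_dn: "ou=groups,dc=corp,dc=example,dc=net"
    unmapped_groups_as_roles: false
    files:
      role_mapping: "config/role_mapping.yml"

---
# roles.yml: one least-privilege role per consumer; nobody queries as superuser.
logstash_writer:
  cluster: [ "manage_index_templates", "monitor" ]
  indices:
    - names: [ "logs-*" ]
      privileges: [ "write", "create_index" ]

soc_analyst:
  indices:
    - names: [ "logs-*" ]
      privileges: [ "read", "view_index_metadata" ]

# The alerting engine reads the logs and owns only its own status indices.
elastalert:
  indices:
    - names: [ "logs-*" ]
      privileges: [ "read", "view_index_metadata" ]
    - names: [ "elastalert_status*" ]
      privileges: [ "all" ]

---
# role_mapping.yml: directory groups -> roles. Adding an analyst is a group
# membership change in the directory, not a change to the cluster.
soc_analyst:
  - "cn=soc-analysts,ou=groups,dc=corp,dc=example,dc=net"
kibana_user:
  - "cn=soc-analysts,ou=groups,dc=corp,dc=example,dc=net"
```

Sharing data with another branch then becomes a role with a narrower `names` pattern (or document-level security on a field such as the originating business unit) mapped to that branch's group, rather than a copy of the data.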
Building One Piece at a Time: 4. Visualization and alerting
Handling and Visualizing Our Data
Our past experiences and requirements
• An easy front end to query logs
• Reusable queries
• The ability to visualize data meaningfully
• A front end that is used by a wide range of security specialists:
  ‒ Analysts
  ‒ Threat hunters
  ‒ Data scientists
Adding Kibana to Our Architecture Diagram (diagram slide)
Alerting on Security Events
Our past experiences and requirements
• Need to filter on meaningful security events
• Ease of building and deploying detection rules
• Automated deployment
• Easily track the life cycle of rules
Alerting on Security Events
ElastAlert
• A simple way of writing queries
• Rules as YAML text files, which solves the maintainability problem: they live under version control
• Automatic deployment through CI/CD tools tied to version control
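An ElastAlert rule is one YAML file, which is what makes the version-control and CI/CD story above work. The following is an added example for this page, not one of Bell's rules: it assumes a normalized field layout (`process.name`, `event.outcome`, `source.ip`, `user.name`, `host.name`) in `logs-linux-auth-*` indices, and the mail address is a placeholder. It counts failed SSH logins per source address and suppresses repeat alerts so that a noisy scanner does not page the team every five minutes.

```yaml
# rules/ssh_bruteforce.yml (added example; index pattern, field names and address are assumptions)
name: "SSH brute force: many failed logins from one source"
type: frequency
index: logs-linux-auth-*

# Fire when a single source IP produces 20 or more failed SSH logins in 5 minutes.
num_events: 20
timeframe:
  minutes: 5
query_key: source.ip          # count per source address, not across the whole fleet

filter:
  - term:
      process.name: "sshd"
  - term:
      event.outcome: "failure"

# Re-alert for the same source at most hourly, and back off further while it
# keeps going. Matches are written to ElastAlert's status index either way,
# so the rule's hits stay auditable even when suppressed.
realert:
  hours: 1
exponential_realert:
  hours: 6

include:
  - source.ip
  - user.name
  - host.name

alert:
  - email
email:
  - "soc@example.net"
alert_subject: "SSH brute force from {0} against {1}"
alert_subject_args:
  - source.ip
  - host.name
alert_text_type: alert_text_only
alert_text: |
  {0} failed SSH logins from {1} in 5 minutes (last user name tried: {2}).
alert_text_args:
  - num_hits
  - source.ip
  - user.name
```

In CI, `elastalert-test-rule rules/ssh_bruteforce.yml` validates the file and runs the query against the cluster without sending the alert, so a merge request that breaks a rule fails before it reaches production. The rule file, its reviewer and its merge date are then the life cycle record the previous slide asks for.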
Adding ElastAlert to Our Architecture Diagram (diagram slide)
Smart Detection
Our past experiences and requirements
• Data must be easily accessible
• Develop custom machine learning models
• Automated deployment of machine learning models
• Flexibility in using different algorithms
Smart Detection
In-house machine learning
• Models developed with open source, ML-centric libraries
• A deployment pipeline from the data scientists to production
Adding Machine Learning to Our Architecture Diagram (diagram slide)
Security Event Correlation
Our past experiences and requirements
• The ability to correlate security events
• The ability to write complex rules
• A simple front end to help our analysts
• A central point for alerting
Security Event Correlation
ArcSight
• Provides one of the best correlation engines for security events
• Allows aggregation, correlation, trending, and more
• ArcSight ESM provides a GUI and is a well-known product across Bell security teams
• Can receive data from and send data to multiple sources
Adding ArcSight to Our Architecture Diagram (diagram slide)
Today's Situation With Elastic
Where we are
• Elastic scales horizontally to keep up with the constant increase in log volume
• Elastic integrates simply over open protocols and formats
• Elastic's X-Pack provides a built-in secure data environment (authentication, RBAC, TLS)
• The new Elastic-based architecture lets us build more detection mechanisms using different techniques
An introduction to Elasticsearch's advanced relevance ranking toolboxAn introduction to Elasticsearch's advanced relevance ranking toolbox
An introduction to Elasticsearch's advanced relevance ranking toolbox
Elasticsearch
 
Welcome to a new state of find
Welcome to a new state of findWelcome to a new state of find
Welcome to a new state of find
Elasticsearch
 
Building great website search experiences
Building great website search experiencesBuilding great website search experiences
Building great website search experiences
Elasticsearch
 
Keynote: Harnessing the power of Elasticsearch for simplified search
Keynote: Harnessing the power of Elasticsearch for simplified searchKeynote: Harnessing the power of Elasticsearch for simplified search
Keynote: Harnessing the power of Elasticsearch for simplified search
Elasticsearch
 
Cómo transformar los datos en análisis con los que tomar decisiones
Cómo transformar los datos en análisis con los que tomar decisionesCómo transformar los datos en análisis con los que tomar decisiones
Cómo transformar los datos en análisis con los que tomar decisiones
Elasticsearch
 
Explore relève les défis Big Data avec Elastic Cloud
Explore relève les défis Big Data avec Elastic Cloud Explore relève les défis Big Data avec Elastic Cloud
Explore relève les défis Big Data avec Elastic Cloud
Elasticsearch
 
Comment transformer vos données en informations exploitables
Comment transformer vos données en informations exploitablesComment transformer vos données en informations exploitables
Comment transformer vos données en informations exploitables
Elasticsearch
 
Transforming data into actionable insights
Transforming data into actionable insightsTransforming data into actionable insights
Transforming data into actionable insights
Elasticsearch
 
Opening Keynote: Why Elastic?
Opening Keynote: Why Elastic?Opening Keynote: Why Elastic?
Opening Keynote: Why Elastic?
Elasticsearch
 
Empowering agencies using Elastic as a Service inside Government
Empowering agencies using Elastic as a Service inside GovernmentEmpowering agencies using Elastic as a Service inside Government
Empowering agencies using Elastic as a Service inside Government
Elasticsearch
 
The opportunities and challenges of data for public good
The opportunities and challenges of data for public goodThe opportunities and challenges of data for public good
The opportunities and challenges of data for public good
Elasticsearch
 
Enterprise search and unstructured data with CGI and Elastic
Enterprise search and unstructured data with CGI and ElasticEnterprise search and unstructured data with CGI and Elastic
Enterprise search and unstructured data with CGI and Elastic
Elasticsearch
 
Ad

Recently uploaded (20)

ICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdf
ICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdfICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdf
ICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdf
Eryk Budi Pratama
 
論文紹介:"InfLoRA: Interference-Free Low-Rank Adaptation for Continual Learning" ...
論文紹介:"InfLoRA: Interference-Free Low-Rank Adaptation for Continual Learning" ...論文紹介:"InfLoRA: Interference-Free Low-Rank Adaptation for Continual Learning" ...
論文紹介:"InfLoRA: Interference-Free Low-Rank Adaptation for Continual Learning" ...
Toru Tamaki
 
Slack like a pro: strategies for 10x engineering teams
Slack like a pro: strategies for 10x engineering teamsSlack like a pro: strategies for 10x engineering teams
Slack like a pro: strategies for 10x engineering teams
Nacho Cougil
 
Building the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdfBuilding the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdf
Cheryl Hung
 
Build With AI - In Person Session Slides.pdf
Build With AI - In Person Session Slides.pdfBuild With AI - In Person Session Slides.pdf
Build With AI - In Person Session Slides.pdf
Google Developer Group - Harare
 
Understanding SEO in the Age of AI.pdf
Understanding SEO in the Age of AI.pdfUnderstanding SEO in the Age of AI.pdf
Understanding SEO in the Age of AI.pdf
Fulcrum Concepts, LLC
 
Building Connected Agents: An Overview of Google's ADK and A2A Protocol
Building Connected Agents:  An Overview of Google's ADK and A2A ProtocolBuilding Connected Agents:  An Overview of Google's ADK and A2A Protocol
Building Connected Agents: An Overview of Google's ADK and A2A Protocol
Suresh Peiris
 
Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?
Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?
Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?
Christian Folini
 
DNF 2.0 Implementations Challenges in Nepal
DNF 2.0 Implementations Challenges in NepalDNF 2.0 Implementations Challenges in Nepal
DNF 2.0 Implementations Challenges in Nepal
ICT Frame Magazine Pvt. Ltd.
 
Shoehorning dependency injection into a FP language, what does it take?
Shoehorning dependency injection into a FP language, what does it take?Shoehorning dependency injection into a FP language, what does it take?
Shoehorning dependency injection into a FP language, what does it take?
Eric Torreborre
 
Design pattern talk by Kaya Weers - 2025 (v2)
Design pattern talk by Kaya Weers - 2025 (v2)Design pattern talk by Kaya Weers - 2025 (v2)
Design pattern talk by Kaya Weers - 2025 (v2)
Kaya Weers
 
accessibility Considerations during Design by Rick Blair, Schneider Electric
accessibility Considerations during Design by Rick Blair, Schneider Electricaccessibility Considerations during Design by Rick Blair, Schneider Electric
accessibility Considerations during Design by Rick Blair, Schneider Electric
UXPA Boston
 
Developing Product-Behavior Fit: UX Research in Product Development by Krysta...
Developing Product-Behavior Fit: UX Research in Product Development by Krysta...Developing Product-Behavior Fit: UX Research in Product Development by Krysta...
Developing Product-Behavior Fit: UX Research in Product Development by Krysta...
UXPA Boston
 
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Maarten Verwaest
 
Cybersecurity Tools and Technologies - Microsoft Certificate
Cybersecurity Tools and Technologies - Microsoft CertificateCybersecurity Tools and Technologies - Microsoft Certificate
Cybersecurity Tools and Technologies - Microsoft Certificate
VICTOR MAESTRE RAMIREZ
 
OpenAI Just Announced Codex: A cloud engineering agent that excels in handlin...
OpenAI Just Announced Codex: A cloud engineering agent that excels in handlin...OpenAI Just Announced Codex: A cloud engineering agent that excels in handlin...
OpenAI Just Announced Codex: A cloud engineering agent that excels in handlin...
SOFTTECHHUB
 
Top 5 Qualities to Look for in Salesforce Partners in 2025
Top 5 Qualities to Look for in Salesforce Partners in 2025Top 5 Qualities to Look for in Salesforce Partners in 2025
Top 5 Qualities to Look for in Salesforce Partners in 2025
Damco Salesforce Services
 
Who's choice? Making decisions with and about Artificial Intelligence, Keele ...
Who's choice? Making decisions with and about Artificial Intelligence, Keele ...Who's choice? Making decisions with and about Artificial Intelligence, Keele ...
Who's choice? Making decisions with and about Artificial Intelligence, Keele ...
Alan Dix
 
Longitudinal Benchmark: A Real-World UX Case Study in Onboarding by Linda Bor...
Longitudinal Benchmark: A Real-World UX Case Study in Onboarding by Linda Bor...Longitudinal Benchmark: A Real-World UX Case Study in Onboarding by Linda Bor...
Longitudinal Benchmark: A Real-World UX Case Study in Onboarding by Linda Bor...
UXPA Boston
 
May Patch Tuesday
May Patch TuesdayMay Patch Tuesday
May Patch Tuesday
Ivanti
 
ICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdf
ICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdfICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdf
ICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdf
Eryk Budi Pratama
 
論文紹介:"InfLoRA: Interference-Free Low-Rank Adaptation for Continual Learning" ...
論文紹介:"InfLoRA: Interference-Free Low-Rank Adaptation for Continual Learning" ...論文紹介:"InfLoRA: Interference-Free Low-Rank Adaptation for Continual Learning" ...
論文紹介:"InfLoRA: Interference-Free Low-Rank Adaptation for Continual Learning" ...
Toru Tamaki
 
Slack like a pro: strategies for 10x engineering teams
Slack like a pro: strategies for 10x engineering teamsSlack like a pro: strategies for 10x engineering teams
Slack like a pro: strategies for 10x engineering teams
Nacho Cougil
 
Building the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdfBuilding the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdf
Cheryl Hung
 
Understanding SEO in the Age of AI.pdf
Understanding SEO in the Age of AI.pdfUnderstanding SEO in the Age of AI.pdf
Understanding SEO in the Age of AI.pdf
Fulcrum Concepts, LLC
 
Building Connected Agents: An Overview of Google's ADK and A2A Protocol
Building Connected Agents:  An Overview of Google's ADK and A2A ProtocolBuilding Connected Agents:  An Overview of Google's ADK and A2A Protocol
Building Connected Agents: An Overview of Google's ADK and A2A Protocol
Suresh Peiris
 
Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?
Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?
Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?
Christian Folini
 
Shoehorning dependency injection into a FP language, what does it take?
Shoehorning dependency injection into a FP language, what does it take?Shoehorning dependency injection into a FP language, what does it take?
Shoehorning dependency injection into a FP language, what does it take?
Eric Torreborre
 
Design pattern talk by Kaya Weers - 2025 (v2)
Design pattern talk by Kaya Weers - 2025 (v2)Design pattern talk by Kaya Weers - 2025 (v2)
Design pattern talk by Kaya Weers - 2025 (v2)
Kaya Weers
 
accessibility Considerations during Design by Rick Blair, Schneider Electric
accessibility Considerations during Design by Rick Blair, Schneider Electricaccessibility Considerations during Design by Rick Blair, Schneider Electric
accessibility Considerations during Design by Rick Blair, Schneider Electric
UXPA Boston
 
Developing Product-Behavior Fit: UX Research in Product Development by Krysta...
Developing Product-Behavior Fit: UX Research in Product Development by Krysta...Developing Product-Behavior Fit: UX Research in Product Development by Krysta...
Developing Product-Behavior Fit: UX Research in Product Development by Krysta...
UXPA Boston
 
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Maarten Verwaest
 
Cybersecurity Tools and Technologies - Microsoft Certificate
Cybersecurity Tools and Technologies - Microsoft CertificateCybersecurity Tools and Technologies - Microsoft Certificate
Cybersecurity Tools and Technologies - Microsoft Certificate
VICTOR MAESTRE RAMIREZ
 
OpenAI Just Announced Codex: A cloud engineering agent that excels in handlin...
OpenAI Just Announced Codex: A cloud engineering agent that excels in handlin...OpenAI Just Announced Codex: A cloud engineering agent that excels in handlin...
OpenAI Just Announced Codex: A cloud engineering agent that excels in handlin...
SOFTTECHHUB
 
Top 5 Qualities to Look for in Salesforce Partners in 2025
Top 5 Qualities to Look for in Salesforce Partners in 2025Top 5 Qualities to Look for in Salesforce Partners in 2025
Top 5 Qualities to Look for in Salesforce Partners in 2025
Damco Salesforce Services
 
Who's choice? Making decisions with and about Artificial Intelligence, Keele ...
Who's choice? Making decisions with and about Artificial Intelligence, Keele ...Who's choice? Making decisions with and about Artificial Intelligence, Keele ...
Who's choice? Making decisions with and about Artificial Intelligence, Keele ...
Alan Dix
 
Longitudinal Benchmark: A Real-World UX Case Study in Onboarding by Linda Bor...
Longitudinal Benchmark: A Real-World UX Case Study in Onboarding by Linda Bor...Longitudinal Benchmark: A Real-World UX Case Study in Onboarding by Linda Bor...
Longitudinal Benchmark: A Real-World UX Case Study in Onboarding by Linda Bor...
UXPA Boston
 
May Patch Tuesday
May Patch TuesdayMay Patch Tuesday
May Patch Tuesday
Ivanti
 

Security Events Logging at Bell with the Elastic Stack

15
What If Beats Can’t Handle Special Cases?
• Most of the devices send logs only via syslog
• Losing data is not an option
• Need to receive data from geographically diverse locations
16
Rsyslog
• Adding Rsyslog servers close to the data sources
• Acts as a buffer
• Basic parsing and serialization of logs to JSON with Rsyslog
• Send logs to our security data center over TCP and minimize the risk of data loss
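The header parsing that an Rsyslog relay does before it serializes a line to JSON, as an added example in Python; it is not part of the original deck and not Bell's Rsyslog configuration. The three sample lines are constructed: a BSD-style (RFC 3164) line as a router emits it, an RFC 5424 line with structured data as a firewall emits it, and a malformed line. The field names (host, program, severity, parse_error) are this example's choices rather than Bell's schema; the point it shows is that every line, parsed or not, leaves as exactly one JSON document, so a chatty or misbehaving device cannot cause silent data loss upstream of the message queue.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines (not real Bell logs): a BSD-style line from a router,
# an RFC 5424 line from a firewall, and a line that no device should send.
SAMPLE_LINES = [
    "<134>Oct  3 14:05:17 edge-rtr01 %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4432) -> 203.0.113.9(22), 1 packet",
    "<165>1 2018-10-03T14:05:18.201Z fw-core02 vpnd 2187 LOGIN [auth@32473 user=\"mvandystadt\" result=\"failure\"] VPN login failed",
    "garbage with no priority header",
]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)
# RFC 5424: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|\[.*?\])(?: (?P<msg>.*))?$",
    re.DOTALL,
)
# RFC 3164: "Mmm dd hh:mm:ss HOST TAG: MSG"
RFC3164_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^:\s]+):? ?(?P<msg>.*)$",
    re.DOTALL,
)
SD_PARAM_RE = re.compile(r'(\w[\w.@-]*)="((?:[^"\\]|\\.)*)"')


def normalize(line: str, year: int = 2018) -> dict:
    """Turn one raw syslog line into the flat document the rest of the pipeline
    (Kafka, Logstash, Elasticsearch) expects.  Lines that cannot be parsed are
    still emitted, with parse_error set, so nothing is dropped at the relay."""
    doc = {"raw": line, "parse_error": None}
    m = PRI_RE.match(line)
    if not m:
        doc["parse_error"] = "no PRI header"
        return doc
    pri = int(m.group("pri"))
    doc["facility"], doc["severity"] = pri // 8, pri % 8
    rest = m.group("rest")

    m5 = RFC5424_RE.match(rest)
    if m5:
        doc.update(
            syslog_version=5424,
            timestamp=m5.group("ts"),
            host=m5.group("host"),
            program=m5.group("app"),
            message=m5.group("msg") or "",
        )
        # Structured-data params (user, result, ...) become first-class fields.
        for key, value in SD_PARAM_RE.findall(m5.group("sd")):
            doc[key] = value.replace('\\"', '"')
        return doc

    m3 = RFC3164_RE.match(rest)
    if m3:
        # BSD timestamps carry neither year nor zone; add both so the field maps as a date.
        ts = datetime.strptime(f"{year} {m3.group('ts')}", "%Y %b %d %H:%M:%S")
        doc.update(
            syslog_version=3164,
            timestamp=ts.replace(tzinfo=timezone.utc).isoformat(),
            host=m3.group("host"),
            program=m3.group("tag"),
            message=m3.group("msg"),
        )
        return doc

    doc["parse_error"] = "unrecognized header after PRI"
    return doc


def normalize_all(lines) -> list:
    """One JSON document per input line, the form written to the TCP forwarder."""
    return [json.dumps(normalize(line), sort_keys=True) for line in lines]


if __name__ == "__main__":
    for out in normalize_all(SAMPLE_LINES):
        print(out)
```

The year supplied for RFC 3164 lines is a hypothetical default for the sample; a real relay takes it from its own clock and has to handle the year rollover.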
17
Adding Rsyslog to Our Architecture Diagram
18
Building One Piece at a Time (end to end solution)
1. Logging
2. Data engineering
3. Log storage and long term retention
4. Visualization and alerting
19
Incoming Logs: our past experiences and requirements
• All logs are serialized in JSON
• The ability to sustain large spikes of traffic without over-provisioning
• Buffer data, allowing for higher availability
• Data accessible to multiple consumers
20
Kafka as Our Message Queue: our past experiences and requirements
• Kafka allows us to handle spikes of logs
• Provides data buffering for potential downstream issues
• Provides controls to share data securely across other teams using open formats
• Kafka supports JSON out of the box
• Rsyslog and Beats can write to Kafka
21
Adding Kafka to Our Architecture Diagram
22
Parsing and Normalizing: our past experiences and requirements
• Use resources efficiently by taking advantage of auto-scaling
• Every unique technology requires its own set of configuration for parsing and normalization
• Needs integration with CI/CD for ease of testing and deployment
23
Logstash on OpenShift: Logstash containers
• We decided to run all our Logstash instances on OpenShift
• Containers consume fewer resources than multiple virtual machines
• We get auto-scaling through OpenShift
• We can scale quickly by adding more nodes to our OpenShift cluster if needed
24
Adding OpenShift and Logstash to Our Architecture Diagram
25
Logstash on OpenShift: Logstash CI/CD
• Centralize configurations in GitLab
• GitLab allows us to create CI pipelines quickly
• Run Logstash configurations through RSpec for testing
• Review and deploy to production on merge requests
• OpenShift provides the ability to build CD pipelines
26
Adding CI/CD to Our Architecture Diagram
27
Building One Piece at a Time (end to end solution)
1. Logging
2. Data engineering
3. Log storage and long term retention
4. Visualization and alerting
28
Log Storage: our past experiences and requirements
• Most of the searching is going to be done the same day
• Documents need to be easily searchable for the previous 90 days
• Horizontal scalability
• Highly available and redundant data
29
Log Storage: Elasticsearch
• No real surprise: we store our logs in Elasticsearch
• Implementing the hot-warm architecture provides the best solution to meet our requirements
• Our process allows for automated deployment of new nodes
• Elasticsearch provides the required HA and redundancy
30
Adding Elasticsearch to Our Architecture Diagram
31
Long-Term Data Retention: our past experiences and requirements
• For forensic and legal reasons, data needs to be stored for a minimum of 12 months
• Needs to be stored outside of the Elasticsearch cluster
• Fast retrieval of data back into the existing Elastic cluster
• Minimize the cost of the long-term storage solution
32
Long-Term Data Retention: S3 object storage
• OpenStack Swift allows us to store our index snapshots in object storage
• Reuse of the Elasticsearch S3 snapshot repository plugin (Swift exposes an S3-compatible API)
• Acceptable retrieval times
• Use of Curator to automate snapshots
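The retention policy described on the log-storage and long-term-retention slides, as an added Python example that is not Bell's Curator configuration: it computes what a nightly Curator run should do given the index names present in the cluster and the snapshots already in object storage, so the policy can be checked against a known cluster state before Curator acts on it. Assumed here and not stated on the slides: daily indices named security-<source>-YYYY.MM.DD, one snapshot per index carrying the same name, a two-day hot window, 90 days searchable in the cluster, and 365 days of snapshot retention. An index that has reached the end of its searchable window is never deleted in the same run that snapshots it.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Assumed naming (not from the slides): "security-<source>-YYYY.MM.DD", one index per
# source per day, and one snapshot per index that carries the index name.
INDEX_RE = re.compile(r"^(?P<prefix>[a-z0-9_-]+)-(?P<y>\d{4})\.(?P<m>\d{2})\.(?P<d>\d{2})$")


@dataclass
class LifecyclePlan:
    to_warm: list = field(default_factory=list)          # reallocate from hot to warm nodes
    to_snapshot: list = field(default_factory=list)      # snapshot to object storage now
    to_delete: list = field(default_factory=list)        # drop from the cluster; snapshot already exists
    snapshots_to_prune: list = field(default_factory=list)
    skipped: list = field(default_factory=list)          # names the policy refuses to touch


def index_date(name):
    """Date encoded in an index or snapshot name, or None if the name does not fit the pattern."""
    m = INDEX_RE.match(name)
    if not m:
        return None
    try:
        return date(int(m.group("y")), int(m.group("m")), int(m.group("d")))
    except ValueError:   # e.g. month 13: refuse to guess
        return None


def plan_lifecycle(indices, snapshots, today, hot_days=2, search_days=90, retention_days=365):
    """Decide what the nightly Curator run should do.

    hot_days        days an index stays on hot nodes (most searches hit the same day)
    search_days     days an index stays searchable in the cluster (90 on the slides)
    retention_days  minimum time a snapshot must survive in object storage (12 months)
    """
    plan = LifecyclePlan()
    snapshots = set(snapshots)
    for name in sorted(indices):
        d = index_date(name)
        if d is None or d > today:
            plan.skipped.append(name)          # unknown pattern or a date in the future
            continue
        age = (today - d).days
        if age >= search_days:
            # Never delete before a snapshot of this index is known to exist: take the
            # snapshot now and let the next run, which will see it, do the delete.
            (plan.to_delete if name in snapshots else plan.to_snapshot).append(name)
        elif age >= hot_days:
            plan.to_warm.append(name)
        # younger than hot_days: stays hot, nothing to do
    for snap in sorted(snapshots):
        d = index_date(snap)
        if d is not None and (today - d).days >= retention_days:
            plan.snapshots_to_prune.append(snap)
    return plan


# Constructed cluster state for 2018-10-03 (not taken from Bell's environment).
TODAY = date(2018, 10, 3)
INDICES = [
    "security-syslog-2018.10.03",   # today: hot
    "security-syslog-2018.10.02",   # yesterday: still hot
    "security-syslog-2018.10.01",   # 2 days old: move to warm
    "security-winlog-2018.07.05",   # 90 days old, snapshot exists: delete
    "security-syslog-2018.07.05",   # 90 days old, no snapshot yet: snapshot first
    "security-syslog-2018.13.01",   # impossible date: skipped
    ".kibana",                      # not a log index: skipped
]
SNAPSHOTS = [
    "security-winlog-2018.07.05",   # 90 days old: keep
    "security-syslog-2017.10.04",   # 364 days old: keep
    "security-syslog-2017.09.30",   # 368 days old: prune
]

if __name__ == "__main__":
    print(plan_lifecycle(INDICES, SNAPSHOTS, TODAY))
```

The same decisions map onto Curator actions (allocation for to_warm, snapshot, delete_indices, delete_snapshots); computing them first makes the 90-day and 12-month boundaries testable in CI instead of discovering an off-by-one when an index disappears.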
33
Adding S3 Storage to Our Architecture Diagram
34
Securing Data: our past experiences and requirements
• Control over who has access to the data
• Ease of RBAC management
• Add a layer of encryption over data transport
• Use of existing and tested solutions
35
Adding X-Pack to Our Architecture Diagram
36
Building One Piece at a Time (end to end solution)
1. Logging
2. Data engineering
3. Log storage and long term retention
4. Visualization and alerting
37
Handling and Visualizing Our Data: our past experiences and requirements
• Easy front end to query logs
• Reusable queries
• Ability to meaningfully visualize data
• Front end that is used by a wide range of security specialists
‒ Analysts
‒ Threat hunters
‒ Data scientists
38
Adding Kibana to Our Architecture Diagram
39
Alerting on Security Events: our past experiences and requirements
• Need to filter on meaningful security events
• Ease of building and deploying detection rules
• Automate deployment
• Easily track the life cycle of rules
40
Alerting on Security Events: ElastAlert
• Simple way of writing queries
• Use of YAML text files solves maintainability issues, since rules live under version control
• Auto-deployment through CI/CD tools tied to version control
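How a YAML detection rule of the kind the slide describes behaves when replayed over events, as an added Python example that is neither ElastAlert's code nor one of Bell's rules. The rule uses the keys of ElastAlert's frequency rule type (num_events within a timeframe, per query_key, over events matching the filter); it is written out both as the YAML text that would be committed and, so the example runs with the standard library only, as the dict that parsing that YAML yields. The events are constructed, and only the term filter clause is implemented.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The rule as it would sit in Git (keys as used by ElastAlert's "frequency" rule type).
RULE_YAML = """
name: VPN password guessing
type: frequency
index: security-syslog-*
num_events: 5
timeframe:
  minutes: 10
query_key: user
filter:
- term:
    program: vpnd
- term:
    result: failure
alert:
- email
"""

# Parsed form of the YAML above, written by hand so no yaml library is needed
# (yaml.safe_load(RULE_YAML) would yield the same keys).
RULE = {
    "name": "VPN password guessing",
    "type": "frequency",
    "num_events": 5,
    "timeframe": {"minutes": 10},
    "query_key": "user",
    "filter": [{"term": {"program": "vpnd"}}, {"term": {"result": "failure"}}],
}


def matches_filter(event, filters):
    """Every filter clause must match (only the 'term' clause is implemented here)."""
    for clause in filters:
        for field_name, value in clause["term"].items():
            if event.get(field_name) != value:
                return False
    return True


def evaluate_frequency(rule, events):
    """Replay events oldest-first through a frequency rule; return the alerts it raises."""
    window = timedelta(**rule["timeframe"])
    needed = rule["num_events"]
    key_field = rule.get("query_key")
    recent = defaultdict(deque)   # query_key value -> timestamps of matching events in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_filter(ev, rule["filter"]):
            continue
        key = ev.get(key_field) if key_field else None
        ts = ev["@timestamp"]
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget events that fell out of the timeframe
        if len(q) >= needed:
            alerts.append({"rule": rule["name"], "key": key, "count": len(q), "at": ts})
            q.clear()             # one alert per burst, as realert throttling would do
    return alerts


def _ev(minute, user, result, program="vpnd"):
    return {"@timestamp": datetime(2018, 10, 3, 14, minute), "program": program,
            "user": user, "result": result}


# Constructed events (not real logs): alice fails 6 times in 4 minutes, bob 3 times,
# carol 5 times spread over 40 minutes, dave 6 times against sshd (must not count).
EVENTS = (
    [_ev(m, "alice", "failure") for m in (1, 2, 2, 3, 4, 5)]
    + [_ev(m, "bob", "failure") for m in (1, 5, 9)]
    + [_ev(m, "carol", "failure") for m in (0, 10, 20, 30, 40)]
    + [_ev(m, "dave", "failure", program="sshd") for m in (1, 2, 3, 4, 5, 6)]
    + [_ev(7, "alice", "success")]
)

if __name__ == "__main__":
    for alert in evaluate_frequency(RULE, EVENTS):
        print(alert)
```

Only alice trips the rule: carol's five failures never fall inside one ten-minute window, and dave's failures fail the program term. A replay harness of this shape is what lets a rule change in a merge request be judged against fixture events before the CI/CD pipeline ships it.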
41
Adding ElastAlert to Our Architecture Diagram
42
Smart Detection: our past experiences and requirements
• Data must be easily accessible
• Develop custom machine learning models
• Automated deployment of machine learning models
• Flexibility in using different algorithms
43
Smart Detection: in-house machine learning
• Models developed with open source, ML-centric libraries
• Deployment pipeline from data scientists to production
44
Adding Machine Learning to Our Architecture Diagram
45
Security Event Correlation: our past experiences and requirements
• Ability to correlate security events
• Ability to write complex rules
• Simple front end to help our analysts
• Central point for alerting
46
Security Event Correlation: ArcSight
• Provides one of the best correlation engines for security events
• Allows for aggregation, correlation, trending, and more
• ESM provides a GUI and is a well-known product throughout Bell security teams
• Can receive data from and send data to multiple sources
47
Adding ArcSight to Our Architecture Diagram
48
Today’s Situation With Elastic: where we are at
• Elastic allows for horizontal scaling to support the constant increase in log volume
• Elastic allows for simple integration with open security protocols
• Elastic’s X-Pack solution provides a built-in secure data environment
• The new architecture using Elastic allows us to build more detection mechanisms using different techniques