Detection Engineering and Vulnerability management at Elastic | AMS User Group
Details
Join us for a meetup on October 19th in our Elastic office in Amsterdam! Doors open at 17.45 and the presentations begin at 18.00. Food, refreshments, and networking to follow. We wrap up at 20.30.
Address: Elastic's office, Keizersgracht 281, 1016 ED Amsterdam
Agenda:
17.45 Doors open
18.00 Talk #1 Detection engineering in a multi-cloud environment
18.45 Talk #2 How we transformed patching with data-driven insights from the Elastic stack
19.30 Networking, food and drinks
20.30 Wrap up
Talks:
Detection engineering in a multi-cloud environment
In this talk Aaron will provide an overview of our SIEM environment's architecture, which monitors and protects employees in over 40 countries and the Elastic Cloud environment that ingests more than 500 Terabytes per day across 60+ cloud regions in 4 different cloud providers. Aaron will show you how we use Cross Cluster Search to create a single central cluster that we can use both for Observability and for SIEM alerting, while storing all of the data locally within each cloud region, saving millions per year in cloud data transfer fees.
He will then discuss some real-world attack scenarios against cloud environments, what keeps cloud defenders up at night, and how to build custom detections for your cloud environment to detect and stop those attacks. We are a relatively small team, so we rely heavily on automation to enrich, investigate, and respond to alerts as quickly and efficiently as possible. Because many attacks look similar to admin activity, and admin activity often looks a lot like an attack, we distribute many of our alerts directly to the system owners via Slack in order to get instant feedback for the investigation. He will show you how we built many of these automations and what to consider when building them yourself.
Speaker: Aaron Jewitt (Principal Security Analyst @Elastic)
How we transformed patching with data-driven insights from the Elastic stack
In this presentation, we’ll delve into the transformative power of data-driven insights from the Elastic stack in the realm of vulnerability and patch management. While patching is essential for compliance and security, the conventional push-based method presented challenges, especially in our rapidly evolving cloud environment.
We’ll discuss how we shifted the paradigm by advocating for a pull-based patching approach, using custom metrics in Kibana like the vulnerability adherence indicator. The outcome? A staggering reduction in vulnerability between the highest and lowest figures.
Dive into our lessons learned, including the significance of employing multiple metrics and aligning your data with the Elastic Common Schema (ECS).
Speaker: Clement Fouque (Principal Information Security Analyst @Elastic)
