Elastic moves into cybersecurity with free for all SIEM offering

Elastic has launched the beta of a free SIEM (Security Information and Event Management) offering as part of the just-released version 7.2 of its product portfolio.

At the Berlin leg of the company’s user conference, Tudor Golubenco, one of Elastic’s tech leads, recounted how the company came up with the idea. “We do see a lot of people in the community putting security relevant data into Elasticsearch. But there were also a lot of companies who used us as a SIEM even before we had an official product for it. People just built on top of our products and added the functionality they needed.”

Since the interest was there, “it seemed like a good opportunity for us and we just wanted to make it easier for people to use Elastic in the security space”. To help them, the team has so far, for example, “written quite a few Beats modules that make the data ingestion part of the process easier”. Another part of the offering is a Kibana app that Golubenco is quite proud of.

“We created a Kibana application that makes it easy to do investigation – if you notice something unusual, or machine learning points you to something unusual, you go through an investigation workflow. There you look at a particular user, you see which processes they started, you look into which files those processes touched and you try to understand what happened and if it’s malicious or not. If it is, you can track what they managed to do before you noticed them and if you managed to stop them. Having all of that information is very important for the defending side to recognise quickly when there is a security breach and react.”

Where the project goes from here will be driven largely by the needs of the open source community, Golubenco says. “I guess it’s the first free SIEM ever, so we do hope that a lot of people who couldn’t get that level of protection before will adopt it now and give feedback so that we can improve our product.”

The general trend of development at Elastic seems to go towards a more curated experience. This is above all meant to make operations more beginner-friendly, as Beats creator Monica Sarbu mentioned in a chat at Elastic{ON}. “More and more we add curated applications to Kibana that make it easier to use for everyone. Before we shipped for example Beats with sample dashboards – but in Kibana you need to know a bit more to get all the information you need.” 

One new addition that follows that idea is the Metrics Explorer. “Initially Kibana was more load or events oriented, but we added more and more features that are good with metrics kind of data and Metrics Explorer is finally just designed for that,” explains Golubenco. The tool offers a UI for visualising infrastructure metrics and interacting with them inside the Infrastructure app, so that you get the “big picture of what’s happening in your infrastructure”, as Sarbu likes to put it.

Beats 7.2 itself comes with a new script processor that lets you transform or drop events with embedded JavaScript before they are shipped. Other additions include Filebeat modules for Palo Alto PAN-OS and Cisco ASA firewall logs, NetFlow and IPFIX flow records, CoreDNS and NATS messaging, as well as Winlogbeat modules for Windows Security event and Sysinternals System Monitor (Sysmon) logs.
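As an added illustration, not code from the article or from Elastic, here is a script-processor function of the kind the new processor runs, written in the ES5 dialect its embedded JavaScript engine accepts. It cancels events that carry no message, tags each remaining event by whether its source.ip falls in an RFC 1918 private range, and records the result in labels.source_zone. The field names assume the Elastic Common Schema, labels.source_zone is this example's own choice of key, and MockEvent is a constructed stand-in for the event object Beats passes to process(), carrying only the Get/Put/Tag/Cancel methods the function uses. In a real Beats configuration the function goes into the processor's source setting (processors: - script: lang: javascript, source: ...); the mock and runSample() exist only so the logic can be exercised outside Beats.

```javascript
// Added example: a Beats script-processor function, kept to ES5 so it runs under
// the processor's embedded JavaScript engine. Beats calls process(event) per event.
// Field names assume ECS (message, source.ip, tags, labels.*); labels.source_zone
// is an assumed, example-only key, not a field Beats or ECS defines.

// Returns true when ip is a well-formed IPv4 address inside an RFC 1918 range.
function isPrivateIPv4(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) {
    return false;
  }
  var a = Number(m[1]);
  var b = Number(m[2]);
  if (a > 255 || b > 255 || Number(m[3]) > 255 || Number(m[4]) > 255) {
    return false;
  }
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Entry point the script processor invokes for every event.
function process(event) {
  var msg = event.Get("message");
  if (msg === null || msg === undefined || String(msg).trim() === "") {
    event.Cancel(); // nothing to analyse: drop the event before it is shipped
    return;
  }
  var ip = event.Get("source.ip");
  if (typeof ip !== "string") {
    event.Tag("no_source_ip"); // keep the event, but flag the missing field
    return;
  }
  var internal = isPrivateIPv4(ip);
  event.Tag(internal ? "internal_source" : "external_source");
  event.Put("labels.source_zone", internal ? "internal" : "external");
}

// Constructed stand-in for the event object Beats hands to process(). It keeps
// fields in a flat map keyed by dotted name (Beats stores them nested), which is
// enough to exercise the function outside Beats.
function MockEvent(fields) {
  this.fields = {};
  for (var k in fields) {
    if (Object.prototype.hasOwnProperty.call(fields, k)) {
      this.fields[k] = fields[k];
    }
  }
  this.cancelled = false;
}
MockEvent.prototype.Get = function (name) {
  return Object.prototype.hasOwnProperty.call(this.fields, name) ? this.fields[name] : null;
};
MockEvent.prototype.Put = function (name, value) {
  this.fields[name] = value;
};
MockEvent.prototype.Tag = function (tag) {
  var tags = this.fields.tags || [];
  if (tags.indexOf(tag) === -1) {
    tags.push(tag);
  }
  this.fields.tags = tags;
};
MockEvent.prototype.Cancel = function () {
  this.cancelled = true;
};

// Runs process() over a few constructed events and returns what happened to each.
function runSample() {
  var samples = [
    { message: "Built inbound TCP connection", "source.ip": "10.20.30.40" },
    { message: "Deny tcp src outside", "source.ip": "198.51.100.7" },
    { message: "   ", "source.ip": "192.168.1.1" },
    { message: "Login attempt", "source.ip": "172.31.255.254" },
    { message: "Flow record" }
  ];
  return samples.map(function (fields) {
    var ev = new MockEvent(fields);
    process(ev);
    return {
      cancelled: ev.cancelled,
      tags: ev.fields.tags || [],
      zone: ev.fields["labels.source_zone"] || null
    };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runSample(), null, 2));
}
```

Keeping the processor to ES5 matters in practice: the engine behind the script processor does not accept newer syntax such as arrow functions or let/const, so a function that passes in Node may still fail to load in Beats.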

Friends of .NET will be thrilled to hear that the often requested Elastic APM agent for that platform has moved into beta. Elastic’s core product, Elasticsearch, meanwhile gains geographic and time proximity as ranking factors, the new field type search_as_you_type, and a beta of Data Frames, amongst other things. Data Frames pivot data from one or more source indices into a new, entity-centric index, which is useful, for example, to summarise all events per user or host.

Even though Elastic works mainly in the open, companies such as AWS openly question its interpretation of open source, which combines “open source and commercial code in a single, open software stack”. As a consequence, AWS introduced a separate Elasticsearch distribution earlier this year, which Elastic founder Shay Banon saw as AWS “serving their own needs” as well as a “sign of success and the reach our products have”.