Elastic stays on security track, adds new engine and more ML to the mix

Elastic Cloud Enterprise

Search engine provider Elastic has pushed version 7.6 of its product stack out in the open, advancing the company’s new directive of turn-key solutions over single projects.

Last year, the company invested quite heavily in security related features, releasing Elastic SIEM and buying security company Endgame in the process. Moving further along this trajectory, Elastic Security now includes a new security information and event management engine. The addition supplements the anomaly detection which is already part of the product by offering automated threat detection.

To help unveil behaviour indicating threats, version 7.6 also includes 92 rules which align with the MITRE ATT&CK knowledge base of adversary tactics. They come heavily tested, as Elastic’s cyber security specialist James Spiteri is quick to point out “The security teams use our SIEM, to monitor our entire cloud infrastructure, processing 20 to 25 terabytes of data per day.” 

By giving feedback directly to the team writing the detections, the latter can “make sure what they are doing brings very valuable results” says Spiteri. And in true DevOps spirit, it also helps in shining a light on aspects that tend to be forgotten by some. 

Advertisement

The constant contact between infra sec and detection teams for example serves as a reminder of the impact a badly designed query can have in terms of Elastic Cluster performance. Keeping that in mind helps to think about more than just functionality during implementation. 

Version 7.6 also brings the integration of APM data into the SIEM. “If someone has their website monitored with Elastic’s APM monitoring agent, that data is now being picked up by the SIEM as well as the new detection engine inside the SIEM” Spiteri explains. “So if certain exploits are being run on a website, we have detections in place to pick that up.“

Since the majority of Elastic customers are, according to Spiteri, using Windows, the security team added some functionality improving insight into Windows endpoints. A blog post accompanying the release mentions the SIEM now “resiliently collects and enriches data from locations otherwise vulnerable to the evasion techniques of advanced threats”. 

Combined with the detections just mentioned, this provides ops with a better way of automating preventive responses to potentially disruptive events. A new overview page in the SIEM app meanwhile helps to investigate the latter quicker, and support for AWS CloudTrail data as well as enhancements for ingesting Google Cloud Platform data are meant to extend protection to other platforms.

Observability is the second area Elastic has buckled down to. Version 7.6 of the Elastic Stack comes with an AWS billing module for more insight into cloud resources and additional GCP modules to monitor cloud VMs and services monitored by Stackdriver. It also deepens the cooperation with distributed tracing tool Jaeger by enabling the ingestion of traces created by the tool.

All of this can be paired with the supervised machine learning capabilities that are now included in the stack and aim to make the approach “easy and accessible to everyone”. With the amount of data processed in the Elastic Stack, such an addition is only a logical next step, since staying on top gets tricky quite quickly. 

The new “end-to-end” capabilities are supposed to cover the whole ML spectrum from training models to using them for inference. They do however focus on common analytics use cases like classification with fleshed out use cases such as bot detection to keep complexity down and keep the initial hurdles as low as possible.

Apart from the security and observability improvements, Elasticsearch has been reworked for better query performance. Queries sorted by date or other long values should yield results faster, which can, for example, speed up the process when searching logs for errors. 

The new release also introduces meta engines that allow organisations to “unify search across multiple engines from a single search bar, while still allowing admins complete control over the behavior of each individual sub-engine.” Enterprise Search, which was put forward last year to help organisations search content across tools, has been rebranded as Elastic Workplace Search. The old name will however stick around, since it’s the new umbrella name for all search products.

- Advertisement -