Protecting against cyber attacks at UC Davis with Elastic
0 likes863 views
This presentation discusses UC Davis' use of Elastic to unify their security information and event logging. Some key points: - UC Davis needed a modern logging platform to replace their aging ArcSight system and consolidate various data sources. They selected Elastic due to its performance, fault tolerance, and manageability. - Elastic aggregates logs from many campus systems in a centralized, indexed manner for analysis, retention, and correlation. This satisfies their core requirement for a unified event stream. - UC Davis has expanded their use of Elastic over time. They now log over 800GB per day to Elastic from various security and IT systems. - Elastic provides the foundation for UC Davis to develop more automated security workflows and integrate
Ad
More Related Content
What's hot (20)
Similar to Protecting against cyber attacks at UC Davis with Elastic (20)
Ad
More from Elasticsearch (20)
![Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]](https://cdn.slidesharecdn.com/ss_thumbnails/modernisingonelegalserchwithelastic-jsedit14thjune2021-210625013449-thumbnail.jpg?width=560&fit=bounds)
Ad
Recently uploaded (20)
Protecting against cyber attacks at UC Davis with Elastic
- 1. Elastic in UC Davis Security Operations Jeff Rowe (Cyber-security Architect) Cheryl Washington (UCD CISO), Sophon Im (SOC Manager) Nikita Andrikanis, Manpreet Kang, Jason Lin, Kyle Muldoon ?:[email protected]
- 2. This presentation and the accompanying oral presentation contain forward-looking statements, including statements concerning plans for future offerings; the expected strength, performance or benefits of our offerings; and our future operations and expected performance. These forward-looking statements are subject to the safe harbor provisions under the Private Securities Litigation Reform Act of 1995. Our expectations and beliefs in light of currently available information regarding these matters may not materialize. Actual outcomes and results may differ materially from those contemplated by these forward-looking statements due to uncertainties, risks, and changes in circumstances, including, but not limited to those related to: the impact of the COVID-19 pandemic on our business and our customers and partners; our ability to continue to deliver and improve our offerings and successfully develop new offerings, including security-related product offerings and SaaS offerings; customer acceptance and purchase of our existing offerings and new offerings, including the expansion and adoption of our SaaS offerings; our ability to realize value from investments in the business, including R&D investments; our ability to maintain and expand our user and customer base; our international expansion strategy; our ability to successfully execute our go-to-market strategy and expand in our existing markets and into new markets, and our ability to forecast customer retention and expansion; and general market, political, economic and business conditions. Additional risks and uncertainties that could cause actual outcomes and results to differ materially are included in our filings with the Securities and Exchange Commission (the “SEC”), including our Annual Report on Form 10-K for the most recent fiscal year, our quarterly report on Form 10-Q for the most recent fiscal quarter, and any subsequent reports filed with the SEC. SEC filings are available on the Investor Relations section of Elastic’s website at ir.elastic.co and the SEC’s website at www.sec.gov. Any features or functions of services or products referenced in this presentation, or in any presentations, press releases or public statements, which are not currently available or not currently available as a general availability release, may not be delivered on time or at all. The development, release, and timing of any features or functionality described for our products remains at our sole discretion. Customers who purchase our products and services should make the purchase decisions based upon services and product features and functions that are currently available. All statements are made only as of the date of the presentation, and Elastic assumes no obligation to, and does not currently intend to, update any forward-looking statements or statements relating to features or functions of services or products, except as required by law. Forward-Looking Statements
- 3. UC Davis IT Environment • 5000 servers • 55,000 clients • 170,000 user accounts • High-value research • Student Health Center (HIPAA) • 120 PCI merchants • DoD funded research • Personal residences • PG&E substation, Police, Fire, USDA • Airport (EDU) • Open access policies • Massively distributed federated IT governance
- 4. UC Davis Security Operations From 30,000 feet
- 5. UCD SOC Technology Portfolio • Domain-specific technology. • Overlap technology that links core domains. • All these system generate event streams. Currently 8000 events/ sec and growing. SOC workflows are about managing this information.User Security Network Security Software Security CAS Shibboleth ADFS MFA IDS IPS NGFW FIM App Security syslog Sandbox VulnScanner Radius, VPN DHCP AV CASB EDM
- 6. Security Operations Information Flow Categories • Events (Input) • Data streams generated by SOC tech portfolio • Used for manual and automated investigation • Cross domain technology enables aggregation and correlation • Configuration (Static Parameters) • Relatively static system state and configuration • Used to improve correlation with semantic enrichment • Provides context for risk-based appraisal and reporting • Directives (Output) • Actions taken in response to investigation and appraisal • Used to move systems from insecure to secure states • Implements Incident Response
- 7. Abstract Security Operations Workflow Appraise Respond Investigate • Events Data streams generated by system operations • Configuration Current system state and value • Directives Actions taken in response to investigation outcome
- 8. Security Operations Event Logging The journey
- 9. ISO SOC Logging Landscape – August 2018 ArcSight Splunk Elasticsearch Research PoC Azure Logs/ATP 300 Gb/day 2 Gb/day100 Gb/day 100 Gb/day CAS Auth IPS VPN Auth Campus Email Radius Auth Bastio n Hosts Firewalls VMWare syslog HoneypotIDS CASB Email AD Auth AD FS Auth SharePointMFA
- 10. On-Prem vs. Cloud Monitoring and connector infrastructure (instrumentation and data normalization) must be maintained by the SOC in both cases. vs. $$ $$$$$ CAS Auth IPS VPN Auth Campus Email Radius Auth Bastio n Hosts Firewalls VMWare syslog HoneypotIDS CASB Email AD Auth AD FS Auth SharePointMFA
- 11. Rough Timeline • August 2018 • ArcSight turns 5 years old. • No federated access control, slow, fragile, labor intensive, expensive. • Data sources need a refresh. • Migrate to a modern, next generation security logging platform • Evaluated several vendors • Elasticsearch, Splunk, SumoLogic, LogRhythm • Starting August 2018 • Pilot a new ISO logging system based upon BIG Elasticsearch and small Splunk. • 300 GB/day log capacity. • Replace ArcSight in 1 year.
- 12. ISO SOC Logging Landscape – Jan 2019 CAS Aut h IPS VPN Aut h Campus Email Radius Auth Bastion Hosts Firewalls ArcSight VMWare syslog Splunk Honeypot Elasticsearch IDS Azure OMS/ATP O365 Email AD3 Auth ADFS Auth SharePoint 120 Gb/day 10 Gb/day300 Gb/day 100 Gb/day MFA Auth
- 13. UC Davis Security Operations 2020 Where we are today
- 14. UC Davis SOC Logging Landscape – Today CAS Aut h IPS VPN Aut h Campus Email Radius Auth Bastion Hosts Firewalls VMWare syslog Splunk Honeypot Elasticsearch IDS Azure OMS/ATP O365 Email AD ADFS Auth SharePoint 0 Gb/day800 Gb/day 50 Gb/day MFA Auth
- 15. Elasticsearch: Unify the Event Information Stream ISO SOC VLAN ISO SVCS VLAN UCD DatacenterCAS SMTP sshd IAM Oracle DB UCD NOC DHCP Radius IPS Campus Departments IDS Windows Event CollectorAPI events Threat Intel Vulnerabilities Anti-virus AD Infra. ISO SOC Elastic logging system satisfies this core requirement • A wide variety of system logs are centrally aggregated, normalized and indexed • Provides log retention for compliance • Provides event aggregation and correlation • AI and Machine Learning based analytics Raw Aggregated Normalized Analyzed
- 16. Security Index Lifecycle (2020) Phase 2 ExpansionPhase 1 Raw Data Pipeline (milliseconds) Hot Cluster Nodes Phase 1: 90 days Warm Cluster Nodes Phase 2: 90 days Cold Archival Storage Phase 2: 6-12 months Hot Cluster Nodes Phase 2: 2 weeks
- 17. Security Operations Automation • Packaging Security Investigations • Alert stream provides pointers into the raw event stream (TCP conn, protocol decode, host logs) • Bracket connection events matching alert features. • Use Elastic REST API to automate alert filtering, connection matching and aggregation, and investigation packaging. Raw Event Index Alert Index
- 18. 5 Minute Demo
- 19. Elasticsearch Value to UC Davis • High performance, fault-tolerant logging platform • Built in fault tolerance accelerates the upgrade path. • UCD performs rolling upgrades a month after version release. • Manageable with existing manpower • 30% FTE senior SOC analyst deployment in 6 months. • >10% ongoing maintenance • Very Cost Effective • Federated role-based access control • Student analysts are guaranteed well placed jobs on graduation
- 20. Where we are going Future vision
- 21. Leapfrog the SEIM and implement SOAR • Automate, automate, automate. • APIs instead of portals and dashboards. • Open question: Where can Elastic fit? Events Documents Directives Appraise Respond Investigate
- 22. Current Security Workflow SecAlert Appraise Resp ond Investiga te Kibana ServiceNow manual login manual login manual login Appraise Respond Investigate
- 24. Next-Gen Orchestration and Automation IAM Events Documents Directives NGFW Kibana UCD SOAR
- 25. Next steps with Elastic • Covert to ECS • Incorporate built-in SEIM analytics • Get real with Machine Learning