
What is the ELK stack and how can we use it?
ELK stands for Elasticsearch, Logstash and Kibana. It is a suite of tools that work together to aggregate logs from all your systems and applications, analyze those logs, and create visualizations for application and infrastructure monitoring, faster troubleshooting, security analytics, and more.
Elasticsearch is basically a search engine (think Google) that can be used for many purposes within an organization: business analysis, text/document search, storing and searching log information pulled from various sources, and security intelligence functions such as SIEM (Security Information and Event Management).
From a security standpoint, the ELK stack is a useful tool for monitoring and observability.
- Monitoring is the process of collecting data and generating reports on different metrics that define system health.
- Observability is a more investigative approach: using the collected data to understand why a system is behaving the way it is.
The ELK stack contains the tools to achieve both, and, in this context, to support security operations within a Security Operations Center (SOC).
Explain this to me like I am a 5 year old!
It is said that until you can explain a concept to a five-year-old and they fully understand it, you have not fully understood it yourself, so in simple terms, I like to explain this with toys.
Imagine you have a big box of toys and you want to keep track of them. You need a special set of tools to help you find your toys easily and understand what’s happening with them. That’s what the ELK stack does for grown-ups with computers!
- Elasticsearch is like a magic search engine. It helps people find specific toys (or in grown-up terms, data) really fast.
- Logstash is a toy organizer. It takes all the toys (or data) from different places and organizes them so Elasticsearch can find them easily.
- Kibana is like a picture book. It shows you fun pictures of your toys (data) so you can see everything clearly.
So together, Elasticsearch, Logstash, and Kibana (ELK) help people find, organize, and look at their data!
What about the Security Operations Center (SOC)?
SOC (Security Operations Center) operations are all about keeping a company’s digital systems safe from bad guys. Think of it like a superhero team that protects a city, but instead of a city, they protect computers, networks, and data. Here’s how they do it:
- Monitoring: The SOC team is always watching the company’s systems. They have special tools that can alert them if something suspicious is happening, just like a superhero would know if a villain is about to attack (ELK helps with this).
- Detecting Threats: If something looks strange, like a hacker trying to get in, the SOC team will spot it. Their tools and experience help them figure out whether it’s a real threat or just normal activity (ELK can assist with detecting Indicators of Compromise by investigating log events; IDS tools also help with this).
- Responding to Incidents: When the SOC team finds a real threat, they jump into action! They stop the hacker, fix any problems, and make sure everything is safe again (incident response can be tailored based on alerts that can be automated using ELK).
- Investigating: After dealing with the threat, they investigate what happened. They look for clues to understand how the hacker got in and how they can prevent it from happening again (ELK again).
- Improving Security: Once the threat is handled, the SOC team improves the company’s defenses by updating their security tools or policies to prevent future attacks (ELK provides visualizations which can be used by security teams and upper management to easily understand the threat landscape and how to improve security posture).
In short, SOC operations are like having a team of cybersecurity superheroes who are always on guard, detecting, responding, and protecting against cyber threats.
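To make the monitoring and detection steps above concrete, here is an added example (not code from the original post or from Elastic) that simulates the three ELK roles in a few dozen lines of Python: a Logstash-style parser turns raw SSH log lines into structured events, a hypothetical `TinyIndex` class stands in for Elasticsearch with an inverted index and a terms aggregation, and a Kibana-style detection rule flags sources with repeated failed logins. The log lines are constructed sample data, and the IP addresses are documentation ranges, not real hosts.

```python
import re
from collections import defaultdict, Counter

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "2024-05-01T10:00:03Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51235 ssh2",
    "2024-05-01T10:00:05Z sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2",
    "2024-05-01T10:00:07Z sshd[1201]: Failed password for root from 203.0.113.7 port 51237 ssh2",
    "2024-05-01T10:01:00Z sshd[1310]: Accepted password for alice from 198.51.100.20 port 40022 ssh2",
    "2024-05-01T10:01:30Z sshd[1311]: Failed password for alice from 198.51.100.20 port 40023 ssh2",
    "2024-05-01T10:02:00Z cron[77]: (root) CMD (/usr/bin/backup.sh)",
    "garbled line that does not match the expected format",
]

# Generic syslog-like envelope: timestamp, program[pid]: message
LOG_PATTERN = re.compile(
    r"^(?P<timestamp>\S+) (?P<program>\w+)\[(?P<pid>\d+)\]: (?P<message>.*)$"
)
# SSH authentication detail; "invalid user" appears for unknown accounts.
SSH_PATTERN = re.compile(
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)"
)


def parse_line(line):
    """Logstash-style step: turn one raw line into a structured event (or None)."""
    match = LOG_PATTERN.match(line)
    if not match:
        return None  # unparseable lines are dropped, like a failed grok filter
    event = match.groupdict()
    ssh = SSH_PATTERN.search(event["message"])
    if ssh:
        event.update(ssh.groupdict())
        event["outcome"] = event["outcome"].lower()  # normalise for querying
    return event


class TinyIndex:
    """Hypothetical stand-in for Elasticsearch: stores documents and an inverted index."""

    def __init__(self):
        self.docs = []
        self.inverted = defaultdict(set)  # (field, value) -> set of doc ids

    def index(self, doc):
        doc_id = len(self.docs)
        self.docs.append(doc)
        for field, value in doc.items():
            self.inverted[(field, str(value))].add(doc_id)
        return doc_id

    def search(self, **terms):
        """AND query over field=value terms, returning matching documents in id order."""
        ids = None
        for field, value in terms.items():
            hits = self.inverted.get((field, str(value)), set())
            ids = hits if ids is None else ids & hits
        return [self.docs[i] for i in sorted(ids or [])]

    def terms_aggregation(self, field, **filters):
        """Count distinct values of `field` among documents matching the filters."""
        return Counter(d[field] for d in self.search(**filters) if field in d)


def ingest(lines, idx):
    """Pipeline: parse every line and index the ones that parsed; return how many."""
    ingested = 0
    for line in lines:
        event = parse_line(line)
        if event is not None:
            idx.index(event)
            ingested += 1
    return ingested


def build_index(lines=SAMPLE_LOGS):
    idx = TinyIndex()
    return idx, ingest(lines, idx)


def brute_force_alerts(idx, threshold=3):
    """Kibana-style detection rule: sources with at least `threshold` failed passwords."""
    failures_by_source = idx.terms_aggregation("src_ip", outcome="failed")
    return {ip: n for ip, n in failures_by_source.items() if n >= threshold}


if __name__ == "__main__":
    index, count = build_index()
    print(f"ingested {count} events")
    for ip, n in brute_force_alerts(index).items():
        print(f"ALERT: {n} failed logins from {ip}")
```

The threshold and the grok-like regular expressions are the knobs an analyst would tune in the real stack: a parser that silently drops the "invalid user" variant would under-count exactly the noisy guesses an attacker generates, which is why the example handles it explicitly.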
Pulling it all together
We have seen how we can deploy the ELK stack into our IT environment to gather information on all the critical components within it, and how it can inform security operations. The ELK stack can also protect endpoints with Elastic Defend, which is an EDR solution from the Elastic team.
By understanding the operations of those in charge of security operations (the SOC), we can then implement a tool that helps them achieve their goal of defending the organization more efficiently. However, a tool is only as powerful as how it is used, and there are many other tools that can be used with, or instead of, the ELK stack to achieve these objectives. The ELK stack is a very robust solution for helping security teams, and something of note is that most SIEMs are actually built on Elasticsearch.
I will be exploring how the ELK stack can be used for SOC Analysis in a series of blog posts that can be found here: SOC Analyst Challenge.