What You Will Learn
Security Information and Event Management (SIEM) can be an extraordinary benefit to an organization's security posture, but understanding and maintaining it can be difficult. Many solutions require complex infrastructure and software that necessitate professional services for installation. Relying on professional services can leave security teams feeling that they do not truly own, or understand, how their SIEM operates. Combine complicated solutions with a shortage of skilled staff, a lack of simple documentation, and the high cost of software and labor, and it is not surprising that deployments often fail to meet expectations. A SIEM can be the most powerful tool a cyber defense team can wield, but only when it is used to its fullest potential. This course is designed to address this problem by demystifying SIEMs and simplifying the process of implementing a solution that is usable, scalable, and simple to maintain.
The goal of this course is to teach students how to build a SIEM from the ground up using the Elastic Stack. Throughout the course, students will learn about the required stages of log collection. We will cover endpoint agent selection, logging formats, parsing, enrichment, storage, and alerting, and we will combine these components to make a flexible, high-performance SIEM solution. Using this approach empowers SIEM engineers and analysts to understand the complete system, make the best use of technology purchases, and supplement current underperforming deployments. This process allows organizations to save money on professional services, increase the efficiency of internal labor, and develop a nimbler solution than many existing deployments. For example, many organizations pay thousands of dollars in consulting fees when a unique log source needs a custom parser. This course will train students how to easily parse any log source without requiring consulting services, saving their organizations both time and money, and facilitating faster collection and use of new log sources.
SEC455 serves as an important primer for those who are unfamiliar with the architecture of an Elastic-based SIEM. Students who have taken or plan to take additional cyber defense courses may find SEC455 a helpful supplement to the advanced concepts they will encounter in courses such as SEC555. In addition, the material discussed in this course will enable students not only to build a new SIEM, but to improve and supplement their existing implementations, producing a more efficient solution that provides the answers they need more quickly and at a lower cost. The overall goal is to teach students what they need to know to design and modify a SIEM, improve upon their current solution, and reach their original defensive goal: catching adversary activity in their environment.
Syllabus (14 CPEs)
Day 1: 9:00AM - 6:00PM
Day one focuses on Elasticsearch and Kibana and takes students on a journey from their first steps in the Elastic Stack to a secured, production-ready Elasticsearch and Kibana instance by the end of the day. Students will learn the skills required to install, configure, and use Elasticsearch, and will become comfortable using Kibana to visualize imported data in multiple useful ways.
Class begins with an introduction to the components of a SIEM and how each relates to the pieces of the Elastic stack. After a quick, high-level view, Elasticsearch receives a deep dive with a focus on the core practical concepts of node types, indexes, shards, and data type mapping. Also, administrative activities such as cluster creation, management, data retention and optimization are covered and put into practice with hands-on labs. Through these activities, students will become comfortable creating, modifying, and managing their Elasticsearch cluster. The Elasticsearch lesson also includes recommendations and calculations to ensure the capacity of the cluster meets storage and event-per-second requirements.
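The capacity calculations mentioned above, as an added worked example in Python (not course material): it turns a sustained events-per-second rate, average event size, retention period, and replica count into disk, shard, node, and hot/warm estimates. The factors used (indexed size 1.1x raw, a 40 GiB target primary shard, 15% free-disk headroom) are common rules of thumb assumed here, not figures from the course, and the sample workload is constructed.

```python
"""
Back-of-the-envelope Elasticsearch cluster sizing: convert an EPS rate,
average event size, retention, and replica count into disk, shard, and
node estimates, with a hot/warm split.  Added example; the overhead,
shard-size, and headroom factors are assumed rules of thumb.
"""
import math
from dataclasses import dataclass

GIB = 1024 ** 3


@dataclass
class Sizing:
    eps: float                    # sustained events per second
    raw_event_bytes: int          # average raw log line size in bytes
    retention_days: int           # how long an index must stay searchable
    replicas: int = 1             # replica copies per primary shard
    index_overhead: float = 1.1   # indexed size / raw size (assumed)
    target_shard_gib: float = 40  # keep primary shards near this size (assumed)
    disk_headroom: float = 0.15   # free space kept for merges and disk watermarks (assumed)

    def daily_primary_bytes(self):
        """Bytes written to primary shards by one day's events."""
        return self.eps * 86400 * self.raw_event_bytes * self.index_overhead

    def primary_shards_per_day(self):
        """Primary shard count for a daily index that keeps shards near the target size."""
        return max(1, math.ceil(self.daily_primary_bytes() / (self.target_shard_gib * GIB)))

    def daily_bytes_with_replicas(self):
        """Primaries plus every replica copy."""
        return self.daily_primary_bytes() * (1 + self.replicas)

    def total_disk_bytes(self):
        """Disk needed across the cluster for the full retention window, with headroom."""
        return self.daily_bytes_with_replicas() * self.retention_days / (1 - self.disk_headroom)

    def tier_disk_bytes(self, hot_days):
        """Split the total between a hot tier (recent indices) and a warm tier (the rest)."""
        per_day = self.daily_bytes_with_replicas() / (1 - self.disk_headroom)
        return per_day * hot_days, per_day * (self.retention_days - hot_days)

    def data_nodes_needed(self, node_disk_gib):
        """Nodes needed by disk; never fewer than replicas + 1, since a replica
        is only allocated on a node other than the one holding its primary."""
        by_disk = math.ceil(self.total_disk_bytes() / (node_disk_gib * GIB))
        return max(self.replicas + 1, by_disk)


if __name__ == "__main__":
    # Constructed workload: 5,000 EPS of 500-byte events kept for 30 days.
    s = Sizing(eps=5000, raw_event_bytes=500, retention_days=30)
    print(f"primary shards per daily index: {s.primary_shards_per_day()}")
    print(f"total disk: {s.total_disk_bytes() / GIB:,.0f} GiB")
    hot, warm = s.tier_disk_bytes(hot_days=7)
    print(f"hot: {hot / GIB:,.0f} GiB, warm: {warm / GIB:,.0f} GiB")
    print(f"data nodes at 4 TiB each: {s.data_nodes_needed(4096)}")
```

The shard count matters as much as the byte total: too few shards limit indexing throughput on the hot tier, while too many small shards waste heap on every node, so re-run the estimate whenever EPS or the retention policy changes.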
The second part of the day features a similar deep dive on how to install, set up, and use Kibana. Students will become familiar with the search, visualization, and dashboard interfaces, and will learn how to use these tools to explore log data. Students will also learn how to secure access to their Elastic Stack and to lock down indexes and documents with role-based permission schemes.
- Installing and Configuring Elasticsearch - The first step in our SIEM, installing Elasticsearch from scratch and configuring it to be production-ready and usable for the rest of the class.
- Cluster Creation and Management - Setting up Cerebro for cluster and index management, creating an Elasticsearch cluster, using index templates for routing and understanding node failover.
- Kibana - Learning how to use the Kibana interface to run searches, and create visualizations and dashboards, then using them to explore and answer questions about your data.
- Securing the Stack - Adding certificates, authentication, authorization, and auditing to the Elastic Stack with X-Pack, including encryption between nodes and between Kibana and Elasticsearch.
SEC455.1 Distributed Search and Visualization
- What is ELK?
- Indexes, Shards and Replicas
- Fields and Mappings
- Node Types
- Hot / Warm Architecture
- Data Retention and Optimization
- Hardware Sizing
- Index Mappings
- Data Types
- Searches, Filters, and Wildcards
- Adding Index patterns
- Linking to data from logs
- Visualization Types
- Aggregations, Bucketing, and Metrics
- Creating Visualizations
- Creating Dashboards
- X-Pack Tools
- Graph Analytics
- Machine Learning
- Securing the Elastic Stack
- Security Plugin Options
- Authentication, Authorization, and Auditing
- Encryption and IP Filtering
Day 2: 8:00 AM - 5:00 PM
Building on the infrastructure prepared during day one, day two focuses on how to efficiently move logs from your edge devices and then transport, parse, and enrich them. Any organization can create an enormous number of log events in a short period, so an efficient and dependable pipeline is crucial to maintaining the integrity and stability of any logging solution. The multitude of log formats and transport protocols is discussed, as well as how to decide on the best configuration for any given situation. Traditionally, log parsing has been painful and error-prone, but the techniques shown throughout this course day reduce or eliminate this pain and teach students how to replace legacy approaches with more modern and efficient ones. By the end of day 2, students will be familiar with optimal logging formats and with new and effective ways to parse legacy or difficult-to-handle formats.
While having perfectly parsed logs is valuable on its own, we can go much further. Proper enrichment increases the value of a parsed log substantially, at only a nominal cost to ingestion rates. Log enrichment includes adding context to logs and various other techniques used to increase your detection capabilities. Additionally, conditional logic and strategies for log filtering are discussed to ensure that the system is not slowed by processing unneeded information.
The final piece of SIEM architecture is collecting logs from edge devices. Many organizations are unwilling or unable to deploy agent-based log collection, so both agent and agentless methods are discussed so that students can identify their ideal deployment. Although many students may already have a SIEM in their environment, the Elastic set of tools can also supplement and improve the performance of other commercial SIEMs. We explain newer patterns such as the dual-stack SIEM environment, and examine how to use Logstash to supplement pre-existing SIEM deployments that struggle with high volume and poor data enrichment features. Alerting based on logs is also covered, with a review of both Elastic and third-party solutions.
- Installing and Configuring Logstash - You'll learn to install and tune Logstash. Tuning includes memory optimizations, setting up X-Pack monitoring, and verifying that Logstash starts automatically on reboot.
- Traditional Parsing - You will use Logstash to parse syslog manually using both regex and patterns. Next, you'll normalize the log's timestamp to UTC and add tags for context. Finally, you'll ship the logs into Elasticsearch and view them in Kibana.
- Modern Parsing - You'll apply automatic parsing of modern log formats such as key-value and JSON with purpose-built Logstash plugins.
- Filtering and Enrichment - You'll apply log filters to control the volume of data going into your SIEM, then add context and clean up fields through log enrichment to make analysis easier.
- Log Agents - You'll install and use Filebeat and NXLog to collect logs and send them through the entire log pipeline. You'll learn how to run agents over different transports, including the trade-offs of TCP versus UDP.
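The parsing, enrichment, and filtering stages described in the labs above, as one added worked example in Python rather than the course's Logstash configuration: a regex for the RFC 3164 syslog header (traditional parsing), timestamp normalization to UTC with tags for context, automatic handling of JSON and key=value payloads (modern parsing), a volume filter, and enrichment that standardizes field names and marks internal source addresses. The sample lines, the source timezone, the internal address ranges, and the asset table are constructed for the demonstration.

```python
"""
A miniature log pipeline in the shape the course builds with Logstash:
parse -> normalize time -> auto-parse payload -> filter -> enrich.
Added example in Python; sample input and lookup data are constructed.
"""
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# Assumed: these devices stamp logs in local time (UTC-5) and, per RFC 3164, omit the year.
SOURCE_TZ = timezone(timedelta(hours=-5))
LOG_YEAR = 2024

# Constructed sample input (TEST-NET and RFC 1918 addresses).
SAMPLE_LINES = [
    '<34>Jan 12 08:15:02 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2',
    '<30>Jan 12 08:15:03 fw1 filterlog: action=block src=198.51.100.9 dst=10.0.0.5 dport=445 proto=tcp',
    '<14>Jan 12 08:15:04 app01 api: {"event":"login","user":"alice","src_ip":"10.0.0.8","status":"ok"}',
    '<30>Jan 12 08:15:05 fw1 filterlog: action=pass src=10.0.0.8 dst=10.0.0.5 dport=443 proto=tcp',
]

# Constructed enrichment data: asset inventory and the address ranges we consider internal.
ASSETS = {"bastion": "dmz", "fw1": "edge", "app01": "prod"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Traditional parsing: one regex for the RFC 3164 header  <PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$'
)
SSHD_RE = re.compile(r'from (?P<ip>\S+) port (?P<port>\d+)')   # extraction from free text
KV_RE = re.compile(r'(\w+)=(\S+)')                               # key=value payloads
# Standardize vendor field names onto one (ECS-style) name so searches and rules are written once.
FIELD_MAP = {"src": "source.ip", "src_ip": "source.ip", "dst": "destination.ip", "dport": "destination.port"}


def parse_syslog(line):
    """Parse the header; on failure keep the raw line and tag it, as Logstash's grok does."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"message": line, "tags": ["_grokparsefailure"]}
    pri = int(m["pri"])
    # Supply the missing year and zone, then convert to UTC so all sources sort together.
    local = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=SOURCE_TZ)
    event = {
        "@timestamp": local.astimezone(timezone.utc).isoformat(),
        "log.syslog.facility": pri >> 3,   # PRI = facility * 8 + severity
        "log.syslog.severity": pri & 7,
        "host": m["host"],
        "program": m["program"],
        "message": m["message"],
        "tags": ["syslog"],
    }
    if m["pid"]:
        event["pid"] = int(m["pid"])
    return event


def parse_payload(event):
    """Modern parsing: detect JSON or key=value bodies; fall back to per-program extraction."""
    msg = event.get("message", "")
    if msg.startswith("{"):
        try:
            event.update(json.loads(msg))
            event["tags"].append("json")
        except json.JSONDecodeError:
            event["tags"].append("_jsonparsefailure")
        return event
    pairs = KV_RE.findall(msg)
    if len(pairs) >= 2:
        event.update(pairs)
        event["tags"].append("kv")
    elif event.get("program") == "sshd" and (m := SSHD_RE.search(msg)):
        event["src"], event["source.port"] = m["ip"], int(m["port"])
        event["tags"].append("sshd")
    return event


def should_drop(event):
    """Filtering: permitted-traffic records are high volume and low value here, so drop them before indexing."""
    return event.get("program") == "filterlog" and event.get("action") == "pass"


def enrich(event):
    """Field standardization, type fixing, and context from local lookups."""
    for old, new in FIELD_MAP.items():
        if old in event:
            event[new] = event.pop(old)
    if "destination.port" in event:
        event["destination.port"] = int(event["destination.port"])
    if "source.ip" in event:
        try:
            addr = ipaddress.ip_address(event["source.ip"])
            event["source.internal"] = any(addr in net for net in INTERNAL_NETS)
        except ValueError:
            event["tags"].append("_bad_source_ip")
    event["host.zone"] = ASSETS.get(event.get("host"), "unknown")
    return event


def run_pipeline(lines):
    """Run every stage over the input and return the events that would be indexed."""
    out = []
    for line in lines:
        event = parse_payload(parse_syslog(line))
        if not should_drop(event):
            out.append(enrich(event))
    return out


if __name__ == "__main__":
    for e in run_pipeline(SAMPLE_LINES):
        print(json.dumps(e, sort_keys=True))
```

Two details carry over directly to a Logstash build: a header parse that cannot match must tag the event rather than silently drop it, so broken sources are visible in Kibana, and the filter runs after parsing but before enrichment, so no lookup work is spent on events that will never be indexed.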
- Log Aggregation
- General Architecture
- Open-source Solutions
- Scaling Out (Load Balancing, Multiple Nodes, Docker)
- Synchronizing Configurations across Multiple Nodes
- Handling EPS
- Performance Tuning
- Traditional Parsing
- Modern Parsing
- Log Formats (CSV, KV, JSON, XML)
- Automatic Parsers
- Fixing Broken Log Formats
- Extraction vs. Parsing
- Log Enrichment
- Log Filtering Techniques
- Field Standardization
- Conditional Filters
- Augmentation (geoip, DNS, etc.)
- Debugging (Ingest Time)
- Custom Enrichment (Ruby)
- Performance Impact
- Agents and Log Collection
- Core Features
- Automatic Configuration Techniques
- Endpoint Filtering
- Automatic Configuration Control
- Third-Party Integration and Dual-Stack SIEM
- Compliance vs. Tactical
- Commercial vs. Open-source
- Duplicating Data to Multiple Sources
- Converting Output Format per SIEM
- Using Message Brokers
- Migrating Into or Out of Elastic
- Alert Engines and How They Function
- Rule Types
- Rule Development
- Rule Testing
!! IMPORTANT - BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!
A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.
Please download and install either VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.
In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.
MANDATORY SEC455 SYSTEM REQUIREMENTS:
- CPU: 64-bit, 2.0 GHz or faster processor (Important - Please Read: a 64-bit processor is mandatory)
- BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
- RAM: 8 GB or more (Important - Please Read: 8 GB of RAM or more is mandatory)
- Wireless networking: 802.11 b/g/n/ac
- USB 3.0 ports highly recommended
- Disk: 25 GB of free disk space
- VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+, or Fusion 11.5+
- A Linux virtual machine will be provided in class
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"After seeing Elasticsearch continue to pop up in SANS courses across the curriculum, I have noticed students are consistently curious and excited by the search features the open-source Elastic Stack provides. Numerous security tools, projects, and even commercial SIEMs have moved to using the lightning-fast distributed search tool as the cornerstone of their functionality. The trend is clear - Elasticsearch is emerging as a great solution to the 'needle in a haystack' problems we often face in information security, and its inclusion in professional products shows it is indeed ready for primetime. Elasticsearch has an enormous number of possible uses; however, many of them are considerably different from the security use case. Understanding which features are important for a specific use is not a simple task given the extensive documentation. Considering the rapid pace of development throughout the past few years, much of the existing information online has rapidly become outdated as the software has changed. SEC455 was written from day 1 with an eye toward the future, with only the newest version of Elasticsearch in mind. We have reduced the documentation to the most important information and simplified learning the Elastic Stack to the items relevant for security use. Taking this class is guaranteed to save you numerous hours of documentation reading, experimentation, and frustration, and will give you a shortcut to the front of the Elasticsearch trend. If you're wondering what the distributed search platform can do for you, and want to learn it with a focus on understanding, improving, and building a SIEM, this is the course for you!"
- John Hubbard