Developer: | Elastic |
Release date: | 2020/02/27 |
Industry: | Information technology |
Technology: | MDM - Master Data Management; Cybersecurity - Backup and data storage; Cybersecurity - Security Information and Event Management (SIEM) |
Elastic Stack (into which the formerly separate X-Pack extensions have been folded) ingests data reliably from any source in any format and lets users search, analyze and visualize it in near real time. Elastic Stack comprises the following Elastic products: Elasticsearch, Kibana, Beats, Logstash and Elastic Cloud Enterprise (ECE).
2020: Elastic Stack 7.6
On February 27, 2020 Elastic announced the release of Elastic Stack 7.6, in which the most significant updates concern information security functionality. About one hundred prebuilt detection rules and policies aimed at identifying attacks, built on the MITRE ATT&CK knowledge base of adversary tactics and techniques, were added to the system.
Main changes in version 7.6 highlighted by the developer:
- Search queries sorted by date or another long-integer field run faster: up to 15 times according to the Lucene benchmark, thanks to the Block-Max WAND technique. Queries that use aggregations do not benefit, however, because aggregations must visit every matching document and so the engine cannot skip the non-competitive ones.
- The machine learning features were reworked for ease of use; the main goal was to simplify techniques such as classification and regression. A security analyst can, with Elasticsearch's built-in tools, train a bot-detection model using classification and then, through the ML inference processor in an ingest pipeline, classify and label the analyzed traffic as bot or non-bot.
- The Elastic SIEM component received an updated detection engine that reduces Mean Time to Detect (MTTD), an important SOC metric. In particular, about 100 ready-made rules detecting attack tactics and techniques from the MITRE ATT&CK base are supplied, each ranked by risk level and severity, which helps an analyst select the most important events first. Elastic calls the results of detection "signals" (the Signals engine); the correlation engine developed more than two years ago in the Angara Cyber Resilience Center platform (SOC ACRC) bears the same name.
- In the Endpoint Detection and Response (EDR) component, Elastic Endpoint Security (based on the Endgame engine), security monitoring of Windows hosts, the most frequent target of attackers, is improved. Detection rules for keyboard input interception (keylogging) and for injection of malicious code into processes are included. According to the developer, the addition that lets the technology compete with the widespread Sysmon and similar tools is the integration of these rules with automated responses, for example terminating the offending process. (Sysmon itself only records telemetry; any response has to be built around it by the SOC.)
- Integration with cloud services is improved: with Amazon Web Services (AWS), in particular billing monitoring and CloudTrail log collection, and with Google Cloud Platform (GCP).
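The two SIEM/EDR items above (rules mapped to MITRE ATT&CK and ranked by risk, and detection rules tied to an automated "kill process" response) are easier to reason about with a small worked model. The block below is an added, constructed illustration and is not Elastic's Signals engine or Endpoint Security code: the rule and event field names (ECS-like dotted keys), the `api.*` fields, the risk scores and the ATT&CK mapping are all assumptions chosen for the example, and the "kill" response only records what a real EDR would execute on the endpoint.

```python
"""Toy detection engine: ATT&CK-mapped rules with risk score and severity,
evaluated over constructed events, producing signals ranked for triage and
an automated (simulated) process termination for endpoint rules.
This is an illustration written for this page, not Elastic's own code."""
from collections import Counter
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

Event = Dict[str, Any]


@dataclass(frozen=True)
class Rule:
    name: str
    tactic: str                      # MITRE ATT&CK tactic id (assumed mapping)
    technique: str                   # MITRE ATT&CK technique id (assumed mapping)
    severity: str                    # low / medium / high / critical
    risk_score: int                  # 0-100; signals are ranked by this
    match: Callable[[Event], bool]
    response: Optional[str] = None   # "kill_process" enables automated response
    group_by: Optional[str] = None   # with threshold: aggregate matching events
    threshold: int = 1


@dataclass(frozen=True)
class Signal:
    rule: str
    technique: str
    severity: str
    risk_score: int
    host: str
    pid: Optional[int]
    detail: str
    response_taken: Optional[str]


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def kill_process(host: str, pid: int, audit: List[Tuple[str, int]]) -> str:
    """Simulated automated response. A real EDR would terminate the process on
    the endpoint; here the action is only recorded once per (host, pid)."""
    if (host, pid) not in audit:
        audit.append((host, pid))
    return f"kill_process({host}:{pid})"


def run_rules(events: List[Event], rules: List[Rule]) -> Tuple[List[Signal], List[Tuple[str, int]]]:
    signals: List[Signal] = []
    audit: List[Tuple[str, int]] = []
    for rule in rules:
        hits = [e for e in events if rule.match(e)]
        if rule.group_by is None:
            # Per-event rule: every hit is a signal; endpoint rules may respond.
            for e in hits:
                taken = None
                if rule.response == "kill_process" and e.get("process.pid") is not None:
                    taken = kill_process(e["host.name"], e["process.pid"], audit)
                signals.append(Signal(rule.name, rule.technique, rule.severity, rule.risk_score,
                                      e["host.name"], e.get("process.pid"),
                                      e.get("process.name", ""), taken))
        else:
            # Threshold rule: one signal per group that reaches the count.
            counts = Counter(e[rule.group_by] for e in hits)
            for key, n in counts.items():
                if n >= rule.threshold:
                    host = next(e["host.name"] for e in hits if e[rule.group_by] == key)
                    signals.append(Signal(rule.name, rule.technique, rule.severity, rule.risk_score,
                                          host, None, f"{rule.group_by}={key} x{n}", None))
    # Triage order: highest risk first, severity breaks ties.
    signals.sort(key=lambda s: (s.risk_score, SEVERITY_RANK[s.severity]), reverse=True)
    return signals, audit


# Assumed rules; ATT&CK ids: T1056.001 keylogging, T1055 process injection, T1110 brute force.
RULES: List[Rule] = [
    Rule("Keyboard input interception via low-level hook", "TA0009", "T1056.001", "high", 73,
         match=lambda e: e.get("api.name") == "SetWindowsHookEx"
         and e.get("api.hook_type") == "WH_KEYBOARD_LL",
         response="kill_process"),
    Rule("Thread injected into a foreign process", "TA0005", "T1055", "critical", 90,
         match=lambda e: e.get("api.name") == "CreateRemoteThread"
         and e.get("api.target_pid") not in (None, e.get("process.pid")),
         response="kill_process"),
    Rule("Repeated failed logons for one account", "TA0006", "T1110", "medium", 47,
         match=lambda e: e.get("event.category") == "authentication"
         and e.get("event.outcome") == "failure" and "user.name" in e,
         group_by="user.name", threshold=3),
]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"host.name": "ws01", "process.pid": 4120, "process.name": "updater.exe",
     "api.name": "SetWindowsHookEx", "api.hook_type": "WH_KEYBOARD_LL"},
    {"host.name": "ws01", "process.pid": 4120, "process.name": "updater.exe",
     "api.name": "CreateRemoteThread", "api.target_pid": 812},
    {"host.name": "ws02", "process.pid": 2210, "process.name": "svc.exe",
     "api.name": "CreateRemoteThread", "api.target_pid": 2210},   # own process: benign
    *[{"host.name": "dc01", "event.category": "authentication", "event.outcome": "failure",
       "user.name": "j.doe", "source.ip": "10.0.0.7"} for _ in range(4)],
    {"host.name": "dc01", "event.category": "authentication", "event.outcome": "failure",
     "user.name": "admin", "source.ip": "10.0.0.9"},               # below threshold
]

if __name__ == "__main__":
    found, actions = run_rules(SAMPLE_EVENTS, RULES)
    for s in found:
        print(f"{s.risk_score:3d} {s.severity:8s} {s.technique:10s} {s.host} {s.detail} {s.response_taken}")
    print("responses issued:", actions)
```

Running it yields three signals in triage order (injection at 90, keylogging hook at 73, brute force at 47); the self-targeted `CreateRemoteThread` and the single failed logon for `admin` produce nothing, and the process `4120` on `ws01` is terminated once even though two rules fired on it.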
Elastic products are used as standalone engines inside many SIEM and SOC solutions. According to the developer, the updates will bring these improvements into SOC systems provided that operators migrate to the upgraded versions in a timely manner.