Examples of the 85,000+ reviews on PeerSpot:

Chief Architect at a manufacturing company with 11-50 employees
Real User
Offers rapid access to data and indexes
What is our primary use case?

I've been using the Elastic solution primarily as an IAM solution. It helps in threat-hunting investigations and provides case management and security incident management.

How has it helped my organization?

The general process involves collecting all security events on a data platform or a data lake. These events are then processed and analyzed based on threat perception, comparing them against known attack vectors. Events identified as potential threats are tagged accordingly. During analysis, data enrichment may be necessary to enhance understanding. After tagging threats, the analysis is forwarded to a threat-hunting team. A security incident is created if there's no existing solution, and a case analysis is conducted to find a solution.

What is most valuable?

Elastic provides the capability to index quickly due to the reverse indexes it offers. This data is crucial as it contains critical information. The reverse index allows fast data indexing because of Elastic's efficient search engine.

After the initial processing, Elasticsearch offers rapid access to data and indexes. Additionally, Elastic provides a feature for root cause analysis. In this process, various threats emerge. Relevant events are properly linked, suppressing unnecessary ones. The correlated event is then passed on to root cause analysis, aiding in pinpointing the specific problem area.

What needs improvement?

The solution lacks discovery. With effective discovery and asset management in place, you can identify the impact of threats. Having an asset management database allows you to determine the effects of threats on assets and their implications for business and operational aspects.

For how long have I used the solution?

I have been using Elastic Security for five to six years.

What do I think about the stability of the solution?

The product is stable in large energy utility environments, where it handles millions of transactions per second, both on-premises and in the cloud.

What do I think about the scalability of the solution?

Scalability occurs on the Elastic cluster side because the basic ingestion happens on the cluster side. With increased volumes, your cluster should also be able to handle more, or you must provision additional clusters to handle the workload. The solution is entirely scalable. Elastic operates on an in-memory computing basis. A perfect ratio must be maintained during the data retention period. The Elastic infrastructure is set up in a way that provides input and handles the data lake comprehensively. It's more of an infrastructure-level scalability rather than a solution scalability.

How are customer service and support?

The basic support always comes with a very basic level of SLAs, whereas the premium support comes with advanced or very high SLAs.

Which solution did I use previously and why did I switch?

Elastic is replacing solutions like Splunk and IBM QRadar.

How was the initial setup?

The initial setup is straightforward but has complex data feeds ingested into the system. Millions of data points are arriving per second, presenting a significant data transfer rate. Consequently, the system must be appropriately sized and scaled to meet this demand. Furthermore, all data is accessed in real time, complicating the sizing process.

What's my experience with pricing, setup cost, and licensing?

Elastic Security is open source. Unlike many older solutions where you must pay for data ingestion, Elastic allows you to ingest data freely. Being open source, you can set up a Kafka front-door layer to ingest data and forward it to the Elastic cluster in various formats. Once ingested, the Elastic cluster, essentially Elasticsearch, manages cluster management automatically. Additionally, being open source, Elastic can seamlessly integrate with any data feeds.

What other advice do I have?

Anomaly detection comes into play when conducting a threat investigation using threat intelligence or querying threats. Typically, security events stem from various sources, such as operating system logs, event logs, application logs, and security logs, all collected from different systems and traffic data. This data streams at an enormous rate, measured in events per second, often reaching millions. Therefore, the task involves running anomaly detection across these events to pinpoint those requiring analysis and further threat-hunting efforts.

If you're using Kaspersky for event management or passing through data stream pipelines, Elastic can convert the data into a usable format for ingestion into the cluster. Integration with existing solutions is straightforward since Elastic is an open-source platform.

Overall, I rate the solution an eight out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Vikas Dusa
Cyber Security Trainer and Programmer at Freelancer
Real User
Top 5 Leaderboard
    Traces ransomware and manages threat scenarios
What is our primary use case?

My use case for the product revolved around conducting demonstrations and testing. It also helped me with tracing ransomware and managing threat scenarios.

What is most valuable?

The integration with Siemens Endpoint Security in Elastic Security has been beneficial for security. The provided rules are good, making it easy to create and understand rules. Patterns and detections are made through index patterns, requiring some follow-up steps.

In real time, the impact of Elastic Security on ransomware is significant. For known and repeated ransomware, it can detect and prevent effectively using established signatures and behavioral patterns. However, for new types of ransomware with less complex behaviors or those that modify files minimally, conventional detection methods may struggle. Elastic Security proves to be effective even in challenging cases.

On the cloud, it allows testing of SaaS-based applications, performance evaluations using CDMs and APIs, incident detection within company network infrastructures, and comprehensive management of security services.

What needs improvement?

Improvements in Elastic Security could include refining and normalizing queries to make them more user-friendly, enhancing the user experience with better documentation, and addressing any latency issues.

For how long have I used the solution?

I have utilized Elastic Security for approximately three to four months.

What do I think about the stability of the solution?

I rate the product's stability an eight out of ten.

What do I think about the scalability of the solution?

Scaling Elastic Security is relatively easy, with a rating of seven out of ten.

How was the initial setup?

The tool's deployment is straightforward.

What other advice do I have?

I rate the overall product an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.