Security and Elastic{ON}
While attending Elastic{ON} this year it was apparent that the focus on security has been a primary driver when it comes to new and improved functionality. With data breaches and malicious events being at the forefront of 2017, it is exciting to see how the great folks at Elastic (and the community) have stepped up and focused on features that are aimed at minimizing the impacts related to a cyber security event.
A small but impressive change has been related to the handling of the default users within Elasticsearch, Kibana, and Logstash. The default user passwords have been an item of contention for some time. With the default password for the Elastic Stack being “changeme”, one would think that the Elastic folks are trying to drop a hint on what action should be completed when installing the stack. However, it has been amazing to see how many systems remain at the default password, even in a production environment. With version 6.0, the user passwords are now set using the setup-passwords function, which can be run either interactively or in auto mode, where generated passwords are displayed. For those of us who like to utilize automation (such as cloud deployments), they have even built in that logic as well, reading the bootstrap.password setting directly from the keystore.
The second feature relates to the Beats product line, which was already impressive with items such as Metricbeat, Filebeat, Packetbeat, Winlogbeat, and Heartbeat. Auditbeat is a lightweight shipper for audit data, taking advantage of the same ruleset defined on the system via audit.rules. Monitoring user activity, processes, and other pertinent events related to auditd is the primary use case for this application. These events are then sent to Logstash/Elasticsearch in real time, where they can be viewed and analyzed in Kibana for anomaly detection. Another impressive function of Auditbeat is the file integrity module, which monitors files (or directories) for changes. Setting up Auditbeat to monitor critical files and directories can be beneficial, providing real-time visualization of the changes, which can then be compared against approved change management activities.
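An Auditbeat configuration for the use case just described, added here as an illustration and not taken from the original post or from Elastic's documentation. The audit rules, the monitored paths, and the Elasticsearch host and credentials are assumptions; adjust them to the system being monitored.

```yaml
# auditbeat.yml (constructed example): kernel audit events plus file integrity
# monitoring of directories where unapproved changes matter most.
auditbeat.modules:
- module: auditd
  resolve_ids: true          # translate uid/gid numbers to names in the event
  # Same syntax as /etc/audit/audit.rules. Auditbeat consumes the kernel audit
  # socket itself, so a separately running auditd must be stopped unless the
  # kernel/module version supports multicast sockets (check your version's docs).
  audit_rules: |
    # Watch identity files for writes and attribute changes (key: identity)
    -w /etc/passwd -p wa -k identity
    -w /etc/group -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -w /etc/sudoers -p wa -k privilege
    # Record every program execution by a real user (key: exec)
    -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec

- module: file_integrity
  paths:                     # directories compared against approved changes
  - /bin
  - /sbin
  - /usr/bin
  - /usr/sbin
  - /etc
  recursive: true
  scan_at_start: true        # baseline hashes at startup so later diffs have a reference
  scan_rate_per_sec: 50 MiB  # throttle the initial scan on busy hosts
  max_file_size: 100 MiB     # files larger than this are reported without a hash
  hash_types: [sha256]
  exclude_files:             # editor temp files would otherwise flood the index
  - '(?i)\.sw[nop]$'
  - '~$'

# Credentials assumed to have been set with setup-passwords; the password is
# read from the keystore or environment rather than written here in clear text.
output.elasticsearch:
  hosts: ["es01.example.internal:9200"]
  username: "elastic"
  password: "${ES_PWD}"
```

Each create, update, attribute change, or delete under the listed paths becomes an event carrying the file path and its current hash, which is what you compare against the change records in Kibana.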
There were many other new features presented at Elastic{ON} this year, and a high percentage of them were focused on the security realm. As security professionals, it is imperative that we stay ahead of the curve when it comes to the tools we use to monitor, analyze, and react to the growing number of events in our industry. Thank you, Elasticsearch, for helping to make this challenging task a little easier.