Extending Elasticsearch with Deep Network Context

As the security workload increases in both complexity and volume, the teams responsible for performing the work need efficient processes and tools that can minimize context switching and the need to consult multiple technologies to get a complete picture. Over the years Security Information and Event Management (SIEM) solutions have attempted to offer the proverbial single pane of glass. But this has brought its own unique challenges – alert fatigue and lack of context. By launching Awake Security’s integration with Elasticsearch we are focusing on solving that challenge, delivering high fidelity detection and context to simplify the life of the overworked security analyst and reduce risk by decreasing response time.

Integrate Logs and Network Data

Elasticsearch is a distributed search and analytics engine used by thousands of organizations worldwide to store, search and analyze high volumes of data in real time. Built on a foundation of deep network analysis, the Awake Security Platform provides a broad perspective on the organization’s attack surface and the critical business assets that are part of it. Awake tracks every asset as it moves across your network and autonomously builds an understanding of the relationships and similarities between entities. This tracking and situational awareness goes beyond just the known and managed assets that feed telemetry into a solution like Elasticsearch.

Bringing this unique visibility from Awake into Elasticsearch amplifies the latter’s analytics capabilities and in turn provides security teams with rich contextual data for efficient detection, threat hunting and rapid incident response. For instance, Awake’s EntityIQ™ identifies, profiles, and tracks all the devices, users and applications with just a network connection. In other words, rather than working with an IP address, security analysts operate on a device that perhaps had half a dozen IP addresses over the past few days. Thanks to Awake, all of those IPs are behaviorally associated with a single device, which simplifies and declutters the analyst workflow. As seen in the screenshots below, sending this type of information into Elasticsearch enables this entity-centric view to be used in correlation with operational data collected from other IT and security solutions. In addition, Awake’s detections of attacker tactics, techniques and procedures (TTPs) are reported into Elasticsearch, as highlighted below. This allows teams to track these threats through the rest of their infrastructure.

With the information they need at their fingertips, security analysts empowered by the combination of Awake Security and Elasticsearch can focus on risk management and decision making rather than data gathering and analysis. The correlated information can then trigger additional orchestration and response actions, including blocking domains or IPs at the firewall or proxy. All of this can be accomplished automatically in an instant.

To get started, all you need is the Elasticsearch server address and access credentials, and the integration is up and running in minutes. Contact Awake or your customer success manager if you would like to see this integration in action.

Krupa Patel

Principal Product Manager