Savvius sells packet capture and analysis appliances. These appliances range in size to capture packets on 100Mbps networks up to 20Gbps networks. Our newest mini appliance called Savvius Insight comes with the ELK stack built-in. ELK can be installed on any of the other appliances as well. Savvius appliances make good hosts for ELK because they are powerful multi-core servers with lots of disk space. With ELK, the disk space can be shared between the packets and the events. And with ELK, the appliances can be used to capture and analyze packets as well as used as a SIEM for the security events that are generated as the result of analyzing those packets.
One of the appliances in the product family, called Vigil, is an innovative and award winning packet capture appliance that uses events from IDS systems to determine which packets to capture. The captured packets are those that are part of the flow specified in the event, 5 minutes before and after the event. This allows Vigil to save more of the security related packets for longer periods of time, instead of just saving all of the packets. With more of the security related packets, security investigations to go further back in time to discover the source of a breach, and the effect it had once it got in. And this is critical, because you absolutely require the packets to investigate a breach because packets don’t lie! People can lie, logs can lie, but packets cannot lie!
So Vigil is a must have, I hope that is clear enough. But whether it is Vigil, or any one of the Savvius appliances you are using to capture the packets, you still need a SIEM to collect and aggregate the events, alert on the events, and do all kinds of fancy statistical analysis, correlation, and visualization of the events, among other things that a SIEM does. And since more and more folks are using ELK as the basis of their SIEM, what I am proposing is to install ELK on your Vigil, Omnipliance, or Insight appliance, along with a growing number of community and commercial extensions to enhance the functionality of it in important ways, and use the appliance as both the SIEM and the packet capture appliance. This is super smart for more reasons than I have time to talk about here. For now, let’s just let this Google trends graph speak for itself:
Oh yeah, ELK is trending up big time. It may not be quite the Pokémon spike we saw earlier this year, but unlike Pokémon, which peaked, and then fell hard, ELK is consistently trending up. But other than winning the popularity contest, the main reason to have Vigil as the packet capture and SIEM on the same appliance, is that you have a one stop shop for both the events and the packets. Why would you want to separate them anyway? They are like Peanut butter and jelly. They taste great together.
For now though, here is the point. Why spend a bunch of money on a separate IDS, SIEM, and packet capture appliance, when you can install the ELK stack right onto a Savvius packet capture appliance, and use it as the SIEM as well? The appliance certainly has the CPU horsepower and the disk space, and in the case of Vigil it has all of the IDS events being sent to it already, as well as the packets. And guess what, Vigil is already half way there with ELK. In Vigil 2.0, Savvius started shipping Vigil with Logstash as what it calls the Universal Parser. In this case Logstash is used to take events from different IDS systems and homogenize them into a single format for Vigil. This way, just about anybody can write a Vigil parser for a new IDS, and drop it into Vigil without requiring a new release of Vigil. That was a really smart idea, and the guy or gal at Savvius who thought of it should get a raise. 😉
By adding the other two components of ELK, mainly Elasticsearch and Kibana, you have the full ELK stack on Vigil, and can start doing amazing things with the data. Not only can ELK be used to analyze the events in many different ways right out of the box, but there are a growing number of plugins available to visualize, report, and alert on those events as well. There are quite a few community based, or open source plugins, and the company behind ELK, called Elastic, provides commercial packages like X-Pack, that extend the capabilities of ELK for authentication, role based access, reporting, alerting, graphing, etc. Recently, Elastic acquired a company called prelert, which provides incident management tools that automatically isolates the causality of applications in real time. Word has it that Elastic will be adding this capability into a future release of X-Pack.
So how does it all work? Well, if you are using Savvius Insight for your smaller network, you already have ELK installed. If you have an Omnipliance then Logstash, Elasticsearch, and Kibana can be downloaded from the elastic.co website and installed. And if you are using Vigil, Logstash is already installed, so you just need to install Elasticsearch and Kibana. And because Kibana is a web based app, it requires a web-server. I would recommend nginx, as it is the web server that Savvius uses on the Savvius Insight device, which already has the ELK stack on it. And if you are thinking hey, why don’t I just use Savvius Insight as a packet capture and SIEM appliance, since it already has all of this stuff on there? Well, I have thought of that too, and it is a great idea for smaller remote office locations. And how about going all the way, and running the IDS on the appliance as well? For certain environments this may make sense. So you see, there are many options, as is shown in the diagrams below. As you can see, one of the advantages is that the more you can do on a single appliance, the fewer appliances you need, and the fewer ports on your expensive smart tap you will have to use.
And then you may be thinking hey, why doesn’t Savvius put all of this great ELK stack stuff on the Vigil and Omnipliances for me, and do a new release? Well, you never know, if enough customers come back and say, hey Savvius, do that, then guess what will happen? But for now, it is relatively simple to extend Vigil and Omnipliances with these capabilities, and it will definitely be worth it. I mean, have you seen the Kibana dashboards? Do you know how powerful it is to graph your data in so many ways, making high level intelligence accessible to more people? These are game changers, and the potential should not be underestimated. You do want to be an IT hero, right?
Beyond installing the ELK stack, you will need to add the necessary Logstash .conf files for the IDS’s you want to send events from, and the searches, visualizations, and dashboards to Kibana. An example of this is described in this github article on adding snort to Insight: https://github.com/spacepacket/insnort/wiki/Insnort-Wiki. A big collection of Logstash.conf files for other IDS systems can be found here: https://github.com/SMAPPER/Logstash-Configs/tree/master/configfiles.
If you are Interested in learning more about Using ELK as a SIEM, register for our webinar tomorrow!
Using ELK as a SIEM 10/26/16 8:30am PDT / 11:30am EDT
Chris Bloom- Technology Evangelist at Savvius