Learning About SOCs and Elastic Stacks
This semester I was fortunate enough to be able to work at The Leahy Center with other cybersecurity students. At the beginning of the internship, we were introduced to the responsibilities of a security operations center (SOC). The main goal of a SOC team is to prevent, detect, analyze, and respond to threats, as well as maintain data compliance measures. We learned about the tools that a SOC team uses, which led us to our goal of developing an Elastic Stack. An Elastic Stack, or ELK stack, is a collection of open-source tools that work together to collect, ship, search, analyze, and visualize data. I was tasked with configuring a working stack using Elasticsearch, Kibana, and Winlogbeat.
Elasticsearch indexes and stores data; it’s the heart of the Elastic Stack. It is an open-source, powerful analytics and text search engine. It’s an extremely useful tool when you need to organize, filter, or analyze a large amount of collected data. Kibana allows the user to visualize and analyze the data provided by Elasticsearch. It’s essentially an Elasticsearch dashboard interface where you have access to all the data you’ve collected. Beats are a collection of lightweight data shippers that are installed on endpoints and send data to Logstash or Elasticsearch. There are different types of Beats that collect different types of data. Winlogbeat runs as a Microsoft Windows service, collecting Windows Event Viewer logs and shipping them to Elasticsearch or Logstash.
Getting Familiar With the Programs
We first familiarized ourselves with Elastic by configuring a stack using their cloud. We then set up a Windows VM (virtual machine) and configured Winlogbeat to send the system’s Event logs to our Elastic Cloud. I set up dashboards in Kibana to view the logs, create alerts, and explore other capabilities of the cloud stack, like machine learning anomaly detection. Once we had some exposure to Elastic, we needed to create and configure our own stacks. I set up Elasticsearch and Kibana on an Ubuntu VM, connected them, and configured Winlogbeat on my Windows VM to send its log data to Elasticsearch.
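A minimal winlogbeat.yml for the setup described above (Winlogbeat on the Windows VM shipping straight to Elasticsearch on the Ubuntu VM), added here as an example rather than taken from the original post. The Ubuntu VM address, the user name, the keystore entry and the certificate path are placeholders; the event IDs are the ones a SOC analyst typically reviews first.

```yaml
# winlogbeat.yml on the Windows VM (constructed example; the host, user,
# keystore key and certificate path below are placeholders, not values
# from the original post)
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h
    # Keep only high-value Security events to reduce index volume:
    # 4624 logon success, 4625 logon failure, 4688 process creation,
    # 4720 user account created
    event_id: 4624, 4625, 4688, 4720
  - name: System
  - name: Application
  - name: Microsoft-Windows-Sysmon/Operational   # only if Sysmon is installed

output.elasticsearch:
  hosts: ["https://192.0.2.10:9200"]     # Elasticsearch on the Ubuntu VM
  username: "winlogbeat_writer"           # dedicated least-privilege user, not "elastic"
  password: "${ES_PWD}"                   # pulled from the Winlogbeat keystore, not plaintext
  # Pin the stack's CA so the shipper refuses to send logs to an impostor
  ssl.certificate_authorities: ["C:/ProgramData/winlogbeat/ca.crt"]

setup.kibana:
  host: "https://192.0.2.10:5601"        # Kibana on the same Ubuntu VM
```

Store the password with `winlogbeat keystore add ES_PWD` and validate with `winlogbeat test config` and `winlogbeat test output` before installing the service, so a typo or a TLS mismatch shows up before the first logs are expected to arrive.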
My Experience
Over the course of the semester, I’ve greatly improved my confidence working inside Linux. Much of the work has been configuring the different components of the stack so that they work together. This was my first experience working with Elastic, so all of the ELK stack components were new to me. Luckily, I’ve had experience configuring other tools and systems on a network in the past, and that has carried over into my work configuring Elasticsearch, Kibana, and Winlogbeat. I’ve run into some frustrating roadblocks along the way, but when I got everything working and saw logs populating my stack for the first time, it was a good feeling.
In the next phase, we are going to start learning how to analyze logs and alerts. I’m really looking forward to it because I have very limited experience analyzing logs and writing reports.
Written by Ryan Harvey ‘24 // Computer Networking & Cybersecurity