The Elasticsearch SIEM Architecture of a Nonprofit: Security at The Nature Conservancy
Editor's Note (May 17, 2017): The Nature Conservancy team was honored with a CSO50 award for the work they presented at Elastic{ON}. The award recognizes projects and initiatives that demonstrate outstanding business value and thought leadership.
With 4,000 employees distributed across 70 countries, Nick Waringa and Daniel Shirer of The Nature Conservancy (TNC) are not scientists. They are information technology and security experts, who spend their days thinking about ways to effectively understand the activity happening across their networks and systems.
They presented how they're finding success with Elastic products at Elastic{ON} 2017.
TNC is a science-driven organization dedicated to conservation efforts worldwide, Waringa explained, all of which generate a multitude of data. And while data about endangered flying squirrels, fishery management, forest conservation, and strip mining plans might inform a relatively low risk profile for TNC, data about donations, donors, and protected land certainly increases it.
With offices and outposts all around the world, often in areas with low bandwidth and limited or satellite connectivity, Waringa and Shirer’s challenge is growing. “We have over 200 field offices on-WAN, we have 250 offices that are off-WAN, and we have 533 home offices,” explained Waringa. And with limitations around centralization, directory services, and domain management, “How do you tie a user to a computer and understand the behaviors going on?” Waringa asked.
From users unknowingly accessing a bad host to attacks on their network or even data exfiltration, Waringa and Shirer are tasked with protecting TNC’s sensitive information.
With a background in SIEM, Waringa has seen his fair share of security vendor solutions. “They would bring in a lot of resources that were generalized, but they would not help you understand your network at the end of the day.” And that’s ultimately their goal: a complete and relevant picture of what was happening — from network paths and creation to client behavior.
That’s where Elastic Stack, X-Pack, and Elastic support services offered them capabilities and flexibility they were looking for.
Shirer described the architecture for their network security sensors in their field offices. Each is running Snort (for threat intelligence) and Bro IDS (their network flight recorder), Shirer explained. “[Bro is] identifying different types of data out of the network stream like HTTP, DNS, DHTTP — any files it finds, flying squirrel data, you name it,” he said.
That data is then shipped by combination of Filebeat, Metricbeat, and a community beat called Unifiedbeat, which handles Snort Unified 2 logging, to Logstash for pre-processing before reaching Elasticsearch and Kibana for analysis and visualization. They use a similar flow for some of their syslog sources.
Shirer dove deeper into their hardware and software design decisions — including their use of consumer gaming hardware — and how they configured it for their distributed and remote workforce. He highlighted their use of the Logstash sleep, translate, and dissect plugins, in addition to their use of Kibana heatmaps.
A happy outcome to their work, Waringa noted, is a strengthening of their relationship with the operations team, which is interested in adding their data to the Elastic Stack. It opens up valuable opportunities with operational metrics for both teams. “It gives us security visibility and context,” Waringa explained. “It also gives the security guys the logs they need and...the operations guys what they’re looking for.”
Waringa closed with possibilities for expanding their use of the Elastic Stack. “We have tons of data that’s not IT, ‘geeky data’ that we could be doing things with,” he said. With preserves all over the world, could TNC deploy sensors into the field and collect the data that’s relayed via drone flybys into Elastic? Could they do micro-level climate change monitoring on a scale not seen before? Could they improve other aspects of the business and use X-Pack machine learning features to help better inform TNC spending decisions?
“Why not?” Waringa said. “Elastic is a great place for that.”
Watch the full presentation from Elastic{ON}. (And explore other sessions from our 2017 user conference.)
Banner image from Chris Bambrick on Flickr.