IT pros plan to combine IT ops and security analytics data, along with ops and security monitoring and incident response workflows, using a new SIEM app that standardizes data schemas and challenges competitors on both price and capabilities.
The Elastic Stack isn't a total newcomer to the security information and event management (SIEM) market -- many enterprise IT shops use Elasticsearch, Logstash and Kibana software to ingest and analyze security data through user-created interfaces. But the Elastic Inc. SIEM tool, released last week, packages security analytics functions into the same Kibana-based interface as those it offers for IT monitoring.
The Elastic SIEM interface displays alerts based on rules users set for security analytics results, and security pros can investigate those alerts through the UI with click-and-drag features. Integrations with Palo Alto and Cisco firewalls support ingestion of their data into security analytics repositories, and further such integrations will follow in future releases, according to Elastic.
"People have been asking for a SecOps workflow in Kibana," said Mike Paquette, director of security products at Elastic Inc., based in Mountain View, Calif. "This makes it easier to create those workflows for incident responders."
Elastic SIEM stokes security analytics competition
The Elastic SIEM follows log analytics competitor Splunk and Elasticsearch cloud service competitor AWS into the security analytics market, but Elastic shops say the tool will create fierce competition for Splunk on price and AWS on UI features. The Amazon Elasticsearch service advertises support for security analytics data and built-in Kibana integration with its hosted Elasticsearch repositories, but does not advertise specific SIEM workflow features.
Splunk Enterprise Security, a separately licensed SIEM application for users of the Splunk Enterprise platform, has been generally available for more than three years. Its customers include Nasdaq, ASICS, PCSU and Aflac. Splunk also has security orchestration and end-user behavior analytics applications.
However, some former Splunk shops are willing to wait for Elastic SIEM features, because the price is right. Splunk's list pricing starts at $150 per gigabyte, per day, with volume discounts for larger amounts of data. Splunk Enterprise Security can't be purchased as a stand-alone product; it requires Splunk Enterprise, but users must still license Enterprise Security separately on top of that, and also pay separately for the data it indexes.
All of that added up for Oak Ridge National Lab (ORNL), which phased out its Splunk implementation in favor of Elastic over the last three years.
"We were paying for 600 [GB] to 700 GB per day with Splunk, which meant we were lousy co-workers to our IT group, because we had to tell them, 'Send us this field, not that field,' and limit the data ingestion severely," said John Gerber, principal cybersecurity analyst at Reston, Va., systems integrator SAIC, who has worked as a dedicated consultant at ORNL since 2001. "If we went beyond our monthly limit more than three times in a month, we would lose access to our data unless we called a Splunk sales rep."
ORNL started working with Elastic in 2014, and as of two months ago had phased out Splunk completely for security analytics data ingestion, which it managed through an in-house interface. Gerber estimated ORNL pays Elastic less than half the yearly cost for 1.2 TB of data ingestion per day that it paid for 600 GB to 700 GB per day of Splunk data ingestion. It also doesn't have to pay separately for Elastic data stored in its development environment.
More data, more useful info
The ability to store more data is key to get a complete picture of the IT environment for ORNL, which will make Elastic SIEM available to its IT ops groups, along with security engineers.
"Where does security data end?" Gerber said. "We recently caught a security issue because of higher-than-normal CPU utilization. Anything abnormal can be a security issue, and IT ops may see things the security staff doesn't recognize as a problem."
Another Elastic customer, KeyBank, has primarily used the Elastic Stack as a tool to feed AIOps data to Moogsoft. It too plans to test the Elastic SIEM, in part, because Elastic SIEM data is stored using the Elastic Common Schema, introduced earlier this year, which could standardize the data format for IT ops and security data. KeyBank, like ORNL, found it a cheaper alternative to Splunk, but must also weigh the cost of security data ingestion.
"Elastic isn't free. In addition to licensing, we have to buy the infrastructure to support security data," said Mick Miller, senior DevOps architect at the financial services company in Cleveland. "But a unified monitoring platform that locks everything down into one schema is what really excites me."
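What a single schema buys a SecOps team is that one rule can run over ops data and security data alike, and the two can be joined on the same field. The following is an added example, not Elastic's code and not anything from ORNL or KeyBank: it normalizes a constructed firewall deny record and a constructed host CPU metric into documents that use public Elastic Common Schema field names (`@timestamp`, `event.kind`, `event.category`, `event.action`, `event.outcome`, `source.ip`, `destination.ip`, `destination.port`, `host.name`, `host.cpu.usage`), then runs two simple rules over both and groups everything by host. The raw input formats, the port of interest and the CPU threshold are assumptions chosen for illustration.

```python
"""Normalize mixed ops/security records into ECS-style documents and run
one rule set over both. Added example; field names follow the public
Elastic Common Schema (ECS), but the inputs and thresholds are constructed."""

# Constructed sample inputs (not real captures).
# A firewall traffic record in a hypothetical key=value syslog style.
FIREWALL_RAW = ("ts=2019-07-02T10:15:30Z action=deny src=10.1.2.3 "
                "dst=203.0.113.7 dport=4444 host=web07")
# A host metric record from an infrastructure monitor (hypothetical format).
METRIC_RAW = {"timestamp": "2019-07-02T10:16:00Z", "hostname": "web07",
              "cpu_pct": 97.5}

# Assumed rule parameters (illustrative, not vendor defaults).
WATCHED_PORTS = {4444}
CPU_ALERT_THRESHOLD = 0.90  # ECS host.cpu.usage is a 0..1 fraction


def firewall_to_ecs(line):
    """Map a key=value firewall line onto ECS network-event fields."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {
        "@timestamp": kv["ts"],
        "event": {
            "kind": "event",
            "category": ["network"],
            "action": kv["action"],
            "outcome": "failure" if kv["action"] == "deny" else "success",
        },
        "source": {"ip": kv["src"]},
        "destination": {"ip": kv["dst"], "port": int(kv["dport"])},
        "host": {"name": kv["host"]},
    }


def metric_to_ecs(rec):
    """Map a host CPU sample onto ECS metric fields (host.cpu.usage is 0..1)."""
    return {
        "@timestamp": rec["timestamp"],
        "event": {"kind": "metric", "category": ["host"]},
        "host": {"name": rec["hostname"],
                 "cpu": {"usage": rec["cpu_pct"] / 100.0}},
    }


def get(doc, path, default=None):
    """Dotted-path lookup, e.g. get(doc, 'destination.port')."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


# Rules written once against ECS paths; they do not care which source
# produced the document.
RULES = [
    ("denied connection to watched port",
     lambda d: get(d, "event.action") == "deny"
     and get(d, "destination.port") in WATCHED_PORTS),
    ("abnormal cpu utilization",
     lambda d: (get(d, "host.cpu.usage") or 0.0) >= CPU_ALERT_THRESHOLD),
]


def normalize_all():
    """Return the constructed records as a single ECS-shaped event stream."""
    return [firewall_to_ecs(FIREWALL_RAW), metric_to_ecs(METRIC_RAW)]


def evaluate(docs):
    """Run every rule over every document; return alert dicts."""
    alerts = []
    for d in docs:
        for name, cond in RULES:
            if cond(d):
                alerts.append({"rule": name, "host": get(d, "host.name"),
                               "@timestamp": d["@timestamp"]})
    return alerts


def events_by_host(docs):
    """Join ops and security documents on the shared host.name field."""
    out = {}
    for d in docs:
        out.setdefault(get(d, "host.name"), []).append(get(d, "event.kind"))
    return out


if __name__ == "__main__":
    docs = normalize_all()
    for a in evaluate(docs):
        print(a)
    print(events_by_host(docs))
```

The point of `events_by_host` is the one Gerber makes above: because the firewall deny and the CPU spike both land under `host.name: web07`, an analyst sees them together without knowing which team's pipeline produced each record. Adding a third source means writing one more `*_to_ecs` mapper, not rewriting the rules.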
Elastic SIEM awaits Endgame
Both Gerber and Miller said the most intriguing feature of the Elastic SIEM has yet to be delivered -- its integration with Endgame, an endpoint security company Elastic Inc. said it would acquire in early June 2019. That acquisition hasn't yet closed, and Elastic is tight-lipped about its plans to combine Endgame with Elastic SIEM, but users see the writing on the wall.
"Our security team already knows Endgame," Miller said. "We had been looking at other SIEM products with Elasticsearch on the back end, but Endgame is very compelling."
ORNL's Gerber echoed Miller's sentiment that Elastic SIEM is a start, but Endgame integration is the true long-term appeal for the app.
"Endpoint logs and threat detection capabilities end up being essential to security, as well," Gerber said. "Endgame would take that a step further with next-generation malware detection."
Splunk declined to comment for this article.