peshkova - Fotolia

Elastic SIEM spring release will complete Endgame tie-in

Endgame agents can now send endpoint security data to the Elastic SIEM, but UI and data schema integration -- and the ability to take action on endpoints -- will come next year.

Elastic Inc. is preparing another shot across the bow of IT monitoring and analytics competitor Splunk with the integration of endpoint security features it plans to complete in the next six months.

The Elastic SIEM will add initial integration with software from Endgame, the endpoint security firm Elastic acquired in June, in a release that will be available Nov. 1. This initial integration will pull Endgame telemetry into the Elastic back end, where it can be visualized alongside the rest of an organization's information from Logstash, Beats and other data collectors, via Kibana.

In the next release, endpoint security data will be displayed in the Elastic SIEM user interface, and will be covered by the Elastic Common Schema, a specification that adds consistency to data collected from various sources. Users will also be able to take enforcement action on endpoints through the SIEM UI in the later release, such as isolating an infected host, killing a suspicious application process, or removing an attacker from a system.

Sebastian Mill, CTO of global development, InfoTrackSebastian Mill

The Elastic SIEM, available since June, appeals to Elastic Stack users who want a centralized monitoring, logging and data visualization platform for various types of data, whether for infrastructure and application performance monitoring or security operations. This convergence of data monitoring tool sets reflects a convergence between security and IT operations teams under DevOps.

"We have over 100 developers across three countries," said Sebastian Mill, CTO of global development at InfoTrack, a legal practice software maker based in Australia, with offices in the U.K. and U.S. "All of them can log in and see how their app is performing, and Elastic makes it easier for us to provide security to our DevOps teams as well."

Security monitoring is particularly complex in a geographically distributed infrastructure where hundreds of millions of logs are collected from systems on a daily basis. InfoTrack, which uses the Elastic SIEM, plans to add endpoint security integration when it becomes available, and use Elastic's machine learning tools to refine security analysis on its data.

It's ... really interesting to us that we cannot just alert and monitor, but also take action, and [avoid] alert fatigue from various different tools.
Sebastian MillCTO of global development, InfoTrack

"With endpoints, the number of assets will increase exponentially," Mill said. "It's also really interesting to us that we cannot just alert and monitor, but also take action, and [avoid] alert fatigue from various different tools."

Endgame helps Elastic catch up with its chief competitor, Splunk, which already offers endpoint security monitoring and enforcement features in its Enterprise Security product. So far, the Elastic SIEM's chief appeal for enterprise users has been cost, as the SIEM product is not licensed separately from Elastic Stack, and Elastic has typically charged less for data collection and retention than Splunk, although Splunk introduced new pricing models, including $10,000 "Rapid Adoption" packages, last month.

Elastic SIEM users wary of endpoint security costs

Elastic also plans to take a competitive approach to cost with endpoint security in the Elastic SIEM, though some enterprise users are more concerned about how data collection costs and network bandwidth demands will shake out with many more endpoint assets to monitor. endpoints are any devices attached to a network, which also includes laptops, desktops and even API endpoints on servers.

"It becomes very interesting to see how much data will be sent into Elastic, where Elastic will ultimately make its money, and how much will stay on the client," said John Gerber, principal cybersecurity analyst at Reston, Va., systems integrator SAIC, who has worked as a dedicated consultant at Elastic customer Oak Ridge National Laboratory (ORNL) since 2001.

"One has to question [the] balance of keeping [data] local and calculating at the endpoint, versus sending [it] to the central log area for analysis, and how that model will be affected by Elastic's pricing," he said. "It will be interesting to see what develops as Endgame and Elastic work these issues out."

Endgame's agent can store data locally on the endpoint when it is disconnected and then stream it back to the Elastic Stack when a network connection is available, which organizations can use to optimize bandwidth, Elastic officials said.

The Elastic Common Schema also does some pre-analysis of data before it's ingested, which eases some of the performance requirements for ingestion into the central data repository and analysis once it's there. Users also have a choice about whether they attach endpoints to the Elastic SIEM if they are concerned about data collection and storage costs.

On the licensing front, as of its Nov. 1 release, Elastic will not charge separately for Endgame for users of its Elastic Enterprise license. Users of this license level will get Endgame agents with no additional fee.

However, ORNL's Gerber said he believes Endgame will require a license upgrade for his organization to Elastic Enterprise from Elastic Stack Platinum.

"Organizations will need to decide if they switch their license completely to Enterprise, split their licenses, or stay with [a lower] license while they wait for their current endpoint protection license to expire and Endgame to get integrated in Elastic," he said.

Dig Deeper on IT systems management and monitoring

Software Quality
App Architecture
Cloud Computing
Data Center