Elastic Releases New Security Suite Integrating SIEM with Endpoint Protection

MMS Founder
MMS Matt Campbell

Elastic recently released Elastic Endpoint Protection, a new feature for integrated security built upon Elastic’s acquisition of Endgame. With Endpoint, Elastic is combining their SIEM product and endpoint security into a single solution built on the Elastic stack.

Earlier this year, Elastic announced the addition of Elastic SIEM to their product suite. A SIEM (Security Information and Event Management) aggregates and analyzes log data from a variety of sources and attempts to identify threats and breaches. Braden Preston, director of product at Elastic and product lead for Endpoint, described the Endpoint product, in a conversation with InfoQ, as a “fully integrated vertical solution from SIEM to endpoint without the need for additional modules”.

Screenshot of Elastic's SIEM UI

Elastic’s SIEM showing a detailed view of anomalies (credit: Elastic)

Endpoint security refers to methods of protecting the corporate network when accessed via remote devices. Endgame’s endpoint protection product was originally built using the Elastic Stack to facilitate the parsing and analyzing of log data. As Preston explained, this made the partnership between Elastic and Endgame a logical fit. Nate Fick, former CEO of Endgame and now general manager of Elastic Security, elaborated:

Stopping attacks as early as possible is the goal. That requires the best preventions and the highest fidelity detections on the endpoint. The combination of Endgame’s leading endpoint protection technology with Elastic SIEM creates an interactive workspace for SecOps and threat hunting teams to stop attacks and protect their organizations.

As Preston explained, the Endpoint solution does not rely fully on third party sources to provide threat intelligence nor does it require a constant network connection for protection. With endpoint protection solutions, there are two main models. In the first model, lists of known threats and attack vectors are routinely downloaded to the remote machine. The endpoint software scans for threats that match the lists and blocks anything that matches.

Endpoint employs a different approach which Preston described as Attack Technique Focused. In this approach, the system analyzes for anomalies in real-time that match pre-described attack behaviours. Preston explains that while the attacks can change and be adapted, the techniques that are used during an attack are finite. As he described, this provides deeper protection as attack techniques cannot be changed polymorphically in the same way attack signatures can; as in the approach taken by polymorphic malware.

Endpoint takes a layered approach to endpoint security. With this release, Elastic has incorporated their machine learning models to process the data collected from the SIEM to the endpoint. Coupled with that, the endpoint protection has a machine learning malware protection model that works to stop malicious executables and macros. This is trained and delivered on a periodic interval. The final layer addresses OS level attacks and is updated on a regular basis, typically following critical OS updates.

According to Preston, the team is enhancing Endpoint’s prevention models that autonomously stop attacks to continuously protect endpoints without requiring additional modules or deployment complexity. While Endpoint already ships all its data in the new Elastic Common Schema, the team will continue making endpoint security a native experience in the Elastic Stack. Earlier this year, Elastic introduced their common schema as a means to provide a consistent way to structure data in Elasticsearch to streamline analysis of data from multiple sources.

Early reviews of Elastic’s SIEM offering have been fairly positive. Upguard compared Elasticsearch and Splunk and found that Elastic’s offering just beat out Splunk on criteria such as community support and learning curve. However, some reddit users called out that there is limited firewall support for the SIEM at this time, with support only for Palo Alto Networks and Cisco ASA.

Elastic’s Endpoint Security features are available under the Elastic License. As previously covered by InfoQ, this means that the features are available to users of Elastic’s open-source models or their SaaS offering, Elastic Cloud. However, users of AWS’s Open Distro for Elasticsearch or their fully-managed Elasticsearch Service offering will not have access to these new features.

Subscribe for MMS Newsletter

By signing up, you will receive updates about our latest information.

  • This field is for validation purposes and should be left unchanged.