I had the opportunity to write a Thesis for my Security Masters Program at the University of Houston (Program Website here for those interested). It was a long, but fun experience that allowed me to put my research skills to use, and pushed me to implement the ELK Stack as a potential SIEM replacement solution. I hope you find this helpful or at least get some ideas out of it to implement it at your organization.
Organizations of all sizes are fighting the same security battles while attackers keep changing the threat landscape by developing new tools and targeting victim endpoints; however, their attack kill chain along with motives have not changed, as their attacks initialize the same way and their end goal is usually data exfiltration of Intellectual property, or credit card information. This thesis proposes and evaluates The Elasticsearch Stack solution (ELK), an enterprise-grade logging repository and search engine to provide active threat hunting in a Windows enterprise environment. The initial phases of this thesis focus on the data quality, unsupervised machine learning, and newly developed attack frameworks such as MITRE’s (ATT&CK) as prerequisites to developing the proposed solution. Lastly, by using publicly known Attack Kill Chain methodologies such as Mandiant’s, several attack use cases were developed and tested against the ELK stack to ensure that logging was adequate to cover most attack vectors.
Again, thanks for reading, and let me know if you have any questions.