
ELK Centralized Security Solution to Monitor and Secure Hybrid IT Infrastructure.

Customer Introduction

The customer is a Saudi airline based out of King Abdulaziz International Airport in Jeddah. It is owned by Saudi flag carrier Saudia founded in 2016. The airline currently serves domestic destinations with a considerable number of Airbus carriers. The venture is part of the 2020 Transformation Strategy, which aims to elevate the group's units to world-class status by 2020.

Citrus Consulting Services empowers the leading airline with the implementation of an ELK Centralized Security Solution to monitor and secure its hybrid IT infrastructure.

Challenge Overview

  • A solution to give insight into, and a track record of, the activities within their IT environment.
  • Ability to analyze the log entries to identify signs of malicious activity.
  • Meet compliance and audit requirements.
  • A SIEM solution that can significantly increase the efficiency of incident handling and save security professionals time and resources.

Solution Overview

ELK Stack Architecture

Endpoint devices such as the WLAN controller, routers and switches send syslog to the centralized servers. Filebeat, which is installed on the centralized server, fetches the logs from the stored files and sends them to the ELK Stack. We can also use Logstash to parse the data, or simply use Filebeat modules to parse it. Filebeat is also used to fetch audit logs from Microsoft Exchange using the o365 module.

Linux servers use Metricbeat and Auditbeat to send resource metrics and audit trails to the ELK Stack. Similarly, Windows machines use Winlogbeat to ship Windows events to the stack.

ELK Build Details

ELK is running as a SaaS solution. Auditbeat and Metricbeat have been installed on Linux machines to send audit-related logs and metrics to the ELK Stack. Since the VMs are deployed in the cloud, we use the native cloud services/libraries to deploy these agents whenever a new VM spins up. Winlogbeat has been installed on Windows to collect security-level Windows events.

Cisco devices and the WLAN controller send their logs via syslog to a centralized server. Logstash or syslog-ng can be used to capture these logs. The Filebeat agent installed on the syslog server fetches the logs and parses them using the standard modules. The use case for syslog-ng is when the same logs also need to be sent to other solutions.

When using Logstash, we can capture the logs and define individual pipelines to parse them as per the requirements. We have deployed Filebeat on the WLAN controller to capture access point related logs. Filebeat can fetch the stored access point logs and send them directly to the ELK Stack, or to Logstash in case we need to parse the logs.

The Filebeat o365 module is used to fetch security and audit logs from o365:

  • User.Read
  • ActivityFeed.Read
  • ActivityFeed.ReadDlp
  • ServiceHealth.Read

Filebeat has been installed on the centralized server, from where it queries the o365 cloud to retrieve the logs. Another way is to stand up an instance in the same environment where o365 is hosted and install the Filebeat agent on that instance. For both approaches, we need to configure o365 to add an app and give it the required permissions so that Filebeat can read the logs.
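A `modules.d/o365.yml` for the setup described above, as an added example that is not the customer's or Citrus Consulting's actual configuration. The application ID, tenant, keystore key name and the selection of content types are placeholders and assumptions.

```yaml
# modules.d/o365.yml  (added example; every ID below is a placeholder)
- module: o365
  audit:
    enabled: true

    # Application (client) ID of the app registered in o365 for Filebeat.
    # This is the app that is granted the permissions listed above.
    var.application_id: "<application-id>"

    # Tenant(s) whose audit logs are collected.
    var.tenants:
      - id: "<tenant-id>"
        name: "<tenant>.onmicrosoft.com"

    # Keep the client secret out of the file and out of version control.
    # Store it in the Filebeat keystore (key name is an assumption):
    #   filebeat keystore add O365_CLIENT_SECRET
    var.client_secret: "${O365_CLIENT_SECRET}"

    # Collect only the feeds that are needed (assumed selection).
    # The Audit.* feeds correspond to the ActivityFeed.Read permission,
    # DLP.All to ActivityFeed.ReadDlp. Granting the app no more than the
    # permissions its configured feeds need limits what a leaked secret
    # can read.
    var.content_type:
      - "Audit.AzureActiveDirectory"
      - "Audit.Exchange"
      - "Audit.General"
      - "DLP.All"
```

After `filebeat modules enable o365`, running `filebeat test config` checks the file before the service is restarted.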

Benefits Delivered to Customer

  • Centralized logging system adhering to the compliance standard followed by the customer, providing real-time insights and alerts for threats and unusual activities in the environment.
  • Integrated various network devices and security tools to create a centralized logging and monitoring center.
  • Anomaly detection using machine learning.
  • Custom SIEM detection signals to cover security gaps.
  • Advanced watchers with conditions and transformations to remove false positives.
  • Adhering to strict timelines to ensure smooth completion of the project.
  • Ensuring 100% business continuity through 24/7 Managed Support Services by Citrus Consulting Services.
