kibana VS elasticsearch-mapper-attachments

As you might have guessed, I spend a lot of time thinking about application security - almost every day, in fact. At my day job, I'm constantly pondering how to enhance Kibana's security in a scalable manner without overburdening my already hardworking team. Outside of work, I'm equally dedicated to making Secutils.dev even more valuable to fellow engineers looking for better security tools.

These newsletters are among the best sources to stay up-to-date with the latest happenings in JavaScript, web development, and Node.js. They conveniently categorize content into sections like new releases, articles & tutorials, and code & tools. Since I use JavaScript/TypeScript and Node.js extensively, both in my day job and for Secutils.dev, I have to stay informed about developments in these essential tools. Usually, I quickly scan through the newsletter and focus only on the items that grab my attention — it doesn't consume much time but keeps me well-informed.

This is the second part of my reflection sparked by the recent “2023 State of Open Source Security” report from Snyk. It got me thinking about the price we pay for false positives in software security. In my previous post, “The Cost of False Positives in Software Security, Part 1: Small Applications”, I talked about how true and false positives affect smaller applications like Secutils.dev. Now, I want to take the same idea and apply it to a much larger software that’s a big part of my daily work: Kibana.

False positives in security are something that really bothers me, as I happen to work on security for both large applications like Kibana, with hundreds of contributors, and smaller ones like Secutils.dev, where I'm the sole developer.

The increasing complexity of modern systems led to the rise of AIOps (Artificial Intelligence for IT Operations) and observability practices. AIOps leveraged machine learning algorithms to automate problem detection, analysis, and resolution. Observability focused on gaining insights into system behaviour through metrics, logs, and traces. As a result, tools like Prometheus, Grafana, and ELK stack (Elasticsearch, Logstash, Kibana) gained popularity.

There was a discussion on Elastic's Github quite a while ago: https://github.com/elastic/kibana/issues/88956 but I haven't found any related documentation on Elastic's website.

ahh good catch here, I have raised a FR to get this added to Kibana https://github.com/elastic/kibana/issues/157348

Elasticsearch - www.elastic.co/

The increasing complexity of modern systems led to the rise of AIOps (Artificial Intelligence for IT Operations) and observability practices. AIOps leveraged machine learning algorithms to automate problem detection, analysis, and resolution. Observability focused on gaining insights into system behaviour through metrics, logs, and traces. As a result, tools like Prometheus, Grafana, and ELK stack (Elasticsearch, Logstash, Kibana) gained popularity.

My only experience with NetFlow collection is on my home firewall/router running pfSense Community Edition, which is free to download and can be installed on a wide assortment of X86 hardware. I installed the Softflowd package, which exports NetFlow data to a dedicated Elasticsearch/Logstash/Kibana (ELK) server on my LAN. I believe Security Onion and ElastiFlow also can be NetFlow collectors.

Elasticsearch, Logstash, and Kibana (ELK) Stack: An open source suite of tools for log management and analysis, providing real-time insights into security events.

Recently I have taken an interest in big data. https://neo4j.com/ , https://cassandra.apache.org/ , https://clickhouse.com/, https://www.elastic.co/ - are all databases I have experience with. Neo4j and Cassandra only as a hobby, but Clickhouse I have used in production, and Elasticsearch I have used for some 7 years now.

Buy an enterprise-class, wired router like the Negate 2100 ($349 USD), which runs pfSense, and configure the Deco AXE5400 device(s) to operate in Access Point Mode. Then install the Softflowd package through the pfSense web UI. Softflowd will collect and export NetFlow data to a NefFlow collector, which is the separate computer/VM/container referred to above, running software like Security Onion, ElastiFlow, or Elasticsearch/Logstash/Kibana (ELK).

If you’re unaware, elastic search is some like enterprise level search shit. They just put it in a theme. https://www.elastic.co

systemctl status kibana ● kibana.service - Kibana Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2023-03-28 09:40:05 UTC; 33min ago Docs: https://www.elastic.co Main PID: 3168 (node) Tasks: 11 (limit: 9432) Memory: 303.3M CPU: 35.190s CGroup: /system.slice/kibana.service └─3168 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist --logging.dest=/var/log/kibana/kibana.log --pid.file=/run/kibana/kibana.pid "--deprecation.skip_deprecated_settings[0]=logging.dest" Mar 28 09:40:05 wazuh systemd[1]: Started Kibana.