Black Hat Europe

Elastic, the biz behind open-source search engine stack Elasticsearch, has launched its own SIEM – a somewhat counterintuitive thing to do, you'd think, until you look at how many others are using Elasticsearch for lucrative security products.
For those not in the know, SIEM is short for Security Information and Event Management: a fancy term for keeping tabs on all sorts of alerts and warnings of suspicious network activity, drawing data from various sources and presenting it in a manageable form.
Building on its recent declaration that its ECK tool is the official search function for Elasticsearch on Kubernetes, Elastic wants to recapture market ground from others profiting from its open-source tool.
They're a bit coy about it, though. The global biz's James Spiteri told The Register at Black Hat Europe that this was all about offering customers a better choice of integrated tools, with eating a slice of the pies being baked by others on its Elasticsearch tool as a very distant second priority. Of course.
"How many tools were built on Elasticsearch was really the main driver," said Spiteri. Talking of various security logging, log-storing and log-trawling tools available on the market today, he added: "No longer do you have to have separate vendors for those technologies… they work fantastically together immediately as of today [on Elasticsearch's SIEM] which is nice. Apart from that, our open-source nature gives us a lot of trust in the community."
For comparison, Gartner lists no fewer than 44 SIEMs. This is a market that is, as an industry veteran commented to El Reg earlier this year, ripe for consolidation. Yet Elastic is pushing on.
Elastic bought out endpoint security vendor Endgame earlier this year, whose tech was (in part) built on Elasticsearch. The company is now integrating Endgame's tech with its SIEM, which has been dangled before prospective customers since June this year.
"If you think about it," Spiteri mused, "the security industry is a search problem… it's about being able to have an urgent conversation about your data. We never expected to go into [the field of security products] but we just did. It was evident; if you see the amount of open-source downloads built on top of Elasticsearch, it spoke for itself."
Around 200 people make up Elastic's security division, most of whom were acquired along with Endgame. Spiteri said the company aims to bulk out its malware detection capabilities and start looking at fresh data sources and threat intelligence providers, though he admitted they haven't picked any just yet.
"Over the next few months we're going to cover everything that's missing. Threat intelligence, correlation stuff, we're looking to rapidly add those features. We just want to make sure it's done properly."
Elastic does have a modest security pedigree to point at. Cisco and Palo Alto Networks have both adopted its Elastic Common Schema ("a standardised set of field names," as Spiteri explained) for ingesting security data into Elasticsearch for later crunching. Having two industry big dogs using both the underlying tech and Elastic's preferred method of using it certainly won't hurt.
Whether Elastic will continue picking fights with AWS's definitely-not-a-fork of Elasticsearch remains to be seen. Indeed, whether the firm will prosper in the busy security market also remains to be seen. ®