I’m a security analyst at Orange Business Services in Paris, and one of my current projects for the Orange Group is implementing a new SIEM based on the Elastic Stack. In this blog post, I’ll share why we chose Elastic and how we were able to integrate Elastic into our existing SIEM, resulting in faster investigations and saving our engineers’ time. So follow along.

Orange Group is a multi-service network operator and digital service provider in 26 countries and serves about 253 million customers with 147,000 employees. Orange Business Services, the unit dedicated to businesses and organizations, focuses on digital services. From connectivity, the Internet of Things (IoT), and the cloud to artificial intelligence (AI), application development, and cybersecurity, Orange Business Services works with its clients to harness the true value of their data, helping them every step of the way.

Integrating the Elastic Stack into our SIEM strategy

The Orange International Network Infrastructure (OINIS) department, which is in charge of building the Orange group’s international network, identified the need for a modern security monitoring solution capable of keeping up with the constant changes in the fast-paced world of security. As a result, two of our departments recently decided to collaborate on redesigning and modernizing the Orange Business Services SIEM infrastructure, which has been dubbed “EYES.” The key criteria for selecting our new solution were speed, simplicity of data integration, and better visualization tools. Elastic had piqued our interest as early as 2018. We were finally convinced to take the plunge with Elastic after the ElasticON Tour Toronto and hearing the feedback from the security team at Bell Canada (before Elastic introduced its own turnkey SIEM solution, which we will be rolling out soon).
Finding themselves in a similar situation to our own, the team at Bell Canada had quickly taken the initiative of completely replacing their SIEM with the Elastic Stack, which was capable of ingesting all of their security logs, automatically detecting threats, and standardizing the format of their logs. We were also interested in Elastic’s machine learning features, which promised to help us modernize our SIEM approach. We decided to implement the Elastic Stack for a functional proof of concept (POC) in less than three months. However, we took a slightly different approach than Bell Canada, in that our existing SIEM solution is still being used for its correlation engine. Following our three-month-long POC, we copied all our logs into the new infrastructure and enabled the Elastic Stack’s security features to protect access to our clusters.

We started by learning to use the Elastic Stack ourselves; we were able to find all the necessary information to get started on the Elastic blog. Later on, we started working closely with the teams at Elastic in order to roll out new features. Elastic’s Support team has always proven to be very responsive, whether we came to them with application debugging questions or requests for advice on integration, or even our security architecture. Our infrastructure evolved very quickly as a result:
We separated the Dev, Preprod, and Prod environments, allowing us to quickly test the new features offered by Elastic and determine whether we wanted to go into production with them.
Logstash also quickly went from a simple parsing tool to an essential tool for enriching our logs.
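To make the "parsing tool to enrichment tool" step concrete, here is an added illustration of the kind of Logstash pipeline that does both: it parses a firewall log line, then enriches it with GeoIP, a reverse DNS lookup and a threat-intel lookup before writing to a cluster that has Elastic's security features (TLS and authentication) enabled. This is example code written for this page, not Orange's EYES pipeline or anything published by Orange or Elastic; the sample log line is constructed, and the hostnames, index name, keystore entry, certificate path and dictionary file are assumptions. The `ssl`/`cacert` output options and the `translate` filter's `source`/`target` options are the 7.x-era names, matching the Stack version the post is about.

```conf
# Added example (not from the original post). Assumes Logstash 7.x with the
# bundled grok, date, geoip, dns, translate and elasticsearch plugins.
#
# Constructed sample input line (iptables-style syslog from a host "fw01"):
#   Jan 12 10:15:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=10.0.0.7 PROTO=TCP DPT=22

input {
  beats { port => 5044 }               # assumption: Filebeat ships the syslog file
}

filter {
  # 1. Parsing: pull the fields out into ECS-style names.
  #    ":int" on DPT converts the port to a number at parse time.
  grok {
    match => {
      "message" => "%{SYSLOGTIMESTAMP:syslog_ts} %{SYSLOGHOST:[host][name]} kernel: %{WORD:[event][action]} IN=%{DATA:[observer][ingress][interface][name]} SRC=%{IP:[source][ip]} DST=%{IP:[destination][ip]} PROTO=%{WORD:[network][transport]} DPT=%{INT:[destination][port]:int}"
    }
    tag_on_failure => ["_grokparsefailure"]   # keep unparsed events, but flag them
  }

  # Set @timestamp from the syslog time instead of the ingest time.
  date {
    match  => ["syslog_ts", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss"]
    target => "@timestamp"
  }

  # 2. Enrichment: geolocate the external source address.
  geoip {
    source => "[source][ip]"
    target => "[source][geo]"
  }

  # Reverse-resolve the source into an ECS "address" field.
  # The original IP stays in [source][ip]; only the copy is replaced.
  mutate { copy => { "[source][ip]" => "[source][address]" } }
  dns {
    reverse => ["[source][address]"]
    action  => "replace"
    hit_cache_size  => 4096        # avoid hammering the resolver on repeated IPs
    hit_cache_ttl   => 900
    failed_cache_size => 1024
    failed_cache_ttl  => 300
  }

  # Threat-intel lookup: a YAML dictionary of "ip: description" maintained by
  # the SOC (assumed path). Unknown IPs fall back to "clean".
  translate {
    source          => "[source][ip]"
    target          => "[threat][indicator][description]"
    dictionary_path => "/etc/logstash/ioc.yml"
    fallback        => "clean"
    refresh_interval => 300
  }

  # Tag events that hit the list so a detection rule can key on a single field.
  if [threat][indicator][description] != "clean" {
    mutate { add_tag => ["ioc_match"] }
  }

  mutate { remove_field => ["syslog_ts"] }   # parsed into @timestamp already
}

output {
  # Cluster with Elastic security features enabled: TLS + a least-privilege
  # writer role. The password comes from the Logstash keystore, not the file.
  elasticsearch {
    hosts    => ["https://es01.example.internal:9200"]   # assumed host
    user     => "logstash_writer"                        # assumed role/user
    password => "${LOGSTASH_WRITER_PW}"                  # keystore entry
    ssl      => true
    cacert   => "/etc/logstash/certs/ca.crt"             # assumed CA path
    index    => "fw-logs-%{+YYYY.MM.dd}"
  }
}
```

Two points worth checking in a pipeline like this: the `grok` failure tag keeps malformed lines rather than dropping them, so parse failures show up in a dashboard instead of silently disappearing; and the `dns` caches bound the cost of reverse lookups, which otherwise become the slowest stage of the pipeline the moment an attacker floods the firewall with many distinct source addresses.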
https://www.elastic.co/blog/how-orange-business-services-is-building-a-better-siem-with-elastic