Wednesday 1st April 2020
Elastic User Group – Satisnet’s Experience!
- Tags: Elastic
As part of our commitment to the latest security trends and best-of-breed technologies, Satisnet strive to deliver exciting and valuable events to our fellow security community.
This blog post, produced by John Maton, one of our very own Cyber Security Analysts, details the recent Elastic User Group we hosted at Edinburgh Napier University, and sheds light on the hands-on experience for our Edinburgh-based team.
In the Satisnet Edinburgh office, we have been looking at Elasticsearch for Security, and for the past few months have taken things to the next level with use-case development and threat hunting.
Calum Finlayson and I have been working in Edinburgh for Satisnet since September 2018, having both begun the Graduate Apprenticeship program at Edinburgh Napier University at the same time, and both coming from non-security backgrounds. In September 2019, JJ Brown began working for Satisnet and joined the Edinburgh team. For Calum and me, this was perfect, as JJ had the industry knowledge and experience that we had been lacking.
On meetup.com the ‘Scotland Elastic Fantastics’ group has existed for the past 6 years – and been dormant for the past 4. Reaching out to Ben Warner, our local Elastic rep, we discovered this was because there was nobody able or willing to organise it. We thought an Elastic meetup would be a great way to share some of what we’ve learned about the Elastic Stack, learn from others, and bring more people on board, so we got in touch with Ben about organising it. We were given the go ahead, as well as the promise of a catering budget from Elastic, not to mention some highly coveted Elastic swag! All we needed to do was bring everything together. We set the date for the 16th January and published it to the meetup page.
Once we had the go ahead, we started looking at where to start with a presentation. We didn’t know what kind of audience we would get, so we opted for a more high-level overview, with the idea being that we could easily build on this at future meetups once we’d gauged interest and received feedback. We thought about what we would have liked to know from the start and what was foundational knowledge for using and maintaining an Elasticsearch cluster. Topics we covered were an overview of the Elastic Stack, overview of Elasticsearch, and a little about Elasticsearch cluster architecture. We also briefly went through how Elasticsearch could be installed. After preparing the content, we made sure to run through it a few times to iron out any hiccups and ensure we’d included everything we wanted to have.
Since Calum and I had been playing around with Elasticsearch installation and configuration for a while, we thought that would be a great place to start, as it would encourage newcomers to get started with their own instance, and encourage those who had already had a go and given up to revisit it. We got our hands on a small test box and documented every stage of the installation process, including any likely pitfalls and issues we’d had in the past. We made use of the Elasticsearch documentation – a fantastic resource by the way – to keep us on track with recommendations and best practices from Elastic. We then decided on who would cover which sections and made sure we were comfortable with going through all the steps and speaking to each slide.
Bringing It Together
With our presentation and demo taking shape, it was time to spread the word. We got in touch with marketing, who were happy to put together a page advertising the meetup. Edinburgh Napier University were happy to give us the use of The Glassroom to host the event and Elastic kindly offered us a budget for food and drink for the evening. We made sure to stock up on plenty of beer and soft drinks and ordered plenty of delicious pizzas from Pizza Geeks. Being part-time students, Calum and I were also in a great position to get some support from the Security Society at Napier, ENUSEC. We arranged to drop in and plug the meetup at the start of one of the meetings and were encouraged by the interest as well as a few sign-ups on the meetup page afterwards. JJ kept active on the meetup page and on LinkedIn, and also reached out to the Edinburgh Cybersecurity Slack channel.
We got to the Glassroom early and set up for our presentation. We had almost 40 people signed up and were expecting approximately 50% turnout on the night. Rain and wind dampened our hopes a little, but people kept on arriving. We tried to greet people as they arrived, but inevitably got caught up with chatting to folks who had arrived early. By the start, we had almost 30 people, which we thought was a great turnout, especially for the first event. Our pizza arrived on time and was an instant hit – thanks Pizza Geeks! Most people had plenty of time to network and grab some beer and pizza before JJ formally opened the meetup and introduced Craig Finnan as the first speaker. Craig, Lead Security Engineer at DFID, delivered an interesting and informative talk around his experience building a SIEM from Elasticsearch. He talked about some of the challenges he’d faced and what had been helpful for him along the way and had valuable insights on the Elastic training and some architectural challenges.
After Craig’s talk, Calum and I were up next. Having run through our presentation a few times, we knew what we wanted to say, and all went smoothly. The following demo also went according to plan, and everything worked as intended – not always a guarantee! Following the demo, everyone was quick to polish off the remaining pizza and grab an extra beer, and most folks stayed around and chatted for a good while.
What We Learned
Organising the Elastic meetup was a great experience for us. Starting with a relatively blank canvas and producing content, bringing everything together, and seeing it through to the evening itself was particularly rewarding – it’s not often you get to be involved at every stage of a project from inception to completion. The important part was that we learned a lot along the way. Research and preparation for the presentation and demo was a useful way of consolidating what we already knew. Getting some public speaking experience is always going to be valuable whatever we do next, and given how much we enjoyed it, we are keen to do more, both at future meetups and in other settings as well.
We were keen to get some feedback from our attendees, so we made sure to stay around and get people’s thoughts after the talks. All the feedback we got on the night was positive and encouraging, but we thought we’d follow up with an anonymous survey anyway. Again, feedback was positive, and we noted a comment that not everyone had been met on arrival – something to be more aware of next time!
From the feedback we got, we are keen to build on what has been a very promising start for the Elastic User Group in Edinburgh. We hope that by Satisnet leading the charge, others will be encouraged to contribute their experience with Elastic, and, by sharing knowledge and experience, the whole community can grow.
In future meetups we’d like to start delving more into Kibana and how it can be used for visualisations and dashboarding, as well as more advanced uses like threat hunting. For this, we’d be keen to try a more workshop style approach with everyone following along on their own laptops. Other topics that would be great to cover are log ingestion, mappings, index lifecycle management and other architectural topics. This would be driven by feedback from attendees – we want to cover stuff that’s interesting and valuable to the community. If you’d like to get in touch about anything you’d like to see or if you’re interested in attending or contributing, don’t hesitate to get in touch over at the meetup page: