Following the discovery of Log4Shell, a vulnerability in Log4j2, Elastic released a blog post describing how users of our platform can leverage Elastic Security to help defend their networks. We also released an advisory detailing how Elastic products and users are impacted.
In this blog, we expand on these initial posts and highlight how the combination of security and observability solutions can provide deep visibility into the exploited vulnerability and arm security analysts with valuable data for root cause analysis.
Gaining the upper hand – combining Observability and Security data
Along with Elastic Security, we provide a comprehensive Observability suite within Kibana. Observability refers primarily to the combination of application performance monitoring (APM), logs, and metrics — a data source that has traditionally gone untapped in security analytics and incident response.
Since Log4Shell is a vulnerability in Log4j2, a Java logging library, we will be using our Java APM agent to demonstrate what a vulnerable instrumented application produces if Log4Shell is exploited. Our vulnerable application will also be producing logs, which can be correlated with the data produced by APM. This is a feature known as correlated logs and traces.
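The correlation mentioned above rests on a shared identifier: every log line written while an APM transaction is active carries that transaction's trace id, so the two data sets can be joined without any further parsing. The following is an added illustration of that join and is not code from the Elastic blog post or from any Elastic product. It assumes documents shaped like the Elastic Common Schema (the `trace.id`, `transaction.id` and `log.level` field names are real ECS fields); the sample transactions and log lines are constructed for the example.

```python
from typing import Any, Dict, List

# Constructed sample documents (not taken from the blog post). Field names follow
# the Elastic Common Schema: trace.id ties a log document to the APM transaction
# that was active when the line was written.
TRANSACTIONS: List[Dict[str, Any]] = [
    {"@timestamp": "2021-12-13T09:00:00.000Z", "trace": {"id": "trace-001"},
     "transaction": {"id": "tx-001", "name": "GET /api/items", "duration": {"us": 1200}}},
    {"@timestamp": "2021-12-13T09:00:05.000Z", "trace": {"id": "trace-002"},
     "transaction": {"id": "tx-002", "name": "POST /api/login", "duration": {"us": 850000}}},
]

LOGS: List[Dict[str, Any]] = [
    # Deliberately out of time order, so the sort below is exercised.
    {"@timestamp": "2021-12-13T09:00:05.600Z", "trace": {"id": "trace-002"},
     "log": {"level": "ERROR"}, "message": "downstream lookup failed"},
    {"@timestamp": "2021-12-13T09:00:05.200Z", "trace": {"id": "trace-002"},
     "log": {"level": "INFO"}, "message": "handling login request"},
    {"@timestamp": "2021-12-13T09:00:00.100Z", "trace": {"id": "trace-001"},
     "log": {"level": "INFO"}, "message": "returned 3 items"},
    # A line with no trace.id: written outside any instrumented request.
    {"@timestamp": "2021-12-13T09:00:07.000Z",
     "log": {"level": "WARN"}, "message": "scheduled cleanup finished"},
]


def ecs_get(doc: Dict[str, Any], dotted: str, default: Any = None) -> Any:
    """Read a nested ECS field such as 'trace.id' from a document dict."""
    current: Any = doc
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return default
        current = current[part]
    return current


def correlate(transactions: List[Dict[str, Any]],
              logs: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Group log documents under the APM transaction sharing their trace.id.

    Returns {"traces": {trace_id: {"transaction": doc, "logs": [docs...]}},
             "orphans": [log docs that carry no known trace.id]}.
    Logs under each trace are sorted by @timestamp so they read as a timeline.
    """
    by_trace: Dict[str, Dict[str, Any]] = {}
    for tx in transactions:
        tid = ecs_get(tx, "trace.id")
        if tid is not None:
            by_trace[tid] = {"transaction": tx, "logs": []}

    orphans: List[Dict[str, Any]] = []
    for line in logs:
        tid = ecs_get(line, "trace.id")
        if tid in by_trace:
            by_trace[tid]["logs"].append(line)
        else:
            orphans.append(line)

    for entry in by_trace.values():
        entry["logs"].sort(key=lambda d: d["@timestamp"])
    return {"traces": by_trace, "orphans": orphans}


def traces_with_level(correlated: Dict[str, Any], level: str) -> List[str]:
    """Trace ids whose correlated logs contain at least one line at `level`.

    This is the pivot an analyst makes from a suspicious log line back to the
    request (transaction name, duration) that produced it.
    """
    hits = []
    for tid, entry in correlated["traces"].items():
        if any(ecs_get(line, "log.level") == level for line in entry["logs"]):
            hits.append(tid)
    return sorted(hits)


if __name__ == "__main__":
    result = correlate(TRANSACTIONS, LOGS)
    for tid in traces_with_level(result, "ERROR"):
        tx = result["traces"][tid]["transaction"]
        print(tid, ecs_get(tx, "transaction.name"), ecs_get(tx, "transaction.duration.us"), "us")
        for line in result["traces"][tid]["logs"]:
            print("   ", line["@timestamp"], ecs_get(line, "log.level"), line["message"])
    print(len(result["orphans"]), "log line(s) outside any transaction")
```

In Kibana the same join is what the APM UI performs when it shows the log lines belonging to a trace; the point of the example is that the pivot works in either direction, from a request to its logs or from a log line back to the request, with `trace.id` as the only key.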
Server setup: How are we collecting and shipping data?
We use the Elastic Agent to ship our system and application logs, system metrics, docker (podman) container metrics, and packet data. We’ll also use it to run Osquery and our endpoint security integration with malware protections enabled.
Our vulnerable Java application will be instrumented with the Elastic Java APM Agent.
Elastic Agent and the Java APM agent are both connected to an Elastic cluster running on our Elasticsearch Service.