Episode 5 – Elasticsearch Data Leaks: Top 5 Prevention Steps

For this week’s episode, Shankar discussed Elasticsearch data leaks with Simone Scarduzio, Project Lead at ReadOnlyREST, a security plugin for Elasticsearch and Kibana. Before we jump into the interview on how you can prevent an Elasticsearch data leak, here is some context on why this topic is especially relevant today.

[video_embed video=”N5F79BHgTiI” parameters=”” mp4=”” ogv=”” placeholder=”” width=”700″ height=”400″]

Recent Elasticsearch Data Leaks

There were three instances of massive data leaks involving Elasticsearch databases just in the week prior to our interview with Simone. 

  1. An Elasticsearch database containing the records of 2.5 million customers of Yves Rocher, a cosmetics company, was found unsecured. 
  2. A database containing the personal data of the entire population of Ecuador (16.6 million people) was found unsecured. 
  3. An Elasticsearch database containing personally identifiable information linked to 198 million car buyer records was found unsecured.

The frequent occurrence of Elasticsearch database data leaks raises the question, “How can we prevent a data leak in Elasticsearch data stores?” For the answer, we interviewed an Elasticsearch security expert and asked his opinion on the top 5 data leak prevention techniques.

What are the Root Causes of These Data Leaks?

The common theme among these different data leaks regarding what caused them was related to the outsourcing contracts. Contracts should not only include the functional requirement but should also include a security requirement. The good thing is that solutions already exist and they are free. 

If you think about Amazon Elasticsearch Service, it’s very cheap and convenient. However, you can’t install any plugin in Amazon because it’s blocked. So a developer will just find a way around this problem without a viable security plugin, which ultimately leaves the database vulnerable. So a lot of the issue has to do with how Amazon built the Amazon Elasticsearch Service. They split the responsibility for security between the user and the infrastructure manager, which is them (Amazon), so Amazon is not contractually liable for the problems that arise regarding security.

Amazon allows anyone to open up an Elasticsearch cluster without any warning. Simone says he “does not agree with this practice. Amazon should either avoid it or have a very big warning” so that data leaks like the three recent ones can be avoided.

Another problem is that the companies that had these clusters exposed had a massive amount of data accumulated, and Simone says that “even if it was secure, it is not a good practice and the entities that created the GDPR would not agree with the practice” of holding that much data in such a way. It is almost like they were inviting a data breach.

5 Ways To Prevent An Elasticsearch Data Leak

Represents caution on the internet or on a computer because of Elasticsearch data leak potential.

If you have an Elasticsearch cluster and want to keep it protected follow these rules:

  1. Remember that data accumulation is a liability and you should only collect what is necessary at all times. Every piece of data should have an expiration date. 
  2. Every company from the minute they obtain user data should accept the responsibility it comes with and should center their attention on the importance of data handling and data management. Outsource access to the data less, but keep all of the different objectives of the different actors in line at all times.
  3. Use security plugins. When you accumulate data, the security layer should be as close as possible to the data itself.
  4. Use encryption on the http interface and between the Elasticsearch nodes for next-level security.
  5. Rigorously implement local data regulations and laws like the GDPR in the European Union. 

If you are looking to increase the security for your elasticsearch cluster, using a security plugin is a great security measure to start with and can help you prevent a data leak from exposing your clients’ data. Learn more about ReadOnlyREST’s security plugin for Elasticsearch and Kibana here.

The Infralytics Show

Thanks for reading our article and tuning in to episode 5 of the Infralytics show. We have a great show planned for next week as well, so be sure to come back! Interested in checking out your past episodes? Here’s a link to episode 4.

Episode 4 – Let’s Go Phishing for Ransomware

Shankar Radhakrishnan, Founder of Skedler, recently sat down with the CEO of TCE Strategy, Bryce Austin, who is a Cyber Security Expert and Professional Speaker as well as the author of the book Secure Enough? 20 Questions on Cybersecurity. The topic of the discussion, phishing for ransomware, is incredibly important as many organizations and individuals around the world are exposed to the perils of phishing and ransomware attacks daily. Bryce was able to detail why hackers target individual accounts and what best practices organizations can employ to proactively mitigate attacks or handle the fallout after a phishing and ransomware attack. 

[video_embed video=”I5ys5nOowTo” parameters=”” mp4=”” ogv=”” placeholder=”” width=”700″ height=”400″]

Top Phishing Scenarios That Organizations Face

A recent report found that 64% of organizations have experienced a phishing attack in the past year. Research by IBM reveals that 59% of ransomware attacks originate with phishing emails and a remarkable 91% of all malware is delivered by email. This tells us that more users are seeing attacks, but since they are not trained in how to spot or handle them, they become a victim of them. With the volume and variety of phishing attacks on the rise, many organizations are struggling to keep up with the barrage of ransomware attacks that are constantly hitting their networks.

In order to combat these terrible attacks, we must first understand what they are and what their purpose is. Bryce explains that “phishing comes in many forms. It can be a vague email. It could be from someone you know. It could be from someone you know who says ‘I thought you might find this link interesting,’ and it tries to get you to click on a weblink.” Bryce goes on to detail how “it could [also] state ‘please see the file for the next, new, exciting thing in technology.’ Something vague and nondescript.” This is an incredibly important aspect of these attacks since many people open emails that interest them, even if they don’t know the sender. Once the individual clicks through, the hacker has everything they need in order to obtain remote access to the user’s desktop or copy their address book to carry out a phishing attack of epic proportions.

Phishing attacks

Best Practices For Safeguarding Your Company From Phishing Attacks

First and foremost, cybercriminals are interested in money. If they think that there is a reasonable chance of them getting money from a user or company, they will try. This is why, Bryce explains that “one of the biggest things you can do is to have cybersecurity awareness training for yourself and for anyone in your company.” In essence, Bryce tells us that, “Cybersecurity awareness training is cybersecurity 101. It’s the basics of what these phishing scams look like. That is far and above the #1 way to prevent it.”

Too often, employees aren’t familiar with the signs of ransomware and therefore make their companies vulnerable to attacks. This is why, to mitigate the risk of a phishing or ransomware attack, it’s imperative to provide regular and mandatory cyber security training to ensure all employees can spot and avoid a potential phishing scam in their inbox. You also need to look into endpoint detection and ensure that you have built a really strong security posture. This will give everyone from your frontline employees to your executives the tools they need to successfully squash a phishing attack in its tracks before it becomes a catastrophe.

Best Practices to Safeguard Phishing Attacks

Best Practices For Post-Phishing Attacks

If a threat actor successfully phishes an employee, it can provide them with access to the company’s entire network of resources. Bryce explains that “if a phishing attack is successful, it inherits whatever abilities the user has.” This means that a single phishing attack can provide a hacker with access to the organization’s sensitive financial and intellectual property data which can be devastating.

To combat the spread of a phishing attack once it has already made its way into your network, Bryce explains that a huge mitigating step is to “proactively remove local administrator rights so that users don’t log in as a local admin at the company.” This is similar to throwing sand on a roaring fire pit. It doesn’t undo what has already happened, but it can keep the damage from getting out of hand.

Don’t forget to subscribe and review us because we want to help others like you improve their IT operations, security operations and streamline business operations. If you want to learn more about Skedler and how we can help you just go to Skedler.com where you’ll find tons of information on Kibana, Grafana, and Elastic Stack reporting. You can also download a free 21 day trial at skedler.com/download so you can see how it all works. Thanks for joining. We hope you will tune in to our next episode!

Episode 3 – Are Today’s SOC Ready to Handle Emerging Cyber Threats?

Shankar Radhakrishnan, Founder of Skedler, recently sat down with the Director of Security Operations at Rocus Networks aka Corvid Cyber Defense, John Britton to discuss the top cyber threats that businesses face and if Security Operations Centers (SOCs) are prepared to handle them. John was able to provide a wealth of knowledge on these specific talking points and give us a higher level view of how cyber threats have evolved. Without further ado, let’s review the top cyber threats that plague businesses and if SOCs are up to the task of combatting these threats before they become an issue.

[video_embed video=”eKMmycRGMRY” parameters=”” mp4=”” ogv=”” placeholder=”” width=”700″ height=”400″]

Today’s Top Cyber Threats  

While small and midsized businesses are increasingly targets for cybercriminals, companies are struggling to devote enough resources to protect their technology from attack. John describes how “5 or 6 years ago, if someone wanted to go steal some money, they would go to a bank,” John goes on to explain that “today, the way that the internet has connected everybody and all businesses are now operationalized to be ‘always on,’ every organization is targetable.” These small businesses don’t have access to a large information technology staff and many don’t have expensive, sophisticated software designed to monitor their systems. This leaves them literally defenseless against these types of cyber-attacks.

John tells us that “the biggest thing that really affects any organization is the people because people make mistakes and they can be manipulated out of things.” This why being aware of the tactics and methods used by hackers implementing social engineering attacks and applying them to our everyday lives is the key to a solid defense. As more organizations experience these types of attacks, more will become aware of ways to internally combat them; in the meantime, it’s best to look to the guidance of an SOC to help you keep the ship afloat in rocky cyber waters. 

What Techniques are Hackers Using?

A recent Ponemon Institute-Keeper report showed that 66% of organizations surveyed have experienced a breach within the last 12 months. Since businesses are still proving to be vulnerable to cyberattacks, it’s clear that more needs to be done so they adapt to a fast-moving and ever-increasing threat landscape. In their quest to achieve this goal, businesses are continuing to invest in their IT security and systems.

John explains that “we find that, at least this year, that the biggest threat to any organization is social engineering.” One eye-opening statistic to understand is that 64% of companies have experienced web-based attacks with 62% experiencing phishing & social engineering attacks.  Social engineering attacks are especially dangerous because all it takes is one weak link in an organization to initiate a damaging event. Companies need to remain vigilant when it comes to cybersecurity, because social engineering is only going to get more sophisticated in the future.

Are SOCs Prepared to Handle These Threats? 

SMBs have continued to embrace mobile devices as a way to run their businesses recently which has led to an increase in convenience and efficiency that comes at a price. That price is the diminished role of cybersecurity in their companies. John explains that, in the future, “organizations are going to [need] security as a 24/7 monitoring, data retention, and policy assessments.” SOCs are well up to the task provide companies of all sizes with innovative solutions that are integrated to work efficiently, ensuring that they always have the strongest and most effective cybersecurity defense at their disposal.

Don’t forget to subscribe and review us below because we want to help others like you improve their IT operations, security operations and streamline business operations. If you want to learn more about Skedler and how we can help you just go to Skedler.com where you’ll find tons of information on Kibana, Grafana, and Elastic Stack reporting. You can also download a free 21 day trial with us, so you can see how it all works at skedler.com/download. Thanks for joining and we’ll see you next episode.

Episode 2 – Tactical Security Intelligence and Zero Trust Architecture: How to Adapt Your SIEM and SOC

Welcome to another episode of Infralytics. This episode brings together Shankar Radhakrishnan, Founder of Skedler, and Justin Henderson. Justin is a certified SANS instructor and a member of the Cyber Guardian Blue team at SANS, authoring a number of courses at SANS. Justin is also the Founder and lead consultant at H&A Security Solutions.

Together, Shankar and Justin discuss the intricacies of “Tactical Security Intelligence and Zero Trust Architecture: How to adapt your SIEM and SOC​” during their informative video podcast. Let’s recap their discussion and learn more about what sets tactical security intelligence and zero trust architectures apart from other cybersecurity approaches.

[video_embed video=”0p2PDLyByLg” parameters=”” mp4=”” ogv=”” placeholder=”” width=”700″ height=”400″]

What is Tactical Security Intelligence?

Tactical security intelligence provides information about the tactics, techniques, and procedures (TTPs) used by threat actors to achieve their goals (e.g., to compromise networks, exfiltrate data, and so on). It’s intended to help defenders understand how their organization is likely to be attacked, so they can determine whether appropriate detection and mitigation mechanisms exist or whether they need to be implemented.

What Sources of Data/Information Can Be Divulged?

Tactical security intelligence can divulge what tools threat actors are using during the course of their operations to compromise target networks and exfiltrate data. This type of information will usually come from post-mortem analyses of successful or unsuccessful attacks, and will ideally include details of the specific malware or exploit kits used. It can also identify the specific techniques that threat actors are using to delay or avoid detection. Justin Henderson tells us that most organizations are using tactical security intelligence to “[perform] critical alerting and monitoring back where the data normally resides. The best visibility to see the attacker doesn’t exist there, it exists earlier on like the desktops and laptops.”

Data Monitoring

How do you adapt your SIEM platform for effective tactical intelligence?

In some cases, tactical security intelligence will highlight the need for an organization to invest additional resources in order to address a specific threat. Your tactical security intelligence may lead you to implement a new security protocol or reconfigure an existing technology in order to simplify matters and continue driving innovation forward while averting serious threats. Unfortunately, incident response efficacy relies heavily on human expertise, therefore it can be more difficult to measure the impact of tactical threat intelligence when it comes to identifying serious threats. This is why when supplementing your SIEM platform with tactical security intelligence solutions, it’s best to implement a strong feedback loop between frontline defenders and your threat intelligence experts to ensure more robust network protection.

What is Zero Trust and How Does it Differ From Other Approaches?

Zero trust, as an approach is a reflection of the current, modern working environment that more and more organizations are embracing now. Under the zero trust approach, organizations trust nothing, but verify everything. This approach requires logging, authentication and encryption of all data communication. While it is impossible to fully implement zero trust, Justin Henderson tells us that the best way to go about managing Zero Trust is to “know a baseline, find deviations, then investigate.” The approach is considered as all-pervasive, capable of powering not only large, but also small-scale organizations across various types of industries.

Zero Trust

How Does Zero Trust Impact Your SOC?

To protect, adopting a zero trust approach may be your best bet for success as it allows your organization to seamlessly monitor suspicious activity. This real-time data exposure allows your IT team to reduce the potential for security exposure, thereby giving them the ability to leverage the power of their SOC immediately. Doing so can help your organization sidestep a data breach which can cost $3.9 million on average per a 2019 Ponemon Institute report.

Don’t forget to subscribe and review us below because we want to help others like you improve their IT operations, security operations and streamline business operations. If you want to learn more about Skedler and how we can help you just go to Skedler.com where you’ll find tons of information on Kibana, Grafana, and Elastic Stack reporting. You can also download a free 21 day trial with us, so you can see how it all works at skedler.com/download. Thanks for joining and we’ll see you next episode.

Translate »