Detect attacker intent with Elasticsearch security plugins

Harden your enterprise with security plugins for Elasticsearch that target hacker behaviors, patterns and goals to limit issues, and keep your information safe.

The Elasticsearch ecosystem has evolved into one of the primary open source tools that developers use to bring search into different kinds of applications. Begun as a simple recipe organizer, the Elasticsearch search tool can now, through extensions such as security plugins, be enlisted in enterprise security practices.

At the Elastic{ON} conference in San Francisco, developers discussed how Elasticsearch has moved beyond its ability to simply surface information. It now provides access to larger catalogs, and Elasticsearch security plugins improve its overall strength. Also, natural language processing (NLP) could eventually play a larger role in security.

While early versions of Elasticsearch focused on traditional document search features, users eventually turned it into an infrastructure log search tool. After the development of Logstash and Kibana, log analytics became Elasticsearch's major use case and led to the further development of the ELK stack, which is available through JSON and the Java API.

A good search engine understands a language at a foundational level and has the ability to break a data set into the appropriate atoms to make it searchable in different ways. Chatbots have started to use Elastic to improve their ability to parse large knowledge bases. Other users are looking to combine NLP approaches with Elastic to parse security event data into a sort of grammar of hacker intent, said Avi Chesla, founder and CEO of Empow Cyber Security.

Hardening through Elasticsearch security plugins

Empow recently released an open source Elasticsearch security plugin called Attacker Intent Search to help enterprises improve the security investigation process.

"The thing a security organization wants to look for is attacker intent," Chesla said. Attacker intent consists of hacker behaviors and goals once they infiltrate an organization. Hackers have changed up malware payloads and associated domain names in attacks to hide their activit and continue to make it harder to detect an intrusion with rudimentary pattern-matching tools.

While organizations may struggle to identify hackers' behaviors, their attack patterns tend to be more consistent. "If you can train systems to identity the patterns, then you can solve the main pain point," Chesla said.

NLP is often used to find the higher structure in a collection of words to tease out sentence, paragraph and document meaning. In the same way, Chesla said he believes it can also find the deeper pattern in log events from hackers, even when the stages of an attack are spread out over longer periods.

This example of an Elasticsearch security plugin also creates much simpler rule sets because there are far fewer patterns of intent than malware variants. "You can think of it as a story of the attacker, and the sentences in the story are those signals we can classify into intents in order to understand it," Chesla said.

After an attack is detected, security analysts can look to find systems that have already been infiltrated and identify which ones might be next. With this tool's automation process, it's easier to search though security threat reports that might be associated with a particular attack and add updates to these reports if required.

Weave search services into apps

Shay Banon, CEO at Elastic, expects to see more tools that make it easier for developers to implement common use cases. As recently as a few years ago, the only way to add a search feature to a website required an on-premises Elasticsearch installation and an index created via webpage crawl. Then, developers had to figure out how to ingest API calls to Elasticsearch and perform relevancy tuning.

Now, services such as Swiftype, which was recently purchased by Elastic, enable developers to simply register a domain name. Developers can then weave search results into other apps with a code snippet in their server apps. Down the road, Banon also expects Elastic to see similar types of services for logging, metrics, application performance management and security.

Dig Deeper on Software development best practices and processes

App Architecture
Software Quality
Cloud Computing
Security
SearchAWS
Close