Proactive Ransomware Protection! – Auditing OneDrive with Elasticsearch and Kibana


For those of you who haven’t followed our series on ransomware: previously we discussed how you could use OneDrive to back up and version-control all the decentralised data users typically store on their laptops and desktops. You can catch up here.

For a large enterprise this can be an important safeguard against data loss where centralised shares are not used.  For smaller businesses, or those with a distributed workforce, we would argue it is a strong alternative to the typical centralised storage architecture.  Unfortunately, it is not without issues.  How do you track the rate of adoption, or identify those users who are not synchronising?  How successful has your rollout been?  Last week we released our own tooling, which inventories all your users’ OneDrive sites via the Microsoft Graph API, and in this article we will discuss how you can turn its granular CSV output into management dashboards that are easy to digest.


Let’s talk ELK 

The “Elastic stack” (Elasticsearch, Logstash and Kibana) is a Swiss Army knife regularly used here at SQA for everything from small data visualisation tasks to large-scale metric collection and aggregation projects.  Elasticsearch lets us store, query, filter and aggregate our data without having to define or optimise the data structure up front; its dynamic mapping guesses a type for each new field, which is fine for most fields and can be overridden where it guesses wrong.  With rich Python SDK support you can interact with Elasticsearch programmatically, but in this case we use Kibana to produce very configurable visualisations from the dataset.  The final piece of the puzzle is getting our data into Elasticsearch, and this is where we use Logstash to normalise and enrich the CSV output.  For this task we would rapidly deploy an instance using Docker Desktop, but equally you could use the Elastic Cloud offering or run the components traditionally.  There are plenty of articles covering all three methods, so we will not repeat them here.


Configuring Logstash

Logstash is configured with a pipeline file, and we have added ours to our public GitHub repo so you can grab it and use it straight away.  The config assumes you have mounted an “inputs” directory into the Logstash container containing the CSVs to ingest; just change the input path if needed.  We have defined the columns in the CSV, and forced some data types (DateModified as a date, for instance) so that the visualisations later can bucket and sum them instead of treating everything as text.  The configuration is very readable, so you should have no issues adapting it for all manner of CSV ingests.  When Logstash runs, it feeds these CSVs into Elasticsearch and creates the index defined in the output stanza.  To re-ingest the CSVs, just delete the index in Elasticsearch and restart Logstash!  One caveat: this only works if the file input is not remembering how far it has already read; if your own config keeps a sincedb file, clear that too, or Logstash will skip the files it has already seen.
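As an added example (this is not the pipeline from SQA’s repository), here is a complete Logstash config of the shape the paragraph describes: a file input on the mounted directory, a csv filter with explicit columns and a forced numeric type, a date filter for DateModified, a derived file-type field, and an Elasticsearch output with a fixed index name.  The column names, the /inputs mount, the Elasticsearch host, the index name and the ISO 8601 timestamp format are all assumptions; replace them with the headers of your CSV and your own endpoints.

```logstash
# Added example pipeline, not SQA's published config. Column names, paths,
# host and index name are assumptions; adjust them to your CSV and cluster.
input {
  file {
    # Directory mounted into the Logstash container, e.g. -v ./inputs:/inputs
    path => "/inputs/*.csv"
    # Read each file from the start and never persist read offsets, so that
    # deleting the index and restarting Logstash really does re-ingest everything.
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
  csv {
    separator => ","
    # Assumed headers of the inventory CSV. They must match the file exactly,
    # because skip_header only drops a row whose values equal these names.
    columns => ["User", "SiteUrl", "Path", "FileName", "Size", "DateModified"]
    skip_header => true
    # Force a numeric type now; left to dynamic mapping, a quoted "1024"
    # would be indexed as text and could not be summed in a visual.
    convert => { "Size" => "integer" }
  }

  # Turn the timestamp string into a real date so Kibana can bucket it.
  # ISO 8601 is assumed because that is what the Graph API returns for
  # lastModifiedDateTime; match the actual format written to your CSV.
  date {
    match    => ["DateModified", "ISO8601"]
    target   => "DateModified"
    timezone => "UTC"
  }

  # Derive a file-type field for the "distribution of file types" visual.
  # mutate applies copy last regardless of the order written, so the copy and
  # the gsub sit in separate blocks; files without an extension get "".
  if [FileName] =~ /\.[^.]+$/ {
    mutate { copy => { "FileName" => "Extension" } }
    mutate {
      gsub      => ["Extension", "^.*\.", ""]
      lowercase => ["Extension"]
    }
  } else {
    mutate { add_field => { "Extension" => "" } }
  }

  # Drop the raw CSV line; the parsed columns are what the dashboards use.
  mutate { remove_field => ["message"] }
}

output {
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]
    # Honour this index name rather than the default ILM rollover alias.
    ilm_enabled => false
    index => "onedrive-inventory"
    # user => "elastic"   # and password => "..." where security is enabled
  }
}
```

The sincedb_path of /dev/null is what makes the “delete the index and restart” re-ingest work; with offset tracking enabled, a restarted Logstash would consider the files already read.  Forcing the types in the pipeline, rather than trusting dynamic mapping, is also what lets Kibana show DateModified as a date and Size as a number in the next section.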


Visualising all the things  

Kibana needs to know the fields in the dataset before it can visualise them.  This is automated; we just need to trigger it by creating an index pattern that points at the new index, after which Kibana reads the field list from the Elasticsearch mapping.  Once we have refreshed the field list within Kibana, we can see that our Logstash config has correctly set the DateModified field to the Date type, just as we configured it to.


From here we can begin to query the data and produce those management visuals.  With a little effort you can build rich filters that can be toggled on and off as you dig into the data.


You can of course visualise whatever you like, such as the distribution of file types or the relative file counts per user.  You can also quickly filter noise out of the dataset, such as particular extensions, users or directories.  What really brings value here is the speed of visualisation, which lets you try visualisations creatively and dismiss those you don’t find useful.  We considered releasing our visualisation and dashboard configuration exports, but we subtly tailor each configuration to the client, and really it is so easy that you can just dive in and do it yourself.  Of course, if you want further assistance, you can reach out to us.

What can SQA do for you? 

Do you have an ongoing incident?  SQA Consulting can rapidly mobilise an on-site team to contain and eradicate the threat, minimising impact and protecting data.  Our analysts can dig into that malware, looking for any weaknesses you can exploit to recover your data.  


Not been hit? 

It is often only a matter of time until your business is disrupted.  Book your ransomware readiness audit now to have our team assess your risk against industry-recognised frameworks.  It includes in-depth analysis, such as the OneDrive guidance and adoption analysis discussed here, alongside traditional framework-driven risk reduction.  By being prepared, you can be assured that you will reduce the likelihood of compromise, minimise data loss and shorten your recovery period.


Contact SQA Consulting for further information on:  

  • Reducing the likelihood of an attack 
  • Mitigating the impact of a successful attack 
  • Significantly reducing the time to recovery 
