The simplest thing to do is to not let people you don't trust into the network with Elasticsearch. Beyond that you can do things like only listen on localhost and control who can connect with ssh and things like that. You could run a firewall. You could use shield. Lots of options.