Continuous Monitoring for Web Application Security

In a world with constantly changing and increasingly complex attacks on web applications, security practices are evolving to stay ahead of the threats. Dave Shackleford, IANS Research application security faculty member, and Bala Venkat, Cenzic CMO, explain how government agencies can benefit from continuous security monitoring.

These are the slides from "Continuous Monitoring for Web App Security," a Cenzic and IANS webinar that originally aired on 10 September 2013. The video recording is available at info.cenzic.com (free, registration required).

In the webinar, Dave and Bala discuss the types of attacks currently seen in the wild, what attackers are focused on, and how they are compromising web applications, systems and data. We'll explore the most pressing compliance and regulatory challenges for government agencies and commercial businesses. Finally, we'll show how continuous monitoring tactics and tools can improve your security posture.


Continuous Monitoring for Web Application Security

Slide 1: Continuous Monitoring for Web App Security
Dave Shackleford, IANS

Slide 2: The Web App Security Landscape
- Many organizations are not addressing Web app security as they should
- More are asking "How likely are we to be hacked?" and "What should we do about it?"
- What kinds of attacks are federal agencies experiencing? And what should they do about it?
- We'll cover:
  - Some attacks and research trends
  - Compliance and federal regulations to focus on
  - Some ideas on "what to do about it"

Slide 3: Some of the Top Web App Issues Today
- "Clickjacking" and embedded/hidden code attacks
- "Slowloris"-style application vulnerabilities leading to DoS conditions
- The BEAST and CRIME attacks against SSL/TLS
- CSRF conditions
- SQL worms and injection vulnerabilities
- Server-Side Includes (SSI) with development platforms

Slide 4: Breaches Are Happening Too…
(image-only slide)

Slide 5: What about compliance?
- FISMA requires a number of specific elements in its framework:
  - Inventory of information systems
  - Categorize information and information systems according to risk level
  - Security controls
  - Risk assessment
  - System security plan
  - Certification and accreditation
  - Continuous monitoring

Slide 6: What is Continuous Monitoring?
- One step in the NIST 6-step risk management approach in 800-37
- Important step for assessing security impacts over time
- Required by FISMA and OMB

Slide 7: Risk Management & Continuous Monitoring
- Continuous Monitoring only follows sound risk management practices & control selection as outlined in NIST 800-53 and 800-37
- Not replacing traditional risk assessment and security authorization
- The final step in the RMF (a key component in back-end security, as defined by NIST)

Slide 8: So…the RMF?
- Jointly developed by NIST, DoD, intelligence agencies, and the Committee on National Security Systems
- Implemented across three tiers:
  - Governance
  - Mission/business process
  - Information system
- A lifecycle approach that updates the C&A process
- Helps Authorizing Officials assess Authority to Operate (ATO)

Slide 9: Automating Continuous Monitoring
- Automation? You bet.
- SCAP is a good start.
- Many 800-53 areas are good candidates:
  - Access Control
  - Identification & Authentication
  - Auditing & Accountability
  - Systems & Communication Protection
- Real-time monitoring of these is key

Slide 10: Involving Stakeholders
- Who should be involved in planning continuous monitoring?
  - System and control owners
  - Business unit management
  - CISO and CIO
  - Authorizing officials

Slide 11: Lots of Changes to Federal IT Security and Compliance
- Before: Go through C&A, get an ATO
- Acronyms: Certification & Accreditation (C&A), Authority to Operate (ATO)
- FISMA specifies:
  - Periodic Risk Assessments
  - Periodic Testing & Evaluation
  - Annual Security Review
  - Annual Reporting

Slide 12: And Now…?
- 800-53, updated in 2009-2010:
  - Mandates the use of continuous monitoring
  - Mandates the implementation of a strong Risk Management Framework (RMF)
  - Specific guidance on event triggers and responses
- Quoted on the slide: "Conducting a thorough point-in-time assessment of the security controls in an organizational information system is a necessary but not sufficient condition to demonstrate security due diligence… The ultimate objective of the continuous monitoring program is to determine if the security controls in an information system continue to be effective over time in light of the inevitable changes that occur in the system as well as the environment in which the system operates."

Slide 13: In other words…
- Moving from: "Those security controls that are volatile or critical to protecting the information system are assessed at least annually. All other controls are assessed at least once during the information system's three-year accreditation cycle."
- To: "A continuous monitoring program allows an organization to maintain the security authorization of an information system over time in a highly dynamic environment of operation with changing threats, technologies and missions/business processes. Continuous monitoring of security controls using automated support tools facilitates near real-time risk management and promotes organizational situational awareness with regard to the security state of the information system."

Slide 14: The Federal InfoSec Compliance Spectrum
- FISMA changes and bills
  - "The Federal Information Security Management Act of 2010" (06/2010)
  - "Revamps FISMA reporting requirements, requiring agencies to utilize new and automated monitoring and measuring capabilities to assess their vulnerabilities to cyber threats"
- SCAP
  - Measuring & reporting on vulnerabilities and configuration issues (risk measurement)
- CAG
  - Consensus controls with SANS, public and private organizations, and infosec experts

Slide 15: More on SCAP
- Multiple standards for assessing configuration and vulnerabilities, and reporting them
  - CVE (vulns)
  - CVSS (vuln scoring or rating)
  - CCE and CPE (enumeration)
  - XCCDF and OVAL (configs and reporting)
- Intended to provide standards for scanners, local system assessment, and reporting
- Cross-tool correlation and monitoring/alerting is a critical function, too

Slide 16: More on CAG
- 10 of the 15 can be addressed with log and event management
- Tied to continuous monitoring
- Can be facilitated with continuous, thorough Web application assessment

Slide 17: Tying Web assessment to event monitoring
- Specific Web app scanning details to correlate:
  - Vulnerability details
  - Open ports and running/listening services
  - Risk ratings for vulnerabilities
  - System/application details
- Correlation examples:
  - System/application details: correlate with current inventory
  - Open ports: correlate with configuration details to determine whether unauthorized changes were made or services are vulnerable
  - Vulnerability details: correlate with configuration details to determine whether unauthorized changes were made or services are vulnerable

Slide 18: Continuous Monitoring + CAG: Assets/Inventory

Name      Purpose      IP address  MAC address        Purchase Date  OS                 License Good Through  Applications
CPCDSM01  File Server  1.2.3.4     AA:BB:CC:DD:EE:FF  1/2/10         Win2k8 Server SP2  1/2/14                XYZ
CPCDSM02  File Server  1.2.3.5     AA:BB:CC:DD:EE:AA  1/3/10         Win2k8 Server SP2  1/3/14                XYZ
CPCDSM03  File Server  1.2.3.6     AA:BB:CC:DD:EE:BB  1/4/10         Win2k8 Server SP2  1/4/14                XYZ
CPCDSM04  File Server  1.2.3.7     AA:BB:CC:DD:EE:CC  1/5/10         Win2k8 Server SP2  1/5/14                XYZ
CPCDSM05  File Server  1.2.3.8     AA:BB:CC:DD:EE:DD  1/6/10         Win2k8 Server SP2  1/6/14                XYZ
CPCDSM06  File Server  1.2.3.9     AA:BB:CC:DD:EE:EE  1/7/10         Win2k8 Server SP2  1/7/14                XYZ

- System and application inventories can be leveraged for a number of reasons
  - Determine whether systems or applications are approved
  - Enforce license compliance
  - Determine whether systems or applications need upgrades

Slide 19: Continuous Monitoring + CAG: Assets/Inventory
- Specific elements we want to learn with scanning:
  - System and asset names
  - Platform and application details (what is installed, versions, patches applied, etc.)
  - Asset IP/MAC addresses
  - License status and details (maybe)

Slide 20: Continuous Monitoring + CAG: Assets/Inventory
- Correlation examples:
  - System/application details: correlate with configuration details and remediation plans to ensure consistency
  - Asset IP/MAC addresses: ensure system addresses have not changed
  - License status/details: correlate with system configuration to ensure applications are authorized and licensed
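Slides 17 through 20 describe the correlation step in words: scan-reported host and application details against the inventory record, open ports against the approved configuration, IP/MAC addresses against what was recorded, license status against the calendar, and vulnerability ratings against a risk threshold. The Python below is an added example of that logic written for this page; it is not code from the deck, from Cenzic or from IANS. The inventory rows are constructed to match the table on slide 18, the approved-port and approved-application baselines and the scan-result layout are assumptions, and the "today" date is the webinar date.

```python
"""Correlate scan results with an asset inventory (added example, not the deck's code)."""
from dataclasses import dataclass
from datetime import date

# Constructed inventory, modelled on the Assets/Inventory table (slide 18).
# 'ports' and 'apps' are the approved baseline per host (assumption: not on the slide).
INVENTORY = {
    "CPCDSM01": {"ip": "1.2.3.4", "mac": "AA:BB:CC:DD:EE:FF", "os": "Win2k8 Server SP2",
                 "license_good_through": date(2014, 1, 2), "apps": {"XYZ"}, "ports": {139, 445}},
    "CPCDSM02": {"ip": "1.2.3.5", "mac": "AA:BB:CC:DD:EE:AA", "os": "Win2k8 Server SP2",
                 "license_good_through": date(2014, 1, 3), "apps": {"XYZ"}, "ports": {139, 445}},
    "CPCDSM03": {"ip": "1.2.3.6", "mac": "AA:BB:CC:DD:EE:BB", "os": "Win2k8 Server SP2",
                 "license_good_through": date(2014, 1, 4), "apps": {"XYZ"}, "ports": {139, 445}},
}

HIGH_CVSS = 7.0  # assumption: treat CVSS base >= 7.0 as "high" for alerting


@dataclass
class ScanHost:
    """One host as reported by a scan run (constructed record layout)."""
    name: str
    ip: str
    mac: str
    os: str
    open_ports: set
    apps: set
    vulns: list  # (cvss_base_score, title)


def correlate(inventory, scan_hosts, today):
    """Return (host, finding_code, detail) for every mismatch between scan and inventory."""
    findings = []
    seen = set()
    for h in scan_hosts:
        rec = inventory.get(h.name)
        if rec is None:
            # A host the scan found that the inventory does not know about at all.
            findings.append((h.name, "UNKNOWN_ASSET", f"{h.ip} not in inventory"))
            continue
        seen.add(h.name)
        if h.ip != rec["ip"] or h.mac != rec["mac"]:
            findings.append((h.name, "ADDRESS_CHANGED",
                             f"inventory {rec['ip']}/{rec['mac']} scan {h.ip}/{h.mac}"))
        if h.os != rec["os"]:
            findings.append((h.name, "PLATFORM_DRIFT", f"inventory {rec['os']!r} scan {h.os!r}"))
        extra_ports = h.open_ports - rec["ports"]
        if extra_ports:
            findings.append((h.name, "UNAUTHORIZED_SERVICE",
                             f"ports {sorted(extra_ports)} not in approved baseline"))
        extra_apps = h.apps - rec["apps"]
        if extra_apps:
            findings.append((h.name, "UNAUTHORIZED_APP", f"{sorted(extra_apps)} not approved/licensed"))
        if rec["license_good_through"] < today:
            findings.append((h.name, "LICENSE_EXPIRED", f"expired {rec['license_good_through']}"))
        for score, title in h.vulns:
            if score >= HIGH_CVSS:
                findings.append((h.name, "HIGH_VULN", f"{title} (CVSS {score})"))
    for name in inventory:
        if name not in seen:
            # Inventory says it exists, the scan never saw it: offline, moved, or scan scope gap.
            findings.append((name, "NOT_SCANNED", "inventory host absent from scan results"))
    return findings


# Constructed scan output: one clean host, one drifted host, one rogue host; CPCDSM03 missing.
SCAN = [
    ScanHost("CPCDSM01", "1.2.3.4", "AA:BB:CC:DD:EE:FF", "Win2k8 Server SP2",
             {139, 445}, {"XYZ"}, []),
    ScanHost("CPCDSM02", "1.2.3.5", "AA:BB:CC:DD:EE:AB", "Win2k8 Server SP2",
             {139, 445, 8080}, {"XYZ", "TomcatAdmin"},
             [(7.5, "Tomcat manager default credentials")]),
    ScanHost("WEBDEV07", "1.2.3.40", "AA:BB:CC:DD:EE:10", "Ubuntu 12.04",
             {22, 80}, {"wiki"}, [(4.3, "Reflected XSS")]),
]


def run_example():
    """Correlate the constructed scan against the constructed inventory on the webinar date."""
    return correlate(INVENTORY, SCAN, date(2013, 9, 10))


if __name__ == "__main__":
    for host, code, detail in run_example():
        print(f"{host:10} {code:22} {detail}")
```

Each finding code is the kind of normalized event a SIEM or ticketing system can key on, which is what slide 27 (tickets assigned to staff, corrected vs. still-active status) needs as input.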
Slide 21: So…How's all this work?
- A huge amount of application and vulnerability detail needs to be collected in today's Federal IT environments
- All public-facing and critical apps need to be monitored continually
- These data sets should be aggregated, correlated and used to create meaningful alerts
- Assessment and reporting should follow consistent formatting
- SCAP is the emerging standard

Slide 22: FedRAMP mandates web application scanning controls
- The GSA guide to implementing continuous monitoring for FedRAMP requires Web app scanning
- Agencies should adhere to the same controls, but even more regularly
- This is becoming best practice for everyone!

Slide 23: Alan Paller's Federal Testimony
- Alan Paller testified before a House subcommittee in March of 2010:
"One of the most important goals of any federal cyber security legislation must be to enable the defenders to act as quickly to protect their systems as the attackers can act. We call this continuous monitoring and it is single handedly the most important element you will write into the new law. Continuous monitoring enables government agencies to respond quickly and effectively to common and new attack vectors. The Department of State has demonstrated the effectiveness of this security innovation. Most major corporations use it. This model is the future of federal cybersecurity. As our response to attacks becomes faster and more automated, we will take the first steps toward turning the tide in cyberspace, and protecting our sensitive information."
http://oversight.house.gov/wp-content/uploads/2012/01/20100324Paller.pdf

Slide 24: Meeting Requirements
- FISMA provisions fall into three major categories:
  - Assessment: Determining the adequacy of the security of federal assets
  - Enforcement: Requires that key information security provisions be implemented and managed
  - Compliance: Establishes provisions for management of each agency's information security program and accountability for compliance and reporting
- How can regular Web app scanning help agencies improve security and meet federal guidelines and regulations?

Slide 25: Meeting Requirements & Improving Security
- Specific accountability of agencies and officials
  - Regular Web app scan reports show security status of applications owned by each organization and manager
  - Summary reports show enterprise view of application security for formal FISMA reporting
- Assess risk by seeking to meet defined security objectives
  - Reports provide identification of levels of risk
  - Data can be used in risk assessments to support Certification and Accreditation activity
  - Management can make risk-based decisions about application management and security

Slide 26: Meeting Requirements & Improving Security
- Maintain an inventory of major systems and applications
- Regular security assessments and reviews
  - Vulnerabilities are identified by application, allowing audits to be targeted and more focused
  - Scans can be run and used as input to broader assessments
  - Assessments can be automated and include identification of likelihood and impact, which assist with Certification and Accreditation efforts
  - Changes can be mapped over time to audit compliance with recommendations in earlier assessments (continuous monitoring!)

Slide 27: Meeting Requirements & Improving Security
- Tracking of deficiencies and remediation actions taken
  - Administrators and developers can filter reports to show specific vulnerabilities and recommended remediation suggestions
  - Tickets can be assigned to appropriate staff to enforce remediation
  - Reports show status of mitigation activity: corrected vs. still active vulnerabilities

Slide 28: Meeting Requirements & Improving Security
- Incident response and prevention processes and capability
  - Scans give early warning of organizational exposure to vulnerabilities
  - Specific vulnerabilities are tied to apps for more rapid assessments and response
  - Reports can be shared with internal and external incident response teams

Slide 29: Web App Scanning + SIEM
- Tying scan results into event monitoring can add powerful context to correlation rules
- Metrics can include:
  - Web and database application vulnerabilities or config issues
  - Web and database platform configuration changes
  - Web application errors by web application by type
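Slide 29 says scan results add context to SIEM correlation rules but does not show a rule. The Python below is an added example written for this page, not code from the deck, Cenzic or IANS, of what that context buys: web-server access-log lines are parsed, request parameters are matched against crude injection and XSS signatures, and the alert severity is raised to critical only when the attack class observed matches a vulnerability the scanner already confirmed on that exact host and path. The scan findings, the hostname app.example.gov, the signatures and the log lines are all constructed for the example.

```python
"""Enrich web-server events with web-app scan findings (added example, not the deck's code)."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed scan output: (host, path) -> vulnerability classes the scanner confirmed.
SCAN_FINDINGS = {
    ("app.example.gov", "/search"): {"SQL Injection"},
    ("app.example.gov", "/profile"): {"Cross-Site Scripting"},
}

# Crude payload signatures applied to the decoded query string (constructed; a real
# rule set is far larger). Enough to classify the sample events below.
SIGNATURES = {
    "SQL Injection": re.compile(r"('\s*(or|and)\s|union\s+select|--\s*$)", re.I),
    "Cross-Site Scripting": re.compile(r"(<script|onerror\s*=|javascript:)", re.I),
}

# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line, host):
    """Turn one access-log line into an event dict; query is URL-decoded once."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {"host": host, "client": m["client"], "time": m["time"], "path": parts.path,
            "query": unquote_plus(parts.query), "status": int(m["status"])}


def classify(query):
    """Attack classes whose signature appears in the decoded query."""
    return {name for name, rx in SIGNATURES.items() if rx.search(query)}


def correlate(events, findings):
    """Severity goes to 'critical' only when the observed attack class matches a confirmed,
    unremediated finding on the same host and path; otherwise it stays medium/low."""
    alerts = []
    for ev in events:
        attack_classes = classify(ev["query"])
        if not attack_classes:
            continue
        confirmed = findings.get((ev["host"], ev["path"]), set())
        if attack_classes & confirmed:
            severity = "critical"   # attacker is probing a hole the scanner already proved
        elif ev["status"] < 400:
            severity = "medium"     # probing answered 2xx/3xx, but no confirmed vuln here
        else:
            severity = "low"        # probing that errored against a path with no finding
        alerts.append({"client": ev["client"], "path": ev["path"],
                       "classes": sorted(attack_classes), "severity": severity,
                       "evidence": ev["query"]})
    return alerts


# Constructed access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2013:14:02:11 -0400] "GET /search?q=nist+800-53 HTTP/1.1" 200 5123
203.0.113.9 - - [10/Sep/2013:14:02:15 -0400] "GET /search?q=x%27+OR+1%3D1-- HTTP/1.1" 200 90311
203.0.113.9 - - [10/Sep/2013:14:02:19 -0400] "GET /profile?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2210
203.0.113.9 - - [10/Sep/2013:14:02:23 -0400] "GET /help?id=1+UNION+SELECT+1,2,3 HTTP/1.1" 404 311
"""


def run_example(host="app.example.gov"):
    """Parse the constructed log and correlate it with the constructed scan findings."""
    events = [e for e in (parse_line(line, host) for line in SAMPLE_LOG.splitlines()) if e]
    return correlate(events, SCAN_FINDINGS)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['severity']:8} {a['client']} {a['path']} {a['classes']} :: {a['evidence']}")
```

Without the scan context every probe from 203.0.113.9 looks the same; with it, the two requests that hit confirmed vulnerabilities are separated from the one that did not, which is the prioritisation slide 28 is after.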
Slide 30: Web App Scanning + WAF
- Web Application Firewalls (WAFs) can be tested with web application scanning tools
- Several key areas to focus on:
  - WAF bypass with specific scanning types
  - WAF effectiveness at alerting
  - Tuning the WAF for streamlined detection and response efforts
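Slide 30 lists "WAF bypass with specific scanning types" without saying how a bypass is measured. The Python below is an added example for this page, not code from the deck or from Cenzic, of the measurement: one payload is mutated the way a scanner's evasion modes do (URL encoding, double encoding, case mixing, SQL comment splitting), each variant is run against a WAF rule, and a variant counts as a bypass only if the rule lets it through and it still reads as the attack after the server's single URL-decode. Both rule functions are toy stand-ins for real rule sets (an assumption); the harness and the normalization difference are the point.

```python
"""Measure WAF bypass across scanner-style payload mutations (added example, not the deck's code)."""
import re
from urllib.parse import quote, unquote

# Minimal signature covering the three payload families used below (constructed).
SIGNATURE = re.compile(r"('\s*or\s|union\s+select|<script)", re.I)


def naive_waf_blocks(raw_query):
    """Toy WAF rule that matches request bytes exactly as received: case-sensitive,
    no URL-decoding, no comment stripping (assumption: models a weak rule set)."""
    return re.search(r"(' OR |UNION SELECT|<script)", raw_query) is not None


def normalize(raw_query):
    """Canonical view of the request: one URL-decode (what the web server does), SQL
    inline comments replaced by whitespace (what the SQL parser does), whitespace
    collapsed, lower-cased (SQL keywords and HTML tags are case-insensitive)."""
    s = unquote(raw_query)
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).lower()


def attack_survives(raw_query):
    """Oracle: does the payload still read as the attack once the backend has decoded it?"""
    return SIGNATURE.search(normalize(raw_query)) is not None


def hardened_waf_blocks(raw_query):
    """Toy WAF rule that normalizes first. Identical to the oracle by design: the WAF
    must see the request the way the backend will."""
    return attack_survives(raw_query)


def variants(payload):
    """Scanner-style evasion mutations of a single payload."""
    return {
        "plain": payload,
        "url-encoded": quote(payload, safe=""),
        "double-encoded": quote(quote(payload, safe=""), safe=""),
        "mixed-case": "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(payload)),
        "comment-split": re.sub(r"\s+", "/**/", payload),
    }


def evaluate(payload, waf_blocks):
    """Verdict per variant: blocked, BYPASS (passed and still effective), or passed-inert
    (passed but no longer an attack after the backend's decode, e.g. double encoding)."""
    out = {}
    for name, raw in variants(payload).items():
        if waf_blocks(raw):
            out[name] = "blocked"
        elif attack_survives(raw):
            out[name] = "BYPASS"
        else:
            out[name] = "passed-inert"
    return out


PAYLOADS = ["' OR 1=1--", "<script>alert(1)</script>",
            "1 UNION SELECT username,password FROM users"]


def run_example():
    """Bypass matrix for both rule sets: {rule: {payload: {variant: verdict}}}."""
    return {
        "naive": {p: evaluate(p, naive_waf_blocks) for p in PAYLOADS},
        "hardened": {p: evaluate(p, hardened_waf_blocks) for p in PAYLOADS},
    }


if __name__ == "__main__":
    for rule, matrix in run_example().items():
        print(f"== {rule} WAF ==")
        for payload, verdicts in matrix.items():
            bypassed = [v for v, r in verdicts.items() if r == "BYPASS"]
            print(f"{payload!r:50} bypassed via: {bypassed or 'none'}")
```

The "passed-inert" verdict matters for the alerting question on the same slide: a double-encoded probe that the naive rule lets through is not a bypass, because the application decodes only once and never sees the quote or the tag, so counting it as one inflates the bypass rate. Against a real WAF, the same harness sends each variant at an instrumented test endpoint and reads the WAF's own alert log for the "effectiveness at alerting" figure.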
Slide 31: Web App Scanning + GRC
- Web app scanning can provide valuable input to GRC tools and metrics:
  - Top vulnerabilities seen and remediated
  - Changes to compliance status
  - Changes to overall risk status, or critical app status

Slide 32: Web App Scanning for Mobile
- Many mobile-oriented Web apps provide different or varied content based on endpoint device and browser
- Web app scanners need to adapt to this by allowing for:
  - Various HTTP headers to be modified when scanning
  - User-Agent values to be changed quickly and simply for different scan results
  - Varied scripting and data presentation options

Slide 33: What's to come?
- In 2013 and beyond, many Federal IT organizations will look to implement continuous monitoring
- There are more and more Web app vulnerabilities
  - Injection flaws
  - XSS and CSRF issues
  - Config/Inventory data
  - Web server vulnerabilities
- Centralized monitoring and management will be key

Slide 34: Cenzic
Cenzic, Inc. - Confidential, All Rights Reserved.
- Leading Security Intelligence Platform
- Headquarters in California, offices in Singapore & London, 10 years in business
- Secures >1,000,000 online applications, $Trillions of commerce
- Protects F1000 companies, government agencies, universities, SMBs & all major security vendors
- Easy to use enterprise, mobile, and SaaS solutions
- Delivers best continuous real-world Risk Management

Slide 35: Cenzic – Continuous Security Intelligence
(diagram; integration points labelled GRC, WAF, SIEM, Mobile, Static Testing)

Slide 36: Cenzic Enterprise Application Security
(diagram; recoverable labels:)
- Pre-production & App Development: mitigate vulnerabilities before apps move to production
- Production: protect against ongoing threats and manage risks
- Partner / Supply Chain Networks: certify partners, ensure interconnecting partner and supply chain apps are protected
- Delivery models: Enterprise | Cloud | Hybrid | Mobile | Managed

Slide 37: Mapping to Federal Needs
- Unique capabilities Cenzic solutions offer:
  - Detect vulnerabilities in web applications in terms of applicable compliance standards
    - FISMA 3544
    - NIST 800-53
    - ASD STIG APP
  - Prioritize remediation quickly based on seriousness of compliance issue
  - Instantaneously connect reports to specific vulnerabilities affected by regulation
  - Correlate final results in terms of specific subsections to demonstrate compliance

Slide 38: Sample FISMA Compliance Findings Report
(screenshot)

Slide 39: Sample NIST Compliance Findings Report
(screenshot)

Slide 40: Sample STIG Compliance Findings Report
(screenshot)

Slide 41: Thanks
For more details, contact: Bala Venkat, bala@cenzic.com

Slide 42: Questions?