Repsheet
A Behavior Based Approach to Web Application
Security
Aaron Bedra
Application Security Lead
Braintree Payments
We...
Right now, your web
applications are being
attacked
Wednesday, July 10, 13
And it will happen
again, and again, and
again
Wednesday, July 10, 13
But not always in the
way you think
Wednesday, July 10, 13
Let’s take a look at
typical application
security measures
Wednesday, July 10, 13
User Requests
Web Server
Application Environment
Wednesday, July 10, 13
Wednesday, July 10, 13
roland : 12345
Wednesday, July 10, 13
roland : 12345
Wednesday, July 10, 13
And we go on with our
day
Wednesday, July 10, 13
How many of you stop
there?
Wednesday, July 10, 13
It’s time to start asking
more questions
Wednesday, July 10, 13
But remember…
Wednesday, July 10, 13
Don’t impact user
experience!
Wednesday, July 10, 13
???
Wednesday, July 10, 13
• Signature based detection
• Anomaly detection
• Reputational intelligence
• Action
• Repsheet
Wednesday, July 10, 13
Signatures
Wednesday, July 10, 13
Mod Security
Wednesday, July 10, 13
Web Application
Firewall
Wednesday, July 10, 13
Rule based detection
Wednesday, July 10, 13
Allows you to block or
alert if traffic matches a
signature
Wednesday, July 10, 13
Improved by the
OWASP Core Rule Set
Wednesday, July 10, 13
A great tool to add to
your stack
Wednesday, July 10, 13
Works with Apache,
nginx, and IIS
Wednesday, July 10, 13
Works well with Apache
Wednesday, July 10, 13
Like most signature
based tools it requires
tuning
Wednesday, July 10, 13
And has a high
possibility of false
positives
Wednesday, July 10, 13
Great for helping with
0-day attacks
Wednesday, July 10, 13
Favor alerting over
blocking in most
scenarios
Wednesday, July 10, 13
User Requests
Web Server
ModSecurity
Application Environment
Wednesday, July 10, 13
Anomalies
Wednesday, July 10, 13
10.20.253.8 - - [23/Apr/2013:14:20:21 +0000]
"POST /login HTTP/1.1" 200 267"-" "Mozilla/
5.0 (Windows NT 6.1; WOW64; rv:8....
10.20.253.8 - - [23/Apr/2013:14:20:22 +0000]
"POST /users/king-roland/credit_cards HTTP/
1.1" 302 2085 "-" "Mozilla/5.0 (W...
10.20.253.8 - - [23/Apr/2013:14:20:23 +0000]
"POST /users/king-roland/credit_cards HTTP/
1.1" 302 2083 "-" "Mozilla/5.0 (W...
10.20.253.8 - - [23/Apr/2013:14:20:24 +0000]
"POST /users/king-roland/credit_cards HTTP/
1.1" 302 2085 "-" "Mozilla/5.0 (W...
What do you see?
Wednesday, July 10, 13
I see a website getting
carded
Wednesday, July 10, 13
???
Wednesday, July 10, 13
Play by play
Wednesday, July 10, 13
10.20.253.8 - - [23/Apr/2013:14:20:21 +0000]
"POST /login HTTP/1.1" 200 267"-" "Mozilla/
5.0 (Windows NT 6.1; WOW64; rv:8....
10.20.253.8 - - [23/Apr/2013:14:20:22 +0000]
"POST /users/king-roland/credit_cards HTTP/
1.1" 302 2085 "-" "Mozilla/5.0 (W...
10.20.253.8 - - [23/Apr/2013:14:20:23 +0000]
"POST /users/king-roland/credit_cards HTTP/
1.1" 302 2083 "-" "Mozilla/5.0 (W...
10.20.253.8 - - [23/Apr/2013:14:20:24 +0000]
"POST /users/king-roland/credit_cards HTTP/
1.1" 302 2085 "-" "Mozilla/5.0 (W...
And this continues…
Wednesday, July 10, 13
10,000 more times
Wednesday, July 10, 13
Those were the only
requests that IP address
made
Wednesday, July 10, 13
Aside from the number
of requests what else
gave it away?
Wednesday, July 10, 13
5%
5%
4%
27% 59%
GET POST HEAD PUT DELETE
Wednesday, July 10, 13
HTTP method
distribution is
important
Wednesday, July 10, 13
When an actor deviates
significantly, there must
be a reason!
Wednesday, July 10, 13
Let’s talk GeoIP
Wednesday, July 10, 13
Adding GeoIP
information is
generically useful
Wednesday, July 10, 13
But it also helps in the
face of an attack
Wednesday, July 10, 13
It can help protect you
and your users
Wednesday, July 10, 13
Scenario
Wednesday, July 10, 13
King Roland gets his
GMail account hacked
Wednesday, July 10, 13
Hacker sends a
password reset request
to your server
Wednesday, July 10, 13
Normally, you would
email the reset
Wednesday, July 10, 13
Unless...
Wednesday, July 10, 13
You realize that King
Roland always logs in
from Druidia
Wednesday, July 10, 13
But the hacker is
requesting the reset
from Spaceball City
Wednesday, July 10, 13
Instead of sending the
reset, you now ask
some questions
Wednesday, July 10, 13
And hopefully protect
King Roland from
further bad actions
Wednesday, July 10, 13
GeoIP detection also
helps you block traffic
from unwanted
countries
Wednesday, July 10, 13
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Wednesday, July 10, 13
Other Anomalies
• Request Rate
• TCP Fingerprint vs. User Agent
• Account Create/Delete/Subscribe
• Anything you can imagi...
What do they have in
common?
Wednesday, July 10, 13
Does the behavior fit
an equation?
Wednesday, July 10, 13
If so, your detection is
simple
Wednesday, July 10, 13
Request rate >
Threshold
Wednesday, July 10, 13
TCP fingerprint !=
User Agent
Wednesday, July 10, 13
But the HTTP method
deviation is harder
Wednesday, July 10, 13
100% GET requests
with a known UA (e.g.
Google) is ok
Wednesday, July 10, 13
100% POST requests is
not
Wednesday, July 10, 13
But it’s not always that
simple
Wednesday, July 10, 13
Scenario
Wednesday, July 10, 13
A high rate of account
create requests are
coming from a single
address
Wednesday, July 10, 13
Is it a NATted IP or a
fraud/spam bot?
Wednesday, July 10, 13
We have patterns and
data…
Wednesday, July 10, 13
What’s the next step?
Wednesday, July 10, 13
Quantitative Analysis
Wednesday, July 10, 13
Quantitative Analysis
Wednesday, July 10, 13
Quantitative Analysis
Security as a Data Science
Probelm
Wednesday, July 10, 13
We can apply some
machine learning to the
data in an attempt to
classify it
Wednesday, July 10, 13
Classifier
???
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Wednesday, July 10, 13
This is where a lot of
the value comes from
Wednesday, July 10, 13
And combined with
signature detection
helps correlate attack
events
Wednesday, July 10, 13
But you still need a way
to keep track of it all
Wednesday, July 10, 13
Reputational
Intelligence
Wednesday, July 10, 13
Who’s naughty and
who’s really naughty
Wednesday, July 10, 13
Built up from the tools/
techniques mentioned
previously
Wednesday, July 10, 13
Provides local
reputation
Wednesday, July 10, 13
You can also purchase
external reputation
feeds
Wednesday, July 10, 13
The combination gives
you solid awareness of
bad actors
Wednesday, July 10, 13
Reputational
Intelligence
External
Reputation
Classifier
???
User Requests
Web Server
ModSecurity
Application Environment
G...
Action
Wednesday, July 10, 13
So now you have a ton
of new information
Wednesday, July 10, 13
What do you do with
it?
Wednesday, July 10, 13
Options
• Block the traffic
• Honeypot the attacker
• Modify your response
• Attack back
• Contact the authorities
Wednesda...
Blocking the traffic is
straight forward
Wednesday, July 10, 13
Block at the web server
level (403)
Wednesday, July 10, 13
Block at the firewall
level
Wednesday, July 10, 13
Both have advantages/
disadvantages
Wednesday, July 10, 13
Honeypots are much
more interesting
Wednesday, July 10, 13
LB
LB LB
Engine
Fake Real
DB DBPartial Replication
Wednesday, July 10, 13
When you honeypot,
the attacker doesn’t
know they’ve been
caught
Wednesday, July 10, 13
And it allows you to
study their behavior
Wednesday, July 10, 13
And update your
approach to preventing
attacks
Wednesday, July 10, 13
But all of this requires a
way to manage state
and act on bad behavior
Wednesday, July 10, 13
Reputational
Intelligence
External
Reputation
Classifier
???
User Requests
Web Server
ModSecurity
Application Environment
G...
Repsheet
Wednesday, July 10, 13
Reputation Engine
Wednesday, July 10, 13
Redis
Repsheet
Backend
External
Reputation
Feeds
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Repshe...
Redis
Repsheet
Backend
External
Reputation
Feeds
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Repshe...
Redis
Repsheet
Backend
External
Reputation
Feeds
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Repshe...
Redis
Repsheet
Backend
External
Reputation
Feeds
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Repshe...
Redis
Repsheet
Backend
External
Reputation
Feeds
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Repshe...
Redis
Repsheet
Backend
External
Reputation
Feeds
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Repshe...
Wednesday, July 10, 13
Wednesday, July 10, 13
Repsheet helps put
everything together
Wednesday, July 10, 13
Web server module
records activity and
looks for offenders in
the cache
Wednesday, July 10, 13
It listens to
ModSecurity and adds
offending IPs to it’s list
Wednesday, July 10, 13
It provides notification
and/or blocking of
offenders
Wednesday, July 10, 13
Blocking happens at the
web server level
Wednesday, July 10, 13
But you can send the
Repsheet data to your
firewall for TCP level
blocking
Wednesday, July 10, 13
Notification sends
headers to the
downstream application
Wednesday, July 10, 13
Which allows each app
to chose how it is going
to respond
Wednesday, July 10, 13
For instance, show a
captcha on signup if
Repsheet alerts
Wednesday, July 10, 13
Back end looks at the
recorded data for bad
behavior
Wednesday, July 10, 13
And updates the cache
when it finds offenders
Wednesday, July 10, 13
You can supply your
own learning models
for the data
Wednesday, July 10, 13
github.com/repsheet/
repsheet
Wednesday, July 10, 13
Summary
Wednesday, July 10, 13
There are lots of
indicators of attack in
your traffic
Wednesday, July 10, 13
Build up a system that
can capture the data
and sort good from bad
Wednesday, July 10, 13
Tools
• ModSecurity
• GeoIP
• Custom rules (velocity triggers,
fingerprinting, device id, etc)
• Custom behavioral classific...
And Remember…
Wednesday, July 10, 13
Wednesday, July 10, 13
Questions?
Wednesday, July 10, 13
Upcoming SlideShare
Loading in...5
×

Repsheet: A Behavior Based Approach to Web Application Security

1,403

Published on

This is a presentation on how to approach analyzing web application security.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,403
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
32
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Repsheet: A Behavior Based Approach to Web Application Security

  1. 1. Repsheet A Behavior Based Approach to Web Application Security Aaron Bedra Application Security Lead Braintree Payments Wednesday, July 10, 13
  2. 2. Right now, your web applications are being attacked Wednesday, July 10, 13
  3. 3. And it will happen again, and again, and again Wednesday, July 10, 13
  4. 4. But not always in the way you think Wednesday, July 10, 13
  5. 5. Let’s take a look at typical application security measures Wednesday, July 10, 13
  6. 6. User Requests Web Server Application Environment Wednesday, July 10, 13
  7. 7. Wednesday, July 10, 13
  8. 8. roland : 12345 Wednesday, July 10, 13
  9. 9. roland : 12345 Wednesday, July 10, 13
  10. 10. And we go on with our day Wednesday, July 10, 13
  11. 11. How many of you stop there? Wednesday, July 10, 13
  12. 12. It’s time to start asking more questions Wednesday, July 10, 13
  13. 13. But remember… Wednesday, July 10, 13
  14. 14. Don’t impact user experience! Wednesday, July 10, 13
  15. 15. ??? Wednesday, July 10, 13
  16. 16. • Signature based detection • Anomaly detection • Reputational intelligence • Action • Repsheet Wednesday, July 10, 13
  17. 17. Signatures Wednesday, July 10, 13
  18. 18. Mod Security Wednesday, July 10, 13
  19. 19. Web Application Firewall Wednesday, July 10, 13
  20. 20. Rule based detection Wednesday, July 10, 13
  21. 21. Allows you to block or alert if traffic matches a signature Wednesday, July 10, 13
  22. 22. Improved by the OWASP Core Rule Set Wednesday, July 10, 13
  23. 23. A great tool to add to your stack Wednesday, July 10, 13
  24. 24. Works with Apache, nginx, and IIS Wednesday, July 10, 13
  25. 25. Works well with Apache Wednesday, July 10, 13
  26. 26. Like most signature based tools it requires tuning Wednesday, July 10, 13
  27. 27. And has a high possibility of false positives Wednesday, July 10, 13
  28. 28. Great for helping with 0-day attacks Wednesday, July 10, 13
  29. 29. Favor alerting over blocking in most scenarios Wednesday, July 10, 13
  30. 30. User Requests Web Server ModSecurity Application Environment Wednesday, July 10, 13
  31. 31. Anomalies Wednesday, July 10, 13
  32. 32. 10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233" Wednesday, July 10, 13
  33. 33. 10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
  34. 34. 10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
  35. 35. 10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
  36. 36. What do you see? Wednesday, July 10, 13
  37. 37. I see a website getting carded Wednesday, July 10, 13
  38. 38. ??? Wednesday, July 10, 13
  39. 39. Play by play Wednesday, July 10, 13
  40. 40. 10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233" Login Request Wednesday, July 10, 13
  41. 41. 10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Add credit card to account #1 1 sec delay Wednesday, July 10, 13
  42. 42. 10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" 1 sec delay Add credit card to account #2 FF 8 on Windows 7 or Bot? Wednesday, July 10, 13
  43. 43. 10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" 1 sec delay Add credit card to account #3 FF 8 on Windows 7 or Bot? Plovdiv Bulgaria Wednesday, July 10, 13
  44. 44. And this continues… Wednesday, July 10, 13
  45. 45. 10,000 more times Wednesday, July 10, 13
  46. 46. Those were the only requests that IP address made Wednesday, July 10, 13
  47. 47. Aside from the number of requests what else gave it away? Wednesday, July 10, 13
  48. 48. 5% 5% 4% 27% 59% GET POST HEAD PUT DELETE Wednesday, July 10, 13
  49. 49. HTTP method distribution is important Wednesday, July 10, 13
  50. 50. When an actor deviates significantly, there must be a reason! Wednesday, July 10, 13
  51. 51. Let’s talk GeoIP Wednesday, July 10, 13
  52. 52. Adding GeoIP information is generically useful Wednesday, July 10, 13
  53. 53. But it also helps in the face of an attack Wednesday, July 10, 13
  54. 54. It can help protect you and your users Wednesday, July 10, 13
  55. 55. Scenario Wednesday, July 10, 13
  56. 56. King Roland gets his GMail account hacked Wednesday, July 10, 13
  57. 57. Hacker sends a password reset request to your server Wednesday, July 10, 13
  58. 58. Normally, you would email the reset Wednesday, July 10, 13
  59. 59. Unless... Wednesday, July 10, 13
  60. 60. You realize that King Roland always logs in from Druidia Wednesday, July 10, 13
  61. 61. But the hacker is requesting the reset from Spaceball City Wednesday, July 10, 13
  62. 62. Instead of sending the reset, you now ask some questions Wednesday, July 10, 13
  63. 63. And hopefully protect King Roland from further bad actions Wednesday, July 10, 13
  64. 64. GeoIP detection also helps you block traffic from unwanted countries Wednesday, July 10, 13
  65. 65. User Requests Web Server ModSecurity Application Environment GeoIP Wednesday, July 10, 13
  66. 66. Other Anomalies • Request Rate • TCP Fingerprint vs. User Agent • Account Create/Delete/Subscribe • Anything you can imagine Wednesday, July 10, 13
  67. 67. What do they have in common? Wednesday, July 10, 13
  68. 68. Does the behavior fit an equation? Wednesday, July 10, 13
  69. 69. If so, your detection is simple Wednesday, July 10, 13
  70. 70. Request rate > Threshold Wednesday, July 10, 13
  71. 71. TCP fingerprint != User Agent Wednesday, July 10, 13
  72. 72. But the HTTP method deviation is harder Wednesday, July 10, 13
  73. 73. 100% GET requests with a known UA (e.g. Google) is ok Wednesday, July 10, 13
  74. 74. 100% POST requests is not Wednesday, July 10, 13
  75. 75. But it’s not always that simple Wednesday, July 10, 13
  76. 76. Scenario Wednesday, July 10, 13
  77. 77. A high rate of account create requests are coming from a single address Wednesday, July 10, 13
  78. 78. Is it a NATted IP or a fraud/spam bot? Wednesday, July 10, 13
  79. 79. We have patterns and data… Wednesday, July 10, 13
  80. 80. What’s the next step? Wednesday, July 10, 13
  81. 81. Quantitative Analysis Wednesday, July 10, 13
  82. 82. Quantitative Analysis Wednesday, July 10, 13
  83. 83. Quantitative Analysis Security as a Data Science Probelm Wednesday, July 10, 13
  84. 84. We can apply some machine learning to the data in an attempt to classify it Wednesday, July 10, 13
  85. 85. Classifier ??? User Requests Web Server ModSecurity Application Environment GeoIP Wednesday, July 10, 13
  86. 86. This is where a lot of the value comes from Wednesday, July 10, 13
  87. 87. And combined with signature detection helps correlate attack events Wednesday, July 10, 13
  88. 88. But you still need a way to keep track of it all Wednesday, July 10, 13
  89. 89. Reputational Intelligence Wednesday, July 10, 13
  90. 90. Who’s naughty and who’s really naughty Wednesday, July 10, 13
  91. 91. Built up from the tools/ techniques mentioned previously Wednesday, July 10, 13
  92. 92. Provides local reputation Wednesday, July 10, 13
  93. 93. You can also purchase external reputation feeds Wednesday, July 10, 13
  94. 94. The combination gives you solid awareness of bad actors Wednesday, July 10, 13
  95. 95. Reputational Intelligence External Reputation Classifier ??? User Requests Web Server ModSecurity Application Environment GeoIP ??? Wednesday, July 10, 13
  96. 96. Action Wednesday, July 10, 13
  97. 97. So now you have a ton of new information Wednesday, July 10, 13
  98. 98. What do you do with it? Wednesday, July 10, 13
  99. 99. Options • Block the traffic • Honeypot the attacker • Modify your response • Attack back • Contact the authorities Wednesday, July 10, 13
  100. 100. Blocking the traffic is straight forward Wednesday, July 10, 13
  101. 101. Block at the web server level (403) Wednesday, July 10, 13
  102. 102. Block at the firewall level Wednesday, July 10, 13
  103. 103. Both have advantages/ disadvantages Wednesday, July 10, 13
  104. 104. Honeypots are much more interesting Wednesday, July 10, 13
  105. 105. LB LB LB Engine Fake Real DB DBPartial Replication Wednesday, July 10, 13
  106. 106. When you honeypot, the attacker doesn’t know they’ve been caught Wednesday, July 10, 13
  107. 107. And it allows you to study their behavior Wednesday, July 10, 13
  108. 108. And update your approach to preventing attacks Wednesday, July 10, 13
  109. 109. But all of this requires a way to manage state and act on bad behavior Wednesday, July 10, 13
  110. 110. Reputational Intelligence External Reputation Classifier ??? User Requests Web Server ModSecurity Application Environment GeoIP ??? State State Where do you act? Here? Wednesday, July 10, 13
  111. 111. Repsheet Wednesday, July 10, 13
  112. 112. Reputation Engine Wednesday, July 10, 13
  113. 113. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Wednesday, July 10, 13
  114. 114. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Wednesday, July 10, 13
  115. 115. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Recorder Wednesday, July 10, 13
  116. 116. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Managed State Recorder Wednesday, July 10, 13
  117. 117. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Managed State ActorRecorder Wednesday, July 10, 13
  118. 118. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Managed State Classifier, Feed Integration, Learning Models ActorRecorder Wednesday, July 10, 13
  119. 119. Wednesday, July 10, 13
  120. 120. Wednesday, July 10, 13
  121. 121. Repsheet helps put everything together Wednesday, July 10, 13
  122. 122. Web server module records activity and looks for offenders in the cache Wednesday, July 10, 13
  123. 123. It listens to ModSecurity and adds offending IPs to it’s list Wednesday, July 10, 13
  124. 124. It provides notification and/or blocking of offenders Wednesday, July 10, 13
  125. 125. Blocking happens at the web server level Wednesday, July 10, 13
  126. 126. But you can send the Repsheet data to your firewall for TCP level blocking Wednesday, July 10, 13
  127. 127. Notification sends headers to the downstream application Wednesday, July 10, 13
  128. 128. Which allows each app to chose how it is going to respond Wednesday, July 10, 13
  129. 129. For instance, show a captcha on signup if Repsheet alerts Wednesday, July 10, 13
  130. 130. Back end looks at the recorded data for bad behavior Wednesday, July 10, 13
  131. 131. And updates the cache when it finds offenders Wednesday, July 10, 13
  132. 132. You can supply your own learning models for the data Wednesday, July 10, 13
  133. 133. github.com/repsheet/ repsheet Wednesday, July 10, 13
  134. 134. Summary Wednesday, July 10, 13
  135. 135. There are lots of indicators of attack in your traffic Wednesday, July 10, 13
  136. 136. Build up a system that can capture the data and sort good from bad Wednesday, July 10, 13
  137. 137. Tools • ModSecurity • GeoIP • Custom rules (velocity triggers, fingerprinting, device id, etc) • Custom behavioral classification • Repsheet Wednesday, July 10, 13
  138. 138. And Remember… Wednesday, July 10, 13
  139. 139. Wednesday, July 10, 13
  140. 140. Questions? Wednesday, July 10, 13
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×