"Securing eCommerce with Data Metrics". Corey Benninger, Etsy
While application logging and proper forensics information have long been important after a security incident, they are not frequently used in proactive security. This talk will explore the ways that application logging, data, and metrics can be leveraged to create effective defenses for web applications. We query Hadoop for actual threshold numbers used for detecting attacks, proactively monitor for phishing attacks based on our own web server logs, and respond in real time to cross-site scripting attacks by hooking JavaScript methods, among other security countermeasures mined from big data. This presentation will help you build new defense strategies for your applications based on the data you are able to collect.

Published in: Technology

Transcript

  • 1. Securing eCommerce with Data Metrics Corey Benninger
  • 2. Founded in 2005, Etsy is an e-commerce website focused on handmade and vintage items, as well as art and craft supplies.
  • 3. Continuous Deployment Average 35 deploys to production a day About 10,000 lines of code a day
  • 4. Corey Benninger Senior Software Security Engineer @0xb3nn
  • 5. https://www.etsy.com/listing/92868829/the-oh-my-orange-elephant-designer-wall Overview Collecting Metrics Viewing Metrics Taking Action Case Studies
  • 6. First, a thesis
  • 7. The security posture of your application is directly proportional to how much you know about your application.
  • 8. https://www.etsy.com/listing/96459220/stick-your-head-in-the-sand-pen-ink Looks fine from here
  • 9. Data Collection
  • 10. Application Stats
  • 11. https://github.com/etsy/statsd
  • 12. StatsD
        // Detect a request URL matching the XSS pattern, log it, count it in
        // StatsD, and drop the request once this client exceeds its rate budget.
        if (preg_match(self::PATTERNXSS, $this->url) == true) {
            $msg = "attacktype=XSS url=" . $this->url;
            Logger::log_info($msg, 'SECURITY');
            StatsD::increment('security.potential_xss');
            if (! $this->rate->checkIncrement(self::XSS_WEIGHT)) {
                $this->drop_request = true;
            }
        }
  • 13. We <3 Graphs
  • 14. https://github.com/etsy/dashboard
  • 15. Is this normal?
  • 16. Is this normal?
  • 17. Smoothing Data
  • 18. Get Historical
  • 19. Log Analysis
  • 20. https://www.etsy.com/listing/130330032/all-the-things-internet-meme-embroidered Log all the things
  • 21. Event logs Visit logs Error logs Mail logs API logs Search logs DNS logs...
  • 22. Splunk
  • 23. Databases
  • 24. https://www.etsy.com/listing/128620213/vintage-happiness-is-a-humongousl Databases Relational (row) database Columnar (column) database MapReduce (clustered data processing)
  • 25. Awesome Data Team
  • 26. 160 nodes 3840 cores 15 TB of RAM 960 TB storage
  • 27. •  Ad-hoc analysis of a large dataset •  Needs to be fast (or scalable) •  Might not do it more than once (for a data set)
  • 28. Why: Analytics
  • 29. SuperBIT
  • 30. Case Studies
  • 31. Full Site SSL resource cost
  • 32. Goal Full-site SSL for all Etsy sellers
  • 33. Opt In
  • 34. analytics_cascade do
          analytics_flow do
            analytics_source 'event_logs'
            tap_db_snapshot 'users_index'
            # per-user request counts, split by URL scheme (http vs https)
            assembly 'event_logs' do
              group_by 'user_id', 'scheme' do
                count 'value'
              end
            end
            # user id plus the seller flag, to tell sellers from buyers
            assembly 'users_index' do
              project 'user_id', 'is_seller'
            end
            # roll the per-user counts up to seller/non-seller by scheme
            assembly 'ssl_traffic' do
              project 'user_id', 'is_seller', 'scheme', 'value'
              group_by 'is_seller', 'scheme' do
                count 'value'
              end
            end
            analytics_sink 'ssl_traffic'
          end
        end
  • 35. Incident Response for web attacks
  • 36. https://www.etsy.com/listing/152084181/boba-fett-the-good-the-bad-and-the Finding Vulns Bug Bounty Program Launched Sept 2012 Reward: $500 - $2000
  • 37. Needle in a haystack
  • 38. •  URL Patterns •  IP Addresses Simple Patterns
  • 39. analytics_cascade do
          analytics_flow do
            analytics_source 'access_logs'
            # pull every request for the URL the attacker used, then count by URL
            assembly 'incident_response' do
              query_event 'timestamp', 'request_uri', 'useragent', 'ip'
              where '"/bad_url.php".equals(request_uri:string)'
              group_by 'url' do
                count 'value'
              end
            end
            analytics_sink 'incident_response'
          end
        end
  • 40. When to Alert setting thresholds
  • 41. •  Per time period, count password resets •  Sort the amounts •  Discard outliers •  Average remaining •  Compare with past known attacks Big Data Answer
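The threshold recipe on that slide (sort the per-period counts, discard outliers, average the rest, compare with past known attacks), carried through as an added example that is not code from the talk; the trim fraction, the safety margin and the sample counts are assumptions.

```python
from statistics import mean

def reset_alert_threshold(period_counts, known_attacks, trim=0.1, margin=2.0):
    """Turn historical per-period password-reset counts into an alert threshold.

    Steps follow the slide: sort the per-period counts, drop the outliers in
    both tails, average what remains, then check the result against counts
    seen during past known attacks. The trim fraction and safety margin are
    assumed tuning knobs, not values from the talk.
    """
    if len(period_counts) < 3:
        raise ValueError("need at least three periods to trim outliers")
    ordered = sorted(period_counts)
    k = int(len(ordered) * trim)              # periods dropped from each tail
    core = ordered[k:len(ordered) - k]        # outliers (attacks, outages) gone
    baseline = mean(core)
    threshold = baseline * margin
    # A threshold is only useful if every attack period we already know about
    # would have crossed it; list the ones that would have slipped through.
    missed = [a for a in known_attacks if a <= threshold]
    return {"baseline": baseline, "threshold": threshold, "missed_attacks": missed}

def should_alert(count, threshold):
    """Alert when this period's reset count exceeds the learned threshold."""
    return count > threshold

# Constructed hourly reset counts (one attack-like spike, one quiet hour) and
# counts seen in two past incidents; not real Etsy numbers.
HOURLY_RESETS = [12, 15, 14, 13, 90, 11, 16, 14, 13, 2]
PAST_ATTACKS = [60, 25]
```

A non-empty missed_attacks list means the margin is too generous for the attacks already on record, and the threshold should be tightened before it is wired to an alert.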
  • 42. Collusion Fraud
  • 43. The Price is Wrong?
  • 44. Overpaid
  • 45. Analysis Check for meta-data Exact hash and fuzzy hashing Analysis of key properties (shadows, patterns, shading...)
  • 46. Grow Stronger Detection is timely (hashing ~1ms) Each new data point helps for analysis
  • 47. Phishing Attack reactive to proactive
  • 48. Not Etsy
  • 49. Reactive
  • 50. Incident Response
        source="access_logs" client_ip=10.163.2.3 | transaction request_uri
  • 51. Normal
  • 52. Proactive
  • 53. Scanners low hanging fruit
  • 54. Bad Deploy?
  • 55. https://www.etsy.com/listing/162962424/robot-dress-up-costume Block Only Bad Bots Allow legitimate users (including API requests) Allow search engines Allow our own scans
  • 56. Asimov?
  • 57. Bad Bots
  • 58. Bad Bots
  • 59. False Positives
  • 60. https://www.etsy.com/listing/159148839/robot-card-trust-no-one Bad Bots Disobey 404 Time Announce
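The four bad-bot tells on that slide (disobeying robots.txt, piling up 404s, requesting faster than a person, and not announcing itself), run over constructed access-log lines as an added example that is not from the talk; the robots.txt Disallow list, the allow-listed search-engine user agent and the rate and 404 cut-offs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample access-log lines (combined log format); not real Etsy data.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2013:12:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
10.0.0.9 - - [10/Oct/2013:12:00:00 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 6.1)"
10.0.0.9 - - [10/Oct/2013:12:00:00 +0000] "GET /login.aspx HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 6.1)"
10.0.0.9 - - [10/Oct/2013:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 6.1)"
10.0.0.9 - - [10/Oct/2013:12:00:01 +0000] "GET /listing/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
10.0.0.7 - - [10/Oct/2013:12:00:00 +0000] "GET /listing/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"
10.0.0.7 - - [10/Oct/2013:12:01:30 +0000] "GET /listing/2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
DISALLOWED = ("/admin/",)      # assumed Disallow entries from our robots.txt
ALLOWED_UA = ("Googlebot",)    # search engines and our own scanners: never block

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def bad_bot_signals(log_text, max_rps=2.0, max_404_ratio=0.5):
    """Return {ip: set(signals)} for clients tripping the slide's four tells."""
    by_ip = defaultdict(list)
    for rec in parse(log_text):
        by_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in by_ip.items():
        ua = recs[0]["ua"]
        if any(good in ua for good in ALLOWED_UA):
            continue                       # allow-listed: skip entirely
        signals = set()
        if any(r["path"].startswith(DISALLOWED) for r in recs):
            signals.add("disobey")         # fetched what robots.txt forbids
        if sum(r["status"] == "404" for r in recs) / len(recs) > max_404_ratio:
            signals.add("404")             # guessing at files we don't serve
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if len(recs) > 1 and len(recs) / max(span, 1.0) > max_rps:
            signals.add("time")            # faster than a person clicks
        if signals and not any(w in ua.lower() for w in ("bot", "crawler", "spider")):
            signals.add("announce")        # behaves like a bot, hides it in the UA
        if signals:
            verdicts[ip] = signals
    return verdicts
```

Feeding the signal sets into a StatsD counter per signal, as the deck does for XSS, turns the heuristic into a graph you can check for false positives before any blocking is switched on.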
  • 61. Detection Nick Galbreath at DefCon 20 “LibInjection” for detecting SQLi Does it parse as SQL? Yes, then it’s SQL Do you have “.aspx” files? No, then why is someone requesting one?
  • 62. Log and Limit
        // Same check as slide 12: match the XSS pattern, log and count the hit,
        // then drop the request once this client exceeds its rate budget.
        if (preg_match(self::PATTERNXSS, $this->url) == true) {
            $msg = "attacktype=XSS url=" . $this->url;
            Logger::log_info($msg, 'SECURITY');
            StatsD::increment('security.potential_xss');
            if (! $this->rate->checkIncrement(self::XSS_WEIGHT)) {
                $this->drop_request = true;
            }
        }
  • 63. 439 - Not Handmade
  • 64. Check the Graphs
  • 65. Conclusions
  • 66. •  Instrument your application, log everything •  Get familiar with data resources: people and tools •  Use your data to help drive security alerts, investigations, and actions
  • 67. Thanks! http://codeascraft.com