"Securing eCommerce with Data Metrics". Corey Benninger, Etsy
While the need for application logging and proper forensics information has been important after a security incident, it is not frequently used in proactive security. This talk will explore the ways that application logging, data, and metrics can be taken advantage of to create effective defenses for web applications. We query Hadoop for actual threshold numbers used for detecting attacks, proactively monitor for phishing attacks based on our own web server logs, respond in real-time to cross-site scripting attacks by hooking JavaScript methods, among other security countermeasures mined from big data. This presentation will help you build new defense strategies for your applications based on the data you are able to collect.

Published in: Technology
  1. Securing eCommerce with Data Metrics. Corey Benninger
  2. Founded in 2005, Etsy is an e-commerce website focused on handmade and vintage items, as well as art and craft supplies.
  3. Continuous Deployment: average 35 deploys to production a day; about 10,000 lines of code a day.
  4. Corey Benninger, Senior Software Security Engineer, @0xb3nn
  5. Overview: Collecting Metrics; Viewing Metrics; Taking Action; Case Studies. (https://www.etsy.com/listing/92868829/the-oh-my-orange-elephant-designer-wall)
  6. First, a thesis
  7. The security posture of your application is directly proportional to how much you know about your application.
  8. Looks fine from here (https://www.etsy.com/listing/96459220/stick-your-head-in-the-sand-pen-ink)
  9. Data Collection
  10. Application Stats
  11. https://github.com/etsy/statsd
  12. StatsD
        if (preg_match(self::PATTERNXSS, $this->url) === 1) {
            // Log the suspicious URL to the SECURITY log ...
            $msg = "attacktype=XSS url=" . $this->url;
            Logger::log_info($msg, 'SECURITY');
            // ... count it in StatsD ...
            StatsD::increment('security.potential_xss');
            // ... and drop the request once the weighted rate limit is exceeded.
            if (!$this->rate->checkIncrement(self::XSS_WEIGHT)) {
                $this->drop_request = true;
            }
        }
  13. We <3 Graphs
  14. https://github.com/etsy/dashboard
  15. Is this normal?
  16. Is this normal?
  17. Smoothing Data
  18. Get Historical
  19. Log Analysis
  20. Log all the things (https://www.etsy.com/listing/130330032/all-the-things-internet-meme-embroidered)
  21. Event logs, visit logs, error logs, mail logs, API logs, search logs, DNS logs...
  22. Splunk
  23. Databases
  24. Databases: relational (row) database; columnar (column) database; MapReduce (clustered data processing). (https://www.etsy.com/listing/128620213/vintage-happiness-is-a-humongousl)
  25. Awesome Data Team
  26. 160 nodes, 3840 cores, 15 TB of RAM, 960 TB storage
  27. • Ad-hoc analysis of a large dataset • Needs to be fast (or scalable) • Might not do it more than once (for a data set)
  28. Why: Analytics
  29. SuperBIT
  30. Case Studies
  31. Full Site SSL: resource cost
  32. Goal: Full-site SSL for all Etsy sellers
  33. Opt In
  34.   analytics_cascade do
          analytics_flow do
            analytics_source 'event_logs'
            tap_db_snapshot 'users_index'
            assembly 'event_logs' do
              group_by 'user_id', 'scheme' do
                count 'value'
              end
            end
            assembly 'users_index' do
              project 'user_id', 'is_seller'
            end
            assembly 'ssl_traffic' do
              project 'user_id', 'is_seller', 'scheme', 'value'
              group_by 'is_seller', 'scheme' do
                count 'value'
              end
            end
            analytics_sink 'ssl_traffic'
          end
        end
  35. Incident Response for web attacks
  36. Finding Vulns: Bug Bounty Program, launched Sept 2012. Reward: $500 - $2000 (https://www.etsy.com/listing/152084181/boba-fett-the-good-the-bad-and-the)
  37. Needle in a haystack
  38. Simple Patterns: • URL Patterns • IP Addresses
  39.   analytics_cascade do
          analytics_flow do
            analytics_source 'access_logs'
            assembly 'incident_response' do
              query_event 'timestamp', 'request_uri', 'useragent', 'ip'
              where '"/bad_url.php".equals(request_uri:string)'
              group_by 'url' do
                count 'value'
              end
            end
            analytics_sink 'incident_response'
          end
        end
  40. When to Alert: setting thresholds
  41. Big Data Answer: • Per time period, count password resets • Sort the amounts • Discard outliers • Average remaining • Compare with past known attacks
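The five steps on slide 41 carried through on constructed data, as an added example that is not the talk's code. The log format, the 10% trim used to discard outliers, and the midpoint rule used to "compare with past known attacks" are assumptions.

```python
import re
import statistics
from collections import Counter

# Added example, not from the talk: carry the slide's five steps through on
# constructed data. The log format, the 10% trim and the midpoint rule for
# "compare with past known attacks" are assumptions.
RESET_LINE = re.compile(r"^(?P<hour>\d{4}-\d\d-\d\dT\d\d):\d\d:\d\d POST /password/reset ")


def resets_per_hour(lines):
    """Step 1: per time period (here one hour), count password-reset requests."""
    counts = Counter()
    for line in lines:
        m = RESET_LINE.match(line)
        if m:
            counts[m.group("hour")] += 1
    return counts


def trimmed_mean(values, trim_fraction=0.1):
    """Steps 2-4: sort, discard the top and bottom slice as outliers, average the rest."""
    ordered = sorted(values)
    k = int(len(ordered) * trim_fraction)
    kept = ordered[k:len(ordered) - k] if k else ordered
    return statistics.mean(kept)


def choose_threshold(hourly_counts, past_attack_counts, trim_fraction=0.1):
    """Step 5: place the threshold between normal traffic and the smallest past attack."""
    baseline = trimmed_mean(hourly_counts, trim_fraction)
    return (baseline + min(past_attack_counts)) / 2


def alerting_hours(hourly_counts, threshold):
    """Hours whose count exceeds the threshold; these are the ones to alert on."""
    return sorted(h for h, c in hourly_counts.items() if c > threshold)


# Constructed data: fourteen ordinary hours plus one anomalous hour, and the
# counts recorded during three past incidents.
SAMPLE_HOURLY = {"h%02d" % i: c for i, c in enumerate(
    [12, 15, 9, 14, 11, 13, 10, 16, 12, 14, 240, 11, 13, 15, 12])}
PAST_ATTACKS = [180, 240, 310]
```

With the sample data the trimmed baseline is about 13 resets per hour and the threshold lands near 96, so only the anomalous hour alerts while the normal spread never does.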
  42. Collusion Fraud
  43. The Price is Wrong?
  44. Overpaid
  45. Analysis: check for meta-data; exact hash and fuzzy hashing; analysis of key properties (shadows, patterns, shading...)
  46. Grow Stronger: detection is timely (hashing ~1ms); each new data point helps for analysis
  47. Phishing Attack: reactive to proactive
  48. Not Etsy
  49. Reactive
  50. Incident Response
        source="access_logs" client_ip=10.163.2.3 | transaction request_uri
  51. Normal
  52. Proactive
  53. Scanners: low hanging fruit
  54. Bad Deploy?
  55. Block Only Bad Bots: allow legitimate users (including API requests); allow search engines; allow our own scans. (https://www.etsy.com/listing/162962424/robot-dress-up-costume)
  56. Asimov?
  57. Bad Bots
  58. Bad Bots
  59. False Positives
  60. Bad Bots: Disobey; 404; Time; Announce (https://www.etsy.com/listing/159148839/robot-card-trust-no-one)
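The four bad-bot signals on slide 60 (disobey robots.txt, 404s, timing, announce) scored per client over constructed access-log lines, with the allow-list from slide 55 applied first; this is an added example, not the talk's code. The log format, the disallowed prefixes, the user-agent lists and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Added example, not from the talk. Log format, robots.txt prefixes, user-agent
# allow-list and thresholds are assumptions chosen for illustration.
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<ts>\d+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
                    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')
DISALLOWED_PREFIXES = ("/admin", "/internal")       # assumed robots.txt Disallow rules
ALLOWED_UA_PREFIXES = ("Googlebot", "MyShopApp/", "EtsyScanner/")  # assumed: search engine, API client, own scans
ANNOUNCE_RE = re.compile(r"bot|crawler|spider|curl|python-requests", re.IGNORECASE)
MAX_404S = 3            # assumed: this many 404s from one client is suspicious
MIN_GAP_SECONDS = 1     # assumed: two requests inside one second is faster than a person

def requests_by_ip(lines):
    """Group parsed log records by client IP; malformed lines are skipped."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            by_ip[m["ip"]].append(m.groupdict())
    return by_ip

def score_client(reqs):
    """Return (score, reasons): one point per signal, 0 for allow-listed agents."""
    if any(r["ua"].startswith(ALLOWED_UA_PREFIXES) for r in reqs):
        return 0, ["allow-listed"]
    reasons = []
    if any(r["path"].startswith(DISALLOWED_PREFIXES) for r in reqs):
        reasons.append("disobey")       # fetched something robots.txt disallows
    if sum(r["status"] == "404" for r in reqs) >= MAX_404S:
        reasons.append("404")           # guessing paths that do not exist
    times = sorted(int(r["ts"]) for r in reqs)
    if any(b - a < MIN_GAP_SECONDS for a, b in zip(times, times[1:])):
        reasons.append("time")          # inhuman request cadence
    if any(ANNOUNCE_RE.search(r["ua"]) for r in reqs):
        reasons.append("announce")      # the client tells us it is a tool
    return len(reasons), reasons

def classify(lines):
    return {ip: score_client(reqs) for ip, reqs in requests_by_ip(lines).items()}

# Constructed sample log: a person, a noisy tool, and an allow-listed API client.
SAMPLE_LOG = [
    '10.0.0.5 1000 "GET /listing/1" 200 "Mozilla/5.0"',
    '10.0.0.5 1009 "GET /listing/2" 200 "Mozilla/5.0"',
    '10.0.0.7 1000 "GET /admin/login" 404 "python-requests/2.0"',
    '10.0.0.7 1000 "GET /login.aspx" 404 "python-requests/2.0"',
    '10.0.0.7 1001 "GET /listing/1.aspx" 404 "python-requests/2.0"',
    '10.0.0.9 1000 "GET /listing/3" 200 "MyShopApp/1.2"',
]
```

Scoring rather than blocking on any single signal is what keeps the false-positive slide in mind: a person who hits one 404 scores nothing, while a client that trips all four signals is hard to mistake for a customer.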
  61. Detection: Nick Galbreath at DefCon 20, "LibInjection" for detecting SQLi. Does it parse as SQL? Yes, then it's SQL. Do you have ".aspx" files? No, then why is someone requesting one?
  62. Log and Limit
        if (preg_match(self::PATTERNXSS, $this->url) === 1) {
            // Log the suspicious URL to the SECURITY log ...
            $msg = "attacktype=XSS url=" . $this->url;
            Logger::log_info($msg, 'SECURITY');
            // ... count it in StatsD ...
            StatsD::increment('security.potential_xss');
            // ... and drop the request once the weighted rate limit is exceeded.
            if (!$this->rate->checkIncrement(self::XSS_WEIGHT)) {
                $this->drop_request = true;
            }
        }
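The "log and limit" handler from slides 12 and 62 rebuilt in Python as an added example (not the talk's PHP), so the weighted rate limit that decides when to drop a request can be run on constructed traffic. The XSS pattern, the weight, the budget and the window are assumptions; the real values live in the application's own configuration.

```python
import re
import time
from collections import Counter

# Added example (not the talk's code): a Python stand-in for the PHP "log and
# limit" handler on the slide. The XSS pattern, the weight and the budget are
# assumptions; the real values live in the application's own config.
PATTERN_XSS = re.compile(r"<\s*script|javascript:", re.IGNORECASE)
XSS_WEIGHT = 5        # assumed: cost of one suspected XSS probe
RATE_LIMIT = 12       # assumed: points a client may spend per window
WINDOW_SECONDS = 60

stats = Counter()     # stand-in for StatsD::increment
security_log = []     # stand-in for Logger::log_info(..., 'SECURITY')


class RateLimiter:
    """Fixed-window weighted counter, one bucket per client key."""

    def __init__(self, limit, window, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self.buckets = {}   # key -> [window_start, points_used]

    def check_increment(self, key, weight):
        """Spend `weight` points for `key`; False once the window's budget is gone."""
        now = self.clock()
        start, used = self.buckets.get(key, (now, 0))
        if now - start >= self.window:      # window expired: start a fresh bucket
            start, used = now, 0
        used += weight
        self.buckets[key] = [start, used]
        return used <= self.limit


def handle_request(client_ip, url, limiter):
    """Mirror the slide: log, count, and drop the request when over budget."""
    if PATTERN_XSS.search(url):
        security_log.append("attacktype=XSS url=%s client_ip=%s" % (url, client_ip))
        stats["security.potential_xss"] += 1
        if not limiter.check_increment(client_ip, XSS_WEIGHT):
            return "drop"          # $this->drop_request = true
    return "serve"


def simulate(urls, client_ip="10.0.0.9"):
    """Run constructed traffic from one client through a fresh limiter."""
    limiter = RateLimiter(RATE_LIMIT, WINDOW_SECONDS)
    return [handle_request(client_ip, u, limiter) for u in urls]
```

Every match is logged and counted before the limit is consulted, so the graphs and the SECURITY log see the first probes as well as the dropped ones.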
  63. 439 - Not Handmade
  64. Check the Graphs
  65. Conclusions
  66. • Instrument your application, log everything • Get familiar with data resources: people and tools • Use your data to help drive security alerts, investigations, and actions
  67. Thanks! http://codeascraft.com