
Making Sense of Web Attacks: From Alerts to Narratives


Co-Founder & CTO of Imperva, Amichai Shulman, discusses how recognizing the security narrative in your web-application is a big challenge. On the one hand security products are getting more sensitive and are detecting even minor anomalies in incoming web traffic, while on the other hand attacks are becoming more automated and traffic intensive. As a result, security operators find themselves sifting through hundreds of thousands of individual alert messages per day, striving to know what the “#@$%” is going on. These slides present our innovative system that groups individual alerts from a web application firewall into attack narratives. They also present real-world cases and show results.

Published in: Technology

Making Sense of Web Attacks: From Alerts to Narratives

Slide 1: Making Sense of Web Attacks: From Alerts to Narratives
  Amichai Shulman, Co-Founder, CTO

Slide 2: Agenda
  • The problem
  • Suggested solution – Attack Narrative
  • Real world data

Slide 3: The Problem

Slide 4: The Problem
  • Security alerts volume is increasing
  • Attack sophistication is increasing
  • Shortage of security talent / need for higher productivity
  Need to:
  • Analyze new threats
  • Adjust security mechanisms
  • Keep WAF updated with new trends
  • Verify all is working correctly (reports)

Slide 5: Existing solution - SIEM
  [Diagram: SIEM fed by WAF, Anti-Virus and Active Directory]
  • Security Information and Event Management
  • Ineffective
  • Correlating WAF security events with other devices' alerts is meaningless
  • Aggregating WAF alerts requires WAF expertise

Slide 6: Attack Narrative

Slide 7: Attack Narrative
  • The alert captures the suspicious request
  • The narrative captures a wider phenomenon like source, intent, method, tool
  [Diagram: Alerts (in millions) → Machine Learning → Narratives (in tens)]
  Example narrative: “SQL injection attack on 18 servers from 192.168.0.0/24 (11.3K alerts)”

Slide 8: Unsupervised ML - Clustering
  Application areas:
  • Medical imaging
  • Face recognition
  • Social network analysis
  • Market research
  • Transcriptomics
  • And many more…
  [Diagram: alerts grouped into Narrative 1, Narrative 2, Narrative 3]

Slide 9: Cross Days / Cross Apps
  • Create clusters per day, per application
  • Link clusters across days (similarity across days)
  • Link clusters across apps (similarity across applications)
  [Diagram: Day 1 / Day 2, App 1 / App 2; similar clusters linked into one incident]

Slides 10-12 (build slides): Domain Expertise
  • Characterize attackers & attacks
  • Feature selection
  • Distance metric
  • Clustering algorithm
  • Incidents prioritization

Slide 13: The Problem and the Attack Narrative
  • Security alerts volume is increasing
  • Attack sophistication is increasing
  • Shortage of security talent / need for higher productivity
  What Attack Narrative does:
  • Reduces amount of items to investigate
  • Tries to reveal things we know that we don’t know
  • Automate analyst work

Slide 14: Unified Management
  [Diagram: Application → WAF security events → Attack Narrative]
  • SQLi Scan: 993 SQLi attempts from IP X during 6AM-10AM
  • Distributed XSS: 3,400 XSS attempts from 20 IPs 7:00-7:01
  • Scan: 2365 various alerts from 2 Ukrainian IPs 08:02-08:05
  • Profile Issue: 1,050 SQLi alerts from 50 IPs 09:00-10:00
  • Manual Attack: 725 SQLi alerts from IP x 11:00-11:20
  • …

Slide 15: Feedback System
  [Diagram: WAF → Attack Narrative → WAF; cycle Report → Identify → Analyze → Act]
  • End-to-end system
  • Real time
  • Forensics

Slide 16: Real World Data

Slide 17: Top 20 Imperva SOC applications with highest #security events per day (averaged over 4 days)

  Application   #security events per day
  1             475,176
  2             219,679
  3             180,302
  4             143,253
  5             126,578
  6              96,683
  7              91,212
  8              83,924
  9              69,401
  10             65,459
  11             56,484
  12             52,577
  13             52,407
  14             48,544
  15             43,938
  16             42,904
  17             42,367
  18             41,341
  19             37,325
  20             35,699

  Input vs. output of the narrative system:

  App Index   # Security Events (Input)   # Incidents (Output)
  1            33,872                      11
  2           100,000                      24
  3            18,789                      16
  4            27,688                      20
  5            64,517                      19
  Average      48,973                      18

Slide 18: Vatican Attack Data
  • Track IPs, users
  • Track entities: UA, specific parameter
  • Track time activity
  • Track volume
  • Search external information
  • Correlate with reputation services
  • Cluster geo-locations
  • And more…

Slide 19: Struts Remote Code Execution
  • We found one narrative in a daily analysis
  • 81 security events
  • CVE-2013-2115: Apache Struts Code Execution
  • 2 IPs, same class C

Slide 20: Summary
  • Attacks are complex and generate many indications
  • Identifying attacks by tracking individual indications is time consuming and beyond human capacity
  • Indications must be aggregated per individual security layer before being correlated with indications from other layers

Slide 21: Summary
  • Unsupervised machine learning can be applied in order to achieve aggregation
  • Domain expertise must be applied to the machine learning algorithm in order to achieve sensible results
  • Application to real world data produced 1:1000 aggregation

Slide 22: More Info
  Subscribe to the Imperva blog for ongoing application security information: https://www.imperva.com/blog/
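As an added example (not from the deck and not Imperva's system), a small Python sketch of the clustering steps on slide 9 and the narrative format on slide 14: constructed WAF alerts are clustered per application and day by attack type and source /24 with a time-gap rule, clusters that recur across days are linked, and each cluster is rendered as a one-line narrative. The features, the 30-minute gap threshold and the "Scan"/"Distributed" labels are assumptions standing in for the domain expertise the deck says must shape the algorithm.

```python
from collections import defaultdict
from datetime import datetime, timedelta
ALERTS = [  # constructed sample WAF alerts: (app, ISO timestamp, source IP, alert type)
    ("app1", "2014-05-01T06:02:00", "203.0.113.7", "SQLi"),
    ("app1", "2014-05-01T06:04:00", "203.0.113.7", "SQLi"),
    ("app1", "2014-05-01T06:09:00", "203.0.113.7", "SQLi"),
    ("app1", "2014-05-01T07:00:10", "198.51.100.2", "XSS"),
    ("app1", "2014-05-01T07:00:20", "198.51.100.9", "XSS"),
    ("app2", "2014-05-01T06:30:00", "203.0.113.8", "SQLi"),
    ("app1", "2014-05-02T06:10:00", "203.0.113.7", "SQLi"),
    ("app1", "2014-05-02T06:12:00", "203.0.113.7", "SQLi"),
    ("app1", "2014-05-01T11:00:00", "203.0.113.7", "SQLi"),  # same source, hours later
]
def subnet(ip):
    """Source feature at /24 granularity (the deck groups attackers by class C)."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def cluster_per_app_day(alerts, gap=timedelta(minutes=30)):
    """Step 1 (slide 9): cluster per application and day. Alerts sharing (app, day,
    attack type, source /24) merge while within `gap`; a longer silence starts a new cluster."""
    by_key = defaultdict(list)
    for app, ts, ip, kind in alerts:
        t = datetime.fromisoformat(ts)
        by_key[(app, t.date(), kind, subnet(ip))].append((t, ip))
    clusters = []
    for (app, day, kind, net), events in by_key.items():
        current = None
        for t, ip in sorted(events):
            if current and t - current["end"] <= gap:
                current["end"], current["count"] = t, current["count"] + 1
                current["ips"].add(ip)
            else:
                current = {"app": app, "day": day, "kind": kind, "net": net,
                           "start": t, "end": t, "count": 1, "ips": {ip}}
                clusters.append(current)
    return clusters

def link_across_days(clusters):
    """Step 2 (slide 9): link same-app clusters with the same attack type and /24 seen on more than one day."""
    by_sig = defaultdict(list)
    for c in clusters:
        by_sig[(c["app"], c["kind"], c["net"])].append(c)
    return [cs for cs in by_sig.values() if len({c["day"] for c in cs}) > 1]

def narrative(c):
    """Render one cluster as a one-line narrative in the style of slide 14 (labels are assumed)."""
    src = next(iter(c["ips"])) if len(c["ips"]) == 1 else f"{len(c['ips'])} IPs in {c['net']}"
    label = "Scan" if len(c["ips"]) == 1 else "Distributed"
    return f"{label} {c['kind']}: {c['count']} attempts from {src} {c['start']:%H:%M}-{c['end']:%H:%M}"
```

On the nine constructed alerts this yields five clusters (the 11:00 SQLi alert is split from the 06:02-06:09 burst by the gap rule) and one cross-day link, the app1 SQLi source that returns on the second day.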
