Top Strategies to Capture Security            Intelligence for Applications            John B. Dickson, CISSP            D...
John Dickson  • Principal of Denim Group  • 15-year information security consultant    background  • Ex-Air Force security...
Denim Group Background • Professional services firm that builds & secures enterprise applications         – External appli...
Overview •     Today’s network security intelligence •     The target of choice – applications •     In application defens...
Today’s Network Security Intelligence  • Key information from security-related events in the organization can    be collec...
Today’s Network Security Intelligence                                                     The very crowded                ...
Today’s Network Security Intelligence  • What do network defenders really need?           – What, when, where, and how an ...
The target of choice – applications  • App level breaches accounted for 10% of breaches overall, but 54%    for large orga...
Application Vulnerability – Injection                                   #1 in OWASP Top 10 • “Getting into” a file system ...
With normal input User Name:                  johndoe Password:                   myBirthday SELECT * FROM USERS WHERE USE...
With malicious input User Name: johndoe Password:   ; DROP DATABASE; -- SELECT * FROM USERS WHERE USERNAME=johndoe AND PAS...
What Is It?    •     Occurs when unfiltered user inputs are combined          with static text and then sent to an interpr...
In application defenses  • A chasm exists between the development and operations/security    communities           – DevOp...
The very real state of in application defenses  • Example application log #1  logger.warn("Caught exception " + e);  e.pri...
The very real state of in application defenses  • Example application log #2  logger.info("Failed login for user " + usern...
The very real state of in application defenses  • Example application log #3  logger.info("Order placed with credit card n...
The very real state of in application defenses  • What did we learn from these examples?           – Developers might log ...
Application logging blocking and tackling • Security operators must inject themselves into the design phase of   developme...
Application logging blocking and tackling • Increasing the fidelity of security event logging – HOW? • Need to focus on:  ...
Which events to log •     Input validation failures •     Output validation failures •     Authentication successes and fa...
Which events attributes to log •     Log date and time •     Event date and time •     Interaction identifier •     Applic...
Which events never to log •     Passwords •     Sensitive system attributes •     Source code •     Session identification...
Application logging blocking and tackling  • Example application log #4  logger.debug("Failed login for user: " +  logEsca...
Application logging blocking and tackling  • Example application log #5  logger.warn("User " + logEscape(username) + "  at...
WAF’s and application IDS • Broad set of technologies that enable enhanced application-layer   logging • Provide insight i...
AppSensor • A conceptual framework that offers guidance to implement intrusion   detection capabilities into existing appl...
AppSensor • An attacker often requires numerous probes and attack attempts in   order to locate an exploitable vulnerabili...
AppSensor • Behavior examples (~50)         –     2 Detection Points 2.1 RequestException         –     2.1.1 RE1: Unexpec...
Virtual patching for web applications  • Receives vulnerabilities from application vulnerability scanners           – Dyna...
References  • “How to Do Application Logging Right,” Chuvakin, Anton, and    Peterson, Gunnar           –    http://arctec...
Contact Info John Dickson, CISSP & Principal (210) 572-4400 john@denimgroup.com Twitter: @johnbdickson© Copyright 2012 Den...
Upcoming SlideShare
Loading in …5
×

Top Strategies to Capture Security Intelligence for Applications

3,371 views

Published on

Security professionals have years of experience logging and tracking network security events to identify unauthorized or malicious activity on a corporate network. Unfortunately, many of today's attacks are focused on the application layer, where the fidelity of logging for security events is less robust. Most application logs are typically used to see errors and failures and the internal state of the system, not events that might be interesting from a security perspective. Security practitioners are concerned with understanding patterns of user behavior and, in the event of an attack, being able to see an entire user’s session. How are application events different from network events? What type of information should security practitioners ensure software developers log for event analysis? What are the types of technologies that enable application-level logging and analysis? In this presentation, John Dickson will discuss what should be present in application logs to help understand threats and attacks, and better guard against them.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,371
On SlideShare
0
From Embeds
0
Number of Embeds
1,626
Actions
Shares
0
Downloads
20
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Top Strategies to Capture Security Intelligence for Applications

  1. 1. Top Strategies to Capture Security Intelligence for Applications John B. Dickson, CISSP Denim Group, Ltd.© Copyright 2012 Denim Group - All Rights Reserved
  2. 2. John Dickson • Principal of Denim Group • 15-year information security consultant background • Ex-Air Force security analyst at AFCERT • Trident Data Systems, KPMG, SecureLogix, and Denim Group information security consultant • Works with CIO’ s and CSO’s to build successful software security initiatives • Educates non-developer security professionals how to manage application risk© Copyright 2012 Denim Group - All Rights Reserved 1
  3. 3. Denim Group Background • Professional services firm that builds & secures enterprise applications – External application assessments • Web, mobile, and cloud – Software development lifecycle development (SDLC) consulting • Classroom and e-Learning for PCI compliance • Secure development services: – Secure .NET and Java application development – Post-assessment remediation • Deep penetration in Financial Services, Banking, Insurance, Healthcare and Defense market sectors • Customer base spans Fortune 500 • Contributes to industry best practices through the Open Web Application Security Project (OWASP)© Copyright 2012 Denim Group - All Rights Reserved 2
  4. 4. Overview • Today’s network security intelligence • The target of choice – applications • In application defenses • Application logging blocking and tackling • WAF’s and application IDS • Virtual patching for web applications • Conclusion© Copyright 2012 Denim Group - All Rights Reserved 3
  5. 5. Today’s Network Security Intelligence • Key information from security-related events in the organization can be collected – The broader range the better – A variety of key security events on a multitude of devices • Firewalls • Remote access servers • Critical servers (e.g., active directory) • Correlation and analysis capabilities are also mature – Context important to analysis • Network and server logging market maturing – Marketplace includes Security Event Managers (SEM), Security Information and Event Managers (SIEM), and Advanced Logging Products – May address certain compliance requirements like Sarbanes-Oxley© Copyright 2012 Denim Group - All Rights Reserved 4
  6. 6. Today’s Network Security Intelligence The very crowded SIEM market Source: Gartner Group, Magic Quadrant for Security Information and Management, May 2012© Copyright 2012 Denim Group - All Rights Reserved 5
  7. 7. Today’s Network Security Intelligence • What do network defenders really need? – What, when, where, and how an event occurred – In a format that is external to the system or the application that created it – In a predictable format that is straightforward to import to SIEMs© Copyright 2012 Denim Group - All Rights Reserved 6
  8. 8. The target of choice – applications • App level breaches accounted for 10% of breaches overall, but 54% for large organizations • Only 20% of all organizations were in compliance with PCI DSS Requirement 6 – Develop and maintain secure systems and applications • Only 57% of large organizations were compliant with the PCI DSS Requirement 6 • The average number of days a website was exposed to at least one serious vulnerability is 231 days • XSS was found in 55% of websites in 2011 Sources: Verizon Business System, 2012 Breach Report and WhiteHat Security Report© Copyright 2012 Denim Group - All Rights Reserved 7
  9. 9. Application Vulnerability – Injection #1 in OWASP Top 10 • “Getting into” a file system or database used to imply establishing a root session or a direct SQL connection • By exploiting applications, attackers can accomplish their goals without such direct access – The whole system trusts the application – Attackers will try to leverage that trust© Copyright 2012 Denim Group - All Rights Reserved 8
  10. 10. With normal input User Name: johndoe Password: myBirthday SELECT * FROM USERS WHERE USERNAME=johndoe AND PASSWORD=myBirthday© Copyright 2012 Denim Group - All Rights Reserved 9
  11. 11. With malicious input User Name: johndoe Password: ; DROP DATABASE; -- SELECT * FROM USERS WHERE USERNAME=johndoe AND PASSWORD= ; DROP DATABASE; -- © Copyright 2012 Denim Group - All Rights Reserved 10
  12. 12. What Is It? • Occurs when unfiltered user inputs are combined with static text and then sent to an interpreter. • The interpreter then executes commands of the attackers choosing rather than the commands specified in the application. • Very common application security flaw with potentially disastrous security implications. • We will focus on SQL injection because it is the most common. • Other common injection flaws include OS Command, XML, and LDAP.© Copyright 2012 Denim Group - All Rights Reserved 11
  13. 13. In application defenses • A chasm exists between the development and operations/security communities – DevOps and Rugged Software Development changing that gap • Most software developers don’t build enterprise software with security in mind – Outside the largest banks and financial institutions, the security of software is less important (vs. features and functionality) • Most defensive coding focused on filtering malicious inputs – Very little focus on the fidelity of application logging to enhance security response • Most logging done to capture software debugging info – Developers want to understand how an application failed – Enhanced security information rarely a requirement for logging© Copyright 2012 Denim Group - All Rights Reserved 12
  14. 14. The very real state of in application defenses • Example application log #1 logger.warn("Caught exception " + e); e.printStackTrace();© Copyright 2012 Denim Group - All Rights Reserved 13
  15. 15. The very real state of in application defenses • Example application log #2 logger.info("Failed login for user " + username + " with password " + password + "");© Copyright 2012 Denim Group - All Rights Reserved 14
  16. 16. The very real state of in application defenses • Example application log #3 logger.info("Order placed with credit card number " + creditCardNumber);© Copyright 2012 Denim Group - All Rights Reserved 15
  17. 17. The very real state of in application defenses • What did we learn from these examples? – Developers might log information that actually creates more security headaches – Developers might not log information that is needed to analyze an attack – Developers might not log key security events in a human readable format – Developers might log information that is not in a format that is easily consumable by a SIEM (i.e., structured data) – Developers rarely ask security operations analysts for input on the types of logging needed – Developers rarely worry about the need to conduct trusted logging© Copyright 2012 Denim Group - All Rights Reserved 16
  18. 18. Application logging blocking and tackling • Security operators must inject themselves into the design phase of development projects to articulate security event logging requirement. • Security operators need to better understand application-layer information and how it can help them better identify security events. • Developers need to increase the fidelity of the security event information the do send to logs.© Copyright 2012 Denim Group - All Rights Reserved 17
  19. 19. Application logging blocking and tackling • Increasing the fidelity of security event logging – HOW? • Need to focus on: – What – When – Where – How • Key events to log: – Authentication – Authorization – Access Source: “How to Do Application Logging Right,” Chuvakin, Anton, and Peterson, Gunnar.© Copyright 2012 Denim Group - All Rights Reserved 18
  20. 20. Which events to log • Input validation failures • Output validation failures • Authentication successes and failures • Authorization failures • Session management failures • Application errors and system events • Application and related systems start-ups and shut-downs • Use of higher-risk functionality • Legal and other opt-ins Source: OWASP Application Logging Cheat Sheet© Copyright 2012 Denim Group - All Rights Reserved 19
  21. 21. Which events attributes to log • Log date and time • Event date and time • Interaction identifier • Application address • Service • Window/form/page • Code location • Source • User ID • Type of event Source: OWASP Application Logging Cheat Sheet© Copyright 2012 Denim Group - All Rights Reserved 20
  22. 22. Which events never to log • Passwords • Sensitive system attributes • Source code • Session identification values • Sensitive business information • Patient information (EPI) • Bank account or payment card holder data • HR, Payroll, M&A data or anything generally more sensitive than logs Source: OWASP Application Logging Cheat Sheet© Copyright 2012 Denim Group - All Rights Reserved 21
  23. 23. Application logging blocking and tackling • Example application log #4 logger.debug("Failed login for user: " + logEscape(username));© Copyright 2012 Denim Group - All Rights Reserved 22
  24. 24. Application logging blocking and tackling • Example application log #5 logger.warn("User " + logEscape(username) + " attempted to access document id " + logEscape(documentId) + " without sufficient permissions"); ;© Copyright 2012 Denim Group - All Rights Reserved 23
  25. 25. WAF’s and application IDS • Broad set of technologies that enable enhanced application-layer logging • Provide insight into Port 90/443 where most firewall don’t have info • Can block certain attack patterns at the application layer • Most WAF’s in production are not set in blocking mode • Block obvious web application vulnerabilities like XSS & SQL Injection – Less effective on business logic or authorization rules© Copyright 2012 Denim Group - All Rights Reserved 24
  26. 26. AppSensor • A conceptual framework that offers guidance to implement intrusion detection capabilities into existing application • Utilizes standard security controls and recommendations for automated response policies based upon detected behavior. • Identifies malicious users within the application and eliminate the threat by taking response actions.© Copyright 2012 Denim Group - All Rights Reserved 25
  27. 27. AppSensor • An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. • By using AppSensor, it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.© Copyright 2012 Denim Group - All Rights Reserved 26
  28. 28. AppSensor • Behavior examples (~50) – 2 Detection Points 2.1 RequestException – 2.1.1 RE1: Unexpected HTTP Command – 2.1.2 RE2: Attempt to Invoke Unsupported HTTP Method – 2.1.3 RE3: GET When Expecting POST – 2.1.4 RE4: POST When Expecting GET – 2.1.5 RE5: Additional/Duplicated Data in Request – 2.1.6 RE6: Data Missing from Request – 2.1.7 RE7: Unexpected Quantity of Characters in Parameter – 2.1.8 RE8: Unexpected Type of Characters in Parameter© Copyright 2012 Denim Group - All Rights Reserved 27
  29. 29. Virtual patching for web applications • Receives vulnerabilities from application vulnerability scanners – Dynamic or static analysis (source code) reviews • Creates “virtual patches” that are sent to WAFs and block a URL – Mod Security – F5 – Imperva • Ecosystems being created to facilitate this process via certain open source tools – ThreadFix – Application vulnerability aggregation and management system • Enable defenders to block a vulnerable web page/application while developers are remediating source code© Copyright 2012 Denim Group - All Rights Reserved 28
  30. 30. References • “How to Do Application Logging Right,” Chuvakin, Anton, and Peterson, Gunnar – http://arctecgroup.net/pdf/howtoapplogging.pdf • From White Hat Website Security Statistics Report – https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf • “Magic Quadrant for Security Information and Event Management,” Garter Group, May 2012 – http://www.gartner.com/technology/reprints.do?id=1- 1AOG9W9&ct=120529&st=sb&elq=51f9879c322f4bc8b964591857bdafa1 • 2012 Verizon Breach Report • App Sensor Project, Open Web Application Security Project – https://www.owasp.org/index.php/OWASP_AppSensor_Project© Copyright 2012 Denim Group - All Rights Reserved 29
  31. 31. Contact Info John Dickson, CISSP & Principal (210) 572-4400 john@denimgroup.com Twitter: @johnbdickson© Copyright 2012 Denim Group - All Rights Reserved 30

×