
AppSensor - Near Real Time Event Detection and Response

AppSensor is an OWASP project that defines a conceptual framework, methodology, guidance and reference implementation to design and deploy malicious behavior detection and automated responses directly within software applications.

There are many security protections available to applications today. AppSensor builds on these by providing a mechanism that allows architects and developers to build into their applications a way to detect events and attacks, then automatically respond to them. Not only can this stop and/or reduce the impact of an attack, it gives you incredibly valuable visibility and security intelligence about the operational state of your applications.


  1. AppSensor ~real-time event detection and response
  2. Agenda • who - prior work • why - motivations • what - the pitch • how - the tech • when - future plans • who - contributors
  3. who
  4. prior work • Network IDS (Denning, * others, NIST SP800-94) • Intrusion prevention • Fraud detection • Rules engines, Risk analysis/reduction (see Groves), HIDS
  5. terminology • event - suspicious • attack - malicious (1 .. * events) • response - take action (1 .. 1 attack) • detection point - activity category (e.g. cookie modification)
  6. why
  7. ~5 yrs ago dev • mostly web apps [RoR, PHP, .NET, Java] • ajax (jquery) use growing • mobile just getting started • deployment to VMs • hadoop picking up • BI tools • AWS starting • cloud hype cycle (NIST defines)
  8. ~now dev • JS everywhere • functional / rx programming • cloud everything • ci/cd • nosql / CAP light • containers • big data • stream processing • config management • iot • beacons [usage, ads, errors, performance] • actors/csp • microservices • cqrs / event sourcing • mobile
  9. ~now dev (same list) • each involves 1 .. * of [scale, speed, cloud, lack of environmental access]
  10. dev buzzwords • devops • functional (FP) • agile • cqrs / event sourcing • cloud (-native) • iot • scalable • microservices • ci/cd • containers • big data • streaming
  11. - LinkedIn, March 2015 “the Kafka ecosystem at LinkedIn is sent over 800 billion* messages per day.. At the busiest times of day, we are receiving over 13 million messages per second.” * Update (Sept 2015): 1.1 Trillion messages per day
  12. last ~5 yrs security • 3rd party libs (dep-check) • bug bounties • sast / dast evolve (ZAP) • iast / rasp • http security headers • automatic encoding (JXT) • *-monkey - NetflixOSS • bdd-security/gauntlt • ci/cd plugins • 2fa • osquery • each involves 1 .. * of [scale, speed, cloud, lack of environmental access]
  13. dev vs. security • dev is exploiting fundamental architectural and deployment changes to add business value! • security is iterating on existing solutions - and - trying to close gaps (known problems)
  14. having to deal with [scale, speed, cloud, lack of environmental access]! represents an enormous opportunity for security
  15. what
  16. the pitch • security can’t scale without dev + ops • automated response > manual response • make IDS primitives available at app layer • stop attacker before success • build self-protecting applications • gain valuable intel • benefit / extend (existing) secure sdlc efforts X success AppSensor
  17. (picture 1)
  18. Correlation … and scale
  19. how
  20. example (the same request is shown three times with different fields highlighted; the parameter to watch is from_acct, since nothing in the request itself proves the sender owns that account)

      POST /account/transfer HTTP/1.1
      Host: 127.0.0.1
      User-Agent: Mozilla/5.0 (Win…)
      Accept: text/html,application/xhtml+xml
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://127.0.0.1/account.php
      Cookie: PHPSESSID=l9…lgt5
      Connection: keep-alive
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 43

      from_acct=xxx1234&to_acct=xxx9876&amt=20.00
  23. example (no access control: any authenticated user can move money out of any account)

      @POST
      public Response transfer(String from, String to, String amount) {
          transfer(from, to, amount);
          return Response.ok();
      }

  24. example (the fix: check that the caller owns the source account; a forged from_acct is silently ignored)

      @POST
      public Response transfer(String from, String to, String amount) {
          if (currentUser.owns(from)) {
              transfer(from, to, amount);
          }
          return Response.ok();
      }

  25. example (the AppSensor step: a failed ownership check is not just denied, it is reported as an event at detection point ACE2, "Modifying Parameter Within a POST for Direct Object Access Attempt", so that repeated attempts can be correlated into an attack and responded to)

      @POST
      public Response transfer(String from, String to, String amount) {
          if (currentUser.owns(from)) {
              transfer(from, to, amount);
          } else {
              // a legitimate client never submits an account the user does not own
              appsensor.addEvent(new Event(currentUser, "ACE2"));
          }
          return Response.ok();
      }
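The event, attack and response terms from the terminology slide, applied to the ACE2 events the transfer example raises, as an added example that is not AppSensor's own code or API: events for one user and one detection point are kept in a sliding time window, crossing a threshold turns them into an attack, and each attack gets exactly one response from an escalation ladder. The names Policy and EventCorrelator, the policy of 3 events in 300 seconds, the response names and the event stream are all assumptions made for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One suspicious action observed at a detection point (e.g. "ACE2")."""
    user: str
    detection_point: str
    timestamp: float  # seconds, supplied by the caller


@dataclass(frozen=True)
class Policy:
    """Threshold policy for one detection point (illustrative values)."""
    threshold: int        # events within `window` that constitute an attack
    window: float         # seconds
    responses: tuple      # escalation ladder: first attack -> responses[0], ...


class EventCorrelator:
    """Turns events into attacks and attacks into responses, per user and
    per detection point, in the AppSensor sense of those three words."""

    def __init__(self, policies):
        self.policies = policies
        self._recent = defaultdict(deque)   # (user, dp) -> timestamps in window
        self._attacks = defaultdict(int)    # (user, dp) -> attacks declared so far
        self.responses = []                 # (user, dp, response), in order

    def add_event(self, ev):
        policy = self.policies[ev.detection_point]
        key = (ev.user, ev.detection_point)
        window = self._recent[key]
        window.append(ev.timestamp)
        # Forget events that fell out of the time window.
        while window and ev.timestamp - window[0] > policy.window:
            window.popleft()
        if len(window) < policy.threshold:
            return None                     # still just events, not an attack
        window.clear()                      # the attack consumes these events
        n = self._attacks[key]
        self._attacks[key] += 1
        # Escalate on repeat attacks; stay at the strongest response once reached.
        response = policy.responses[min(n, len(policy.responses) - 1)]
        self.responses.append((ev.user, ev.detection_point, response))
        return response


def run_demo():
    """Constructed event stream (not real data): 'mallory' posts a from_acct she
    does not own every 10 s (ACE2); 'alice' trips the same detection point once
    an hour, which a sane policy must not treat as an attack."""
    correlator = EventCorrelator({
        "ACE2": Policy(threshold=3, window=300.0,
                       responses=("log_and_warn", "logout", "disable_account")),
    })
    stream = [Event("mallory", "ACE2", float(t)) for t in range(0, 90, 10)]
    stream += [Event("alice", "ACE2", t) for t in (5.0, 3605.0, 7205.0)]
    stream.sort(key=lambda e: e.timestamp)
    for ev in stream:
        correlator.add_event(ev)
    return correlator.responses


if __name__ == "__main__":
    for user, dp, response in run_demo():
        print(f"attack on {dp} by {user}: respond with {response}")
```

Two design points carry over to a real deployment: the window is per user and per detection point, so a slow, distributed attacker who stays under the threshold is only caught by adding a per-detection-point (all users) policy alongside it; and the response ladder is what makes the system self-protecting rather than merely self-reporting, so the bottom rung should be something the application can actually enforce (invalidate the session, lock the account), not just a log line.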
  26. OWASP ASIDE • secure programming IDE plugin • educational component • https://www.owasp.org/index.php/OWASP_ASIDE_Project
  27. OWASP ASIDE (screenshot)
  28. OWASP ASIDE (screenshots, three builds) Based on ESAPI code (length checked), ASIDE infers that this may be a point to insert an app sensor; whether a sensor is placed relies on the developer's decision.
  31. OWASP ASIDE It not only captures the context information (e.g. the sensor event is from the username field), but also records that the sensor event is due to an exceedingly lengthy input.
  32. ASIDE sensor coverage

      Detection Point Type          Detection Points Covered
      AuthenticationException       AE4: Unexpected Quantity of Characters in Username
                                    AE5: Unexpected Quantity of Characters in Password
                                    AE6: Unexpected Type of Character in Username
                                    AE7: Unexpected Type of Character in Password
      InputException                IE1: Cross Site Scripting Attempt
      EncodingException             EE1: Double Encoded Character
                                    EE2: Unexpected Encoding Used
      CommandInjectionException     CIE1: Blacklist Inspection for Common SQL Injection Values

      Detection Points Picked       Corresponding ASIDE APIs
      AE4, AE5                      Java.lang.String ASIDE.QuantityExceptionSensor(Java.lang.String parameter)
      AE6, AE7                      Java.lang.String ASIDE.TypeExceptionSensor(Java.lang.String parameter)
      IE1                           Java.lang.String ASIDE.XSSSensor(Java.lang.String parameter)
      EE1, EE2                      Java.lang.String ASIDE.EncodingExceptionSensor(Java.lang.String parameter)
      CIE1                          Java.lang.String ASIDE.SQLInjectionSensor(Java.lang.String parameter)

  33. OWASP ASIDE • eclipse IDE • reminder icon or highlight • drop down list of applicable sensors • auto-insertion of ASIDE sensor APIs and code refactoring
  34. owasp SoC sprint • Sumanth Damarla • 6 weeks • appsensor -> ELK stack • appsensor -> influxdb -> grafana
  35. owasp SoC sprint (dashboard screenshots, six slides)
  41. machine learning • very simple analysis • generated demo dataset for 1-week • build base model • look for “anomalies”
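The four bullets above, carried out end to end as an added example; this is not the analysis from the talk, and the dataset is constructed here rather than taken from AppSensor output. It builds a one-week hourly series of event counts with one injected burst, fits a base model (centre and spread), and flags hours that sit far outside it. The base model uses median and MAD rather than mean and standard deviation; the mean-based score is computed alongside only to show why.

```python
from statistics import mean, median, pstdev

HOURS_PER_WEEK = 7 * 24


def generate_week(spike_hour=100, spike=60):
    """Constructed dataset (not real telemetry): hourly AppSensor event counts
    for one week. Counts are a little higher during working hours, carry a
    deterministic 0/1/2 jitter, and one hour has an injected burst standing in
    for an attack."""
    counts = []
    for h in range(HOURS_PER_WEEK):
        daytime = 2 if 8 <= h % 24 < 20 else 0
        jitter = h % 3
        counts.append(3 + daytime + jitter)
    counts[spike_hour] += spike
    return counts


def baseline(counts):
    """Base model: centre and spread of the week's hourly counts.
    Median and MAD are used rather than mean and standard deviation because the
    attack we are trying to find would otherwise inflate the spread it is then
    measured against (the masking problem)."""
    centre = median(counts)
    mad = median(abs(c - centre) for c in counts)
    return centre, mad


def anomalies(counts, centre, mad, z=3.0):
    """Hours whose robust z-score exceeds `z`. The factor 1.4826 scales MAD to
    the standard deviation for normally distributed data."""
    scale = 1.4826 * mad
    if scale == 0:
        return []   # degenerate week: every hour identical, nothing to compare against
    return [i for i, c in enumerate(counts) if (c - centre) / scale > z]


def classical_z(counts, hour):
    """Mean/std z-score of one hour, for comparison with the robust score."""
    mu, sigma = mean(counts), pstdev(counts)
    return (counts[hour] - mu) / sigma


def run_demo():
    counts = generate_week()
    centre, mad = baseline(counts)
    return anomalies(counts, centre, mad)


if __name__ == "__main__":
    week = generate_week()
    c, m = baseline(week)
    for hour in anomalies(week, c, m):
        print(f"hour {hour}: {week[hour]} events, robust z = "
              f"{(week[hour] - c) / (1.4826 * m):.1f}, "
              f"classical z = {classical_z(week, hour):.1f}")
```

With the constructed data the single burst scores roughly 40 on the robust scale but only about 12 on the mean/std scale, because the burst itself pulls the standard deviation up; a smaller burst would slip under a classical threshold while still standing out on the robust one. A one-week, one-number baseline is the "very simple analysis" the slide promises and no more: the next steps are a separate baseline per detection point and per hour of day, and a training window that excludes hours already declared attacks.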
  42. DEMO appsensor UI & exception handling example
  43. when
  44. future • better story for adding detection points • more (canned) analysis (exploring machine learning, expert systems) • more integrations • standard refactoring / maintenance
  45. you • help wanted! • plenty of places to contribute and improve • friendly, helpful community • https://github.com/jtmelton/appsensor/issues • https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Road_Map_and_Getting_Involved
  46. who
  47. related projects • ensnare • fido • riemann • elastalert
  48. pick a tool … but use the idea
  49. contributors • https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Acknowledgements
  50. me • appsensor dev lead • twitter: @_jtmelton • email: jtmelton@gmail.com • github: jtmelton
  51. links • https://www.owasp.org/index.php/OWASP_AppSensor_Project • http://appsensor.org/ • https://github.com/jtmelton/appsensor
  52. ?
