SlideShare a Scribd company logo

Graphing for Security

M
mr_secure

Short presentation on how graphing tools can be leveraged for security usages.

Technology
1 of 43
Download to read offline
Graphing for Security Ben Allen @mr_secure
whoami ● Architecture & Operations Engineer – SANS Institute 1+ years ● Security Architect / Analyst – University of Minnesota 10+ years ● Application Developer – SANS Institute 5+ years, contractor
Outline ● Background / Fast Forward ● Data Sources ● Framework Integration ● Dashboard Ideas ● Questions
Structural Overview
Data Sources
Data Sources ● Conceptually 4 levels – OS, Service, Framework, Application
Data Sources ● OS - collectd – All: CPU, memory, disk & network I/O – Selected: counts of important processes ● httpd processes on web server ● mysqld threads on DB server
Data Sources ● Service – custom scripts / graphite; collectd – MySQL: thread states, users, query stats – Apache: log analysis, server-status – Mail Bounce Processor: queue depth
Data Sources ● Framework – integrate statsd client library – eg. Kohana, Rails, Django, Symfony – Hook into event, logging systems – Performance counters: ● page generation time / memory use / cache hit % – Details per app, controller (warning), function (danger!!) – Use framework introspection to construct part of metric path ● framework.datacenter.server.application.controller. total_time ● ^---- this part is auto generated -------------------^ . developer- provided
Data Sources ● Application – Leverage framework integration – Frictionless for developers - POLA – Business metrics ● statsd::increment(“sales.$widget.$color”, $price); – Behavior metrics ● Login success / failure; account lockout ● Input validation success / failure ● Trap page access
Framework Integration
Framework Integration ● Target: make measurements frictionless for developers – Example frameworks: Kohana, Django, Rails, Symfony ● Look & act like other framework components – Seamless integration – Include in “baseline” installation for framework – Share externally ● POLA – Principle of Least Astonishment – Minimize / eliminate the learning curve
Framework Integration ● Request processing sequence – Framework bootstrap – Request analysis / routing – Execution – Shutdown – Exceptions ● Hooks
Framework Integration ● Use existing configuration mechanism – Configure just like any other framework module ● Hook into event mechanism – Logging events - Display events – Error events - Exception handler ● Utilize existing internal data – Memory usage - Timing data
Framework Integration ● Extend helper routines – Logging (gather count by log level) – Validators (email address, number, name, ip address, safe string) – Authentication (success, fail, account lockout) – Authorization (action not permitted)
Framework Integration ● Auto-generate base part of metric name ● Use framework introspection & configuration – framework.datacenter.server.application.controller. total_time – ^---- this part is auto generated -------------------^ . developer-provided – eg. metrics::timing('total_time', $totalTime);
Framework Integration ● Starting Point – Errors: 403, 404, 500 – Execution times: controller & total – Memory Usage – Logging events ● Requires no application changes ● Generates useful information
Dashboard Ideas
Dashboards Ideas ● Focusing on SECURITY mindset ● System & Application Health – Know your baseline – vs. 7 days ago – is there a pattern? – Web server health ● process states; memory & CPU usage ● disk & network I/O – DB server health ● memory & CPU usage, long queries, I/O
Dashboard Ideas ● Find what works for your team – Mix breadth & depth ● One metric across many systems / services – eg. memory or CPU usage; web server status ● Many (all) metrics for one system – eg. page load times, CPU, I/O, db conns, etc.
one metric – many systems
Security Dashboards 2 Classes: ● Application Behaviors – Custom per application – Related to application logic, intent ● Errant Behaviors – More generic – Can support multiple applications – Integrate at framework to make them automatic ● Note: intent requires human interpretation, logs
Security Dashboards Application Behavior ● Login failures (count, percent) ● Business transactions – DoS attack vs. successful marketing – Registration deadline
Security Dashboards Application Behavior ● Transaction failures – CC declined – Non-existent domain for email address ● Access forbidden – User trying to access parts of app beyond their authorization – Forced browsing vs. exposed link
Security Dashboards Application Behavior ● Trap fields populated – Unused, empty form field with tempting name – Not displayed to users – Will be filled in by automated scanner / spam bot – eg. “subject” ● CAPTCHA failures
Security Dashboards Errant Behaviors ● Long running SQL Queries – pages with poorly written queries – SQLi causing abnormal queries to be executed – WAITFOR / DELAY / BENCHMARK ● Blind SQLi ● Concept holds for any external data source – Service / API call; LDAP query; etc.
Long Running Queries ● Note the same behavior from 7 days ago – Yellow line
Security Dashboards Errant Behaviors ● Server Errors – HTTP 5xx – Internal application failures should not be part of a normally operating application – Configuration error – License expiration – Unchecked input -> malformed internal command ● Attacker probing for command injection flaws
Server Errors Dashboard
Security Dashboards Errant Behaviors ● Input Validation Errors – Application scanners tend to cause sharp rise – Generate as part of framework integration – Check for empty inputs too (application dependent)
Security Dashboards Errant Behaviors ● Page Load Times – Also a Key UX / Performance Indicator – Back end slowness (DB, internal services) – Injection attacks (SQLi, command injection) – Insufficient resources (too many requests to handle) – Fruitful data to identify measurement gaps ● What is not measured, but impacts page performance?
Security Dashboards Errant Behaviors ● Page Load Times (ctd.) – What level of detail? ● App / Controller / Method / View / Model – Scanning activity can cause collection DoS ● Create whisper db file for every new 404 error? – Aggregation rules can help here ● eg. aggregate all 404 metrics by application
Page Load Times ● Slowest 5 applications in one framework ● Based on upper 90th percentile of page generation time highestMax(groupByNode(framework.datacenter.*.*.*.*.total_execution.upper_90,4,"maxSeries"), 5)
Security Dashboards Errant Behaviors ● Web Server Response Codes – Per site / application / server – Group codes into buckets ● 1xx, 2xx, 3xx, 4xx, 5xx ● 0-399, 400+ – Percentage balance should be fairly stable ● eg. small % 4xx; no 5xx
Web Server Error Percentages alias(summarize(sumSeries(apache2.*.*.*.*.status.{4??,5??}.count), '$window', 'sum', false), 'error 4xx 5xx') alias(summarize(sumSeries(apache2.*.*.*.*.status.{2??,3??}.count), '$window', 'sum', false), 'success 2xx 3xx')
Security Dashboards Errant Behaviors ● Web Server Response Codes – Typo in link (404) ● eg. bulk mailer auto-corrects part of URL – Page removed but still referenced (404) – Scan for known vulnerable software (404) ● eg. /wp-admin – Injection attacks (500)
Summary ● Magnify benefits by minimizing cost to generate / use metrics ● Establish a baseline ● Pay attention to what's going wrong too ● Measure across full vertical range – Bits in/out – Business transactions completed ● Create & instrument misuse detectors – Trap fields, spider trap URLs
Questions
References / Links ● POLA - http://en.wikipedia.org/wiki/Principle_of_least_astonishment ● Form Trap Fields - https://isc.sans.edu/forums/diary/Form+Spam+Increasing+the+Attackers+work+function/1836/ ● Spider Trap URL - http://en.wikipedia.org/wiki/Spider_trap
Miscellany
Grafana Tips ● Shared Crosshair – Dashboard Settings > Features > Shared Crosshair (Ctrl +O) – Ease time correlation on multi-graph dashboards ● Templating Variables – Dashboard Settings > Features > Templating – Set a standard practice for variable names – POLA – server, site, action, etc.
Grafana Tips ● Summarization window – Templating > Variables > Add > Interval – Include auto interval = 200 – summarize($window, max, false) in metrics – Can provide hint to graphite for which rank of data to read from whisper file ● Tooltip: all series, individual – Graph > Display Styles – see all values at point in time
Grafana Tips ● Use annotations – Esp. code releases, change windows

Recommended

Bb world2014 powerpoint_security-automation-at-blackboard_saltzman_matthew_bb
Bb world2014 powerpoint_security-automation-at-blackboard_saltzman_matthew_bbBb world2014 powerpoint_security-automation-at-blackboard_saltzman_matthew_bb
Bb world2014 powerpoint_security-automation-at-blackboard_saltzman_matthew_bb
Matthew Saltzman
 
Training Webinar: Detect Performance Bottlenecks of Applications
Training Webinar: Detect Performance Bottlenecks of ApplicationsTraining Webinar: Detect Performance Bottlenecks of Applications
Training Webinar: Detect Performance Bottlenecks of Applications
OutSystems
 
Lets exploit Injection and XSS
Lets exploit Injection and XSSLets exploit Injection and XSS
Lets exploit Injection and XSS
lethalduck
 
SQL injection basics
SQL injection basicsSQL injection basics
SQL injection basics
Blueinfy Solutions
 
SNP Effect viewing and Graphing
SNP Effect viewing and GraphingSNP Effect viewing and Graphing
SNP Effect viewing and Graphing
HIRA Zaidi
 
Cause and effect graphic organizer
Cause and effect graphic organizerCause and effect graphic organizer
Cause and effect graphic organizer
sglar226
 
Cause & Effect
Cause & EffectCause & Effect
Cause & Effect
rodriguez_c
 
Cause effect graphing technique
Cause effect graphing techniqueCause effect graphing technique
Cause effect graphing technique
Ankush Kumar
 

Recommended

Bb world2014 powerpoint_security-automation-at-blackboard_saltzman_matthew_bb
Bb world2014 powerpoint_security-automation-at-blackboard_saltzman_matthew_bbBb world2014 powerpoint_security-automation-at-blackboard_saltzman_matthew_bb
Bb world2014 powerpoint_security-automation-at-blackboard_saltzman_matthew_bb
Matthew Saltzman
 
Training Webinar: Detect Performance Bottlenecks of Applications
Training Webinar: Detect Performance Bottlenecks of ApplicationsTraining Webinar: Detect Performance Bottlenecks of Applications
Training Webinar: Detect Performance Bottlenecks of Applications
OutSystems
 
Lets exploit Injection and XSS
Lets exploit Injection and XSSLets exploit Injection and XSS
Lets exploit Injection and XSS
lethalduck
 
SQL injection basics
SQL injection basicsSQL injection basics
SQL injection basics
Blueinfy Solutions
 
SNP Effect viewing and Graphing
SNP Effect viewing and GraphingSNP Effect viewing and Graphing
SNP Effect viewing and Graphing
HIRA Zaidi
 
Cause and effect graphic organizer
Cause and effect graphic organizerCause and effect graphic organizer
Cause and effect graphic organizer
sglar226
 
Cause & Effect
Cause & EffectCause & Effect
Cause & Effect
rodriguez_c
 
Cause effect graphing technique
Cause effect graphing techniqueCause effect graphing technique
Cause effect graphing technique
Ankush Kumar
 
Salesforce Performance hacks - Client Side
Salesforce Performance hacks - Client SideSalesforce Performance hacks - Client Side
Salesforce Performance hacks - Client Side
Paris Salesforce Developer Group
 
QSpiders - Installation and Brief Dose of Load Runner
QSpiders - Installation and Brief Dose of Load RunnerQSpiders - Installation and Brief Dose of Load Runner
QSpiders - Installation and Brief Dose of Load Runner
Qspiders - Software Testing Training Institute
 
Resolving problems & high availability
Resolving problems & high availabilityResolving problems & high availability
Resolving problems & high availability
Zend by Rogue Wave Software
 
CIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEMCIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEM
ICF CIRCUIT
 
Software Performance
Software Performance Software Performance
Software Performance
Prabhanshu Saraswat
 
Holistic Approach To Monitoring
Holistic Approach To MonitoringHolistic Approach To Monitoring
Holistic Approach To Monitoring
Melanie Cey
 
Performance Testing Overview
Performance Testing OverviewPerformance Testing Overview
Performance Testing Overview
James Venetsanakos
 
10 Tips for Your Journey to the Public Cloud
10 Tips for Your Journey to the Public Cloud10 Tips for Your Journey to the Public Cloud
10 Tips for Your Journey to the Public Cloud
Intuit Inc.
 
6 tips for improving ruby performance
6 tips for improving ruby performance6 tips for improving ruby performance
6 tips for improving ruby performance
Engine Yard
 
Performance Testing
Performance TestingPerformance Testing
Performance Testing
Anu Shaji
 
SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!
SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!
SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!
Richard Robinson
 
Application Performance Management
Application Performance ManagementApplication Performance Management
Application Performance Management
Noriaki Tatsumi
 
Application Performance Tuning Techniques
Application Performance Tuning TechniquesApplication Performance Tuning Techniques
Application Performance Tuning Techniques
Ram Nagesh
 
Architectures, Frameworks and Infrastructure
Architectures, Frameworks and InfrastructureArchitectures, Frameworks and Infrastructure
Architectures, Frameworks and Infrastructure
harendra_pathak
 
Visual Studio Profiler
Visual Studio ProfilerVisual Studio Profiler
Visual Studio Profiler
Betclic Everest Group Tech Team
 
Web Performance Optimization (WPO)
Web Performance Optimization (WPO)Web Performance Optimization (WPO)
Web Performance Optimization (WPO)
Betclic Everest Group Tech Team
 
Performance eng prakash.sahu
Performance eng prakash.sahuPerformance eng prakash.sahu
Performance eng prakash.sahu
Dr. Prakash Sahu
 
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
AppDynamics
 
SPSNYC SharePoint Worst Practices
SPSNYC SharePoint Worst PracticesSPSNYC SharePoint Worst Practices
SPSNYC SharePoint Worst Practices
Scott Hoag
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
Masoud Kalali
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Neo4j
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

More Related Content

Similar to Graphing for Security

Architectures, Frameworks and Infrastructure
Architectures, Frameworks and InfrastructureArchitectures, Frameworks and Infrastructure
Architectures, Frameworks and Infrastructure
harendra_pathak
 
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
AppDynamics
 
SPSNYC SharePoint Worst Practices
SPSNYC SharePoint Worst PracticesSPSNYC SharePoint Worst Practices
SPSNYC SharePoint Worst Practices
Scott Hoag
 

Similar to Graphing for Security (20)

Salesforce Performance hacks - Client Side
Salesforce Performance hacks - Client SideSalesforce Performance hacks - Client Side
Salesforce Performance hacks - Client Side
 
QSpiders - Installation and Brief Dose of Load Runner
QSpiders - Installation and Brief Dose of Load RunnerQSpiders - Installation and Brief Dose of Load Runner
QSpiders - Installation and Brief Dose of Load Runner
 
Resolving problems & high availability
Resolving problems & high availabilityResolving problems & high availability
Resolving problems & high availability
 
CIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEMCIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEM
 
Software Performance
Software Performance Software Performance
Software Performance
 
Holistic Approach To Monitoring
Holistic Approach To MonitoringHolistic Approach To Monitoring
Holistic Approach To Monitoring
 
Performance Testing Overview
Performance Testing OverviewPerformance Testing Overview
Performance Testing Overview
 
10 Tips for Your Journey to the Public Cloud
10 Tips for Your Journey to the Public Cloud10 Tips for Your Journey to the Public Cloud
10 Tips for Your Journey to the Public Cloud
 
6 tips for improving ruby performance
6 tips for improving ruby performance6 tips for improving ruby performance
6 tips for improving ruby performance
 
Performance Testing
Performance TestingPerformance Testing
Performance Testing
 
SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!
SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!
SCRIMPS-STD: Test Automation Design Principles - and asking the right questions!
 
Application Performance Management
Application Performance ManagementApplication Performance Management
Application Performance Management
 
Application Performance Tuning Techniques
Application Performance Tuning TechniquesApplication Performance Tuning Techniques
Application Performance Tuning Techniques
 
Architectures, Frameworks and Infrastructure
Architectures, Frameworks and InfrastructureArchitectures, Frameworks and Infrastructure
Architectures, Frameworks and Infrastructure
 
Visual Studio Profiler
Visual Studio ProfilerVisual Studio Profiler
Visual Studio Profiler
 
Web Performance Optimization (WPO)
Web Performance Optimization (WPO)Web Performance Optimization (WPO)
Web Performance Optimization (WPO)
 
Performance eng prakash.sahu
Performance eng prakash.sahuPerformance eng prakash.sahu
Performance eng prakash.sahu
 
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
 
SPSNYC SharePoint Worst Practices
SPSNYC SharePoint Worst PracticesSPSNYC SharePoint Worst Practices
SPSNYC SharePoint Worst Practices
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
 

Recently uploaded

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 

Recently uploaded (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Graphing for Security

  • 1. Graphing for Security Ben Allen @mr_secure
  • 2. whoami ● Architecture & Operations Engineer – SANS Institute 1+ years ● Security Architect / Analyst – University of Minnesota 10+ years ● Application Developer – SANS Institute 5+ years, contractor
  • 3. Outline ● Background / Fast Forward ● Data Sources ● Framework Integration ● Dashboard Ideas ● Questions
  • 6. Data Sources ● Conceptually 4 levels – OS, Service, Framework, Application
  • 7. Data Sources ● OS - collectd – All: CPU, memory, disk & network I/O – Selected: counts of important processes ● httpd processes on web server ● mysqld threads on DB server
  • 8. Data Sources ● Service – custom scripts / graphite; collectd – MySQL: thread states, users, query stats – Apache: log analysis, server-status – Mail Bounce Processor: queue depth
  • 9. Data Sources ● Framework – integrate statsd client library – eg. Kohana, Rails, Django, Symfony – Hook into event, logging systems – Performance counters: ● page generation time / memory use / cache hit % – Details per app, controller (warning), function (danger!!) – Use framework introspection to construct part of metric path ● framework.datacenter.server.application.controller. total_time ● ^---- this part is auto generated -------------------^ . developer- provided
  • 10. Data Sources ● Application – Leverage framework integration – Frictionless for developers - POLA – Business metrics ● statsd::increment(“sales.$widget.$color”, $price); – Behavior metrics ● Login success / failure; account lockout ● Input validation success / failure ● Trap page access
  • 12. Framework Integration ● Target: make measurements frictionless for developers – Example frameworks: Kohana, Django, Rails, Symfony ● Look & act like other framework components – Seamless integration – Include in “baseline” installation for framework – Share externally ● POLA – Principle of Least Astonishment – Minimize / eliminate the learning curve
  • 13. Framework Integration ● Request processing sequence – Framework bootstrap – Request analysis / routing – Execution – Shutdown – Exceptions ● Hooks
  • 14. Framework Integration ● Use existing configuration mechanism – Configure just like any other framework module ● Hook into event mechanism – Logging events - Display events – Error events - Exception handler ● Utilize existing internal data – Memory usage - Timing data
  • 15. Framework Integration ● Extend helper routines – Logging (gather count by log level) – Validators (email address, number, name, ip address, safe string) – Authentication (success, fail, account lockout) – Authorization (action not permitted)
  • 16. Framework Integration ● Auto-generate base part of metric name ● Use framework introspection & configuration – framework.datacenter.server.application.controller. total_time – ^---- this part is auto generated -------------------^ . developer-provided – eg. metrics::timing('total_time', $totalTime);
  • 17. Framework Integration ● Starting Point – Errors: 403, 404, 500 – Execution times: controller & total – Memory Usage – Logging events ● Requires no application changes ● Generates useful information
  • 19. Dashboards Ideas ● Focusing on SECURITY mindset ● System & Application Health – Know your baseline – vs. 7 days ago – is there a pattern? – Web server health ● process states; memory & CPU usage ● disk & network I/O – DB server health ● memory & CPU usage, long queries, I/O
  • 20. Dashboard Ideas ● Find what works for your team – Mix breadth & depth ● One metric across many systems / services – eg. memory or CPU usage; web server status ● Many (all) metrics for one system – eg. page load times, CPU, I/O, db conns, etc.
  • 21. one metric – many systems
  • 22. Security Dashboards 2 Classes: ● Application Behaviors – Custom per application – Related to application logic, intent ● Errant Behaviors – More generic – Can support multiple applications – Integrate at framework to make them automatic ● Note: intent requires human interpretation, logs
  • 23. Security Dashboards Application Behavior ● Login failures (count, percent) ● Business transactions – DoS attack vs. successful marketing – Registration deadline
  • 24. Security Dashboards Application Behavior ● Transaction failures – CC declined – Non-existent domain for email address ● Access forbidden – User trying to access parts of app beyond their authorization – Forced browsing vs. exposed link
  • 25. Security Dashboards Application Behavior ● Trap fields populated – Unused, empty form field with tempting name – Not displayed to users – Will be filled in by automated scanner / spam bot – eg. “subject” ● CAPTCHA failures
  • 26. Security Dashboards Errant Behaviors ● Long running SQL Queries – pages with poorly written queries – SQLi causing abnormal queries to be executed – WAITFOR / DELAY / BENCHMARK ● Blind SQLi ● Concept holds for any external data source – Service / API call; LDAP query; etc.
  • 27. Long Running Queries ● Note the same behavior from 7 days ago – Yellow line
  • 28. Security Dashboards Errant Behaviors ● Server Errors – HTTP 5xx – Internal application failures should not be part of a normally operating application – Configuration error – License expiration – Unchecked input -> malformed internal command ● Attacker probing for command injection flaws
  • 30. Security Dashboards Errant Behaviors ● Input Validation Errors – Application scanners tend to cause sharp rise – Generate as part of framework integration – Check for empty inputs too (application dependent)
  • 31. Security Dashboards Errant Behaviors ● Page Load Times – Also a Key UX / Performance Indicator – Back end slowness (DB, internal services) – Injection attacks (SQLi, command injection) – Insufficient resources (too many requests to handle) – Fruitful data to identify measurement gaps ● What is not measured, but impacts page performance?
  • 32. Security Dashboards Errant Behaviors ● Page Load Times (ctd.) – What level of detail? ● App / Controller / Method / View / Model – Scanning activity can cause collection DoS ● Create whisper db file for every new 404 error? – Aggregation rules can help here ● eg. aggregate all 404 metrics by application
  • 33. Page Load Times ● Slowest 5 applications in one framework ● Based on upper 90th percentile of page generation time highestMax(groupByNode(framework.datacenter.*.*.*.*.total_execution.upper_90,4,"maxSeries"), 5)
  • 34. Security Dashboards Errant Behaviors ● Web Server Response Codes – Per site / application / server – Group codes into buckets ● 1xx, 2xx, 3xx, 4xx, 5xx ● 0-399, 400+ – Percentage balance should be fairly stable ● eg. small % 4xx; no 5xx
  • 35. Web Server Error Percentages alias(summarize(sumSeries(apache2.*.*.*.*.status.{4??,5??}.count), '$window', 'sum', false), 'error 4xx 5xx') alias(summarize(sumSeries(apache2.*.*.*.*.status.{2??,3??}.count), '$window', 'sum', false), 'success 2xx 3xx')
  • 36. Security Dashboards Errant Behaviors ● Web Server Response Codes – Typo in link (404) ● eg. bulk mailer auto-corrects part of URL – Page removed but still referenced (404) – Scan for known vulnerable software (404) ● eg. /wp-admin – Injection attacks (500)
  • 37. Summary ● Magnify benefits by minimizing cost to generate / use metrics ● Establish a baseline ● Pay attention to what's going wrong too ● Measure across full vertical range – Bits in/out – Business transactions completed ● Create & instrument misuse detectors – Trap fields, spider trap URLs
  • 39. References / Links ● POLA - http://en.wikipedia.org/wiki/Principle_of_least_astonishment ● Form Trap Fields - https://isc.sans.edu/forums/diary/Form+Spam+Increasing+the+Attackers+work+function/1836/ ● Spider Trap URL - http://en.wikipedia.org/wiki/Spider_trap
  • 41. Grafana Tips ● Shared Crosshair – Dashboard Settings > Features > Shared Crosshair (Ctrl +O) – Ease time correlation on multi-graph dashboards ● Templating Variables – Dashboard Settings > Features > Templating – Set a standard practice for variable names – POLA – server, site, action, etc.
  • 42. Grafana Tips ● Summarization window – Templating > Variables > Add > Interval – Include auto interval = 200 – summarize($window, max, false) in metrics – Can provide hint to graphite for which rank of data to read from whisper file ● Tooltip: all series, individual – Graph > Display Styles – see all values at point in time
  • 43. Grafana Tips ● Use annotations – Esp. code releases, change windows