This document discusses the importance of application logs for security purposes. It notes that while network, system and other logs have improved, application logs are still often lacking crucial context about user actions and application state. To effectively investigate issues, security analysts need a unified view of all log data, including details applications have about user sessions, access and functionality used. The document urges application developers to make more of this type of contextual log data available to defenders to help connect dots between different system components and entities.

1. Armorizing
Applications
Iftach Ian Amit
Director of Services
Friday, October 11, 13

2. Hi!
Friday, October 11, 13

3. I’m not an application guy :-|
Friday, October 11, 13

4. I’m a security guy
Who actually used to do some application stuff
Friday, October 11, 13

5. whoami?
$ id
uid=501(iamit) gid=20(ioactive) groups=12(hack),
33(research),61(dev),79(red_team),80(sexy_defense),
81(exil),98(idf),100(dc9723),204(/dev/null)
Friday, October 11, 13

6. Attack?
Defense!
Friday, October 11, 13

7. So, I’ve been dealing with defense a lot
Friday, October 11, 13

8. As in - helping defenders get a head start
Friday, October 11, 13

9. Guess what? We are still failing on the basics...
Friday, October 11, 13

10. Logs...
Friday, October 11, 13

11. Logs...
Firewall
Friday, October 11, 13

12. Logs...
Firewall
IDS
Friday, October 11, 13

13. Logs...
Firewall
IDS
IPS
Friday, October 11, 13

14. Logs...
Firewall
IDS
IPS
Network
Friday, October 11, 13

15. Logs...
Firewall
IDS
IPS
Network
HTTPD
Friday, October 11, 13

16. Logs...
Firewall
IDS
IPS
Network
HTTPD
DBMS
Friday, October 11, 13

17. Logs...
Firewall
IDS
IPS
Network
HTTPD
DBMS DNS
Friday, October 11, 13

18. Logs...
Firewall
IDS
IPS
Network
HTTPD
DBMS DNS
Application?
Friday, October 11, 13

19. We still have sucky application logs :-(
Friday, October 11, 13

20. Friday, October 11, 13

21. I mean, we came a long way since web-app coding in the
90’s
I know. I’ve lived through it :-(
Friday, October 11, 13

22. Example:
Friday, October 11, 13

23. Example:
Friday, October 11, 13

24. Example:
Uses MVC.
Actually very nicely
architected...
Friday, October 11, 13

25. Example:
Uses MVC.
Actually very nicely
architected...
Friday, October 11, 13

26. Example:
Uses MVC.
Actually very nicely
architected...
Good start.At least
we can haz data.
Friday, October 11, 13

27. Example:
Uses MVC.
Actually very nicely
architected...
Good start.At least
we can haz data.
This is pretty
much useless*
Friday, October 11, 13

28. Example:
Uses MVC.
Actually very nicely
architected...
Good start.At least
we can haz data.
This is pretty
much useless*
* from a security perspective.
no doubt that when this breaks you’ll need it
Friday, October 11, 13

29. Let’s get back to basics for a sec here
Friday, October 11, 13

30. time=2013-03-02 23:59:57
action=drop
orig=192.168.1.103 i/
f_dir=inbound i/
f_name=eth1c0
has_accounting=0
product=VPN-1 & FireWall-1
policy_name=INTERNET
src=1.2.3.4 s_port=37586
dst=3.4.5.6 service=80
proto=tcp rule=16
xlatesrc=8.9.10.11
xlatesport=57517
xlatedport=0 NAT_rulenum=4
NAT_addtnl_rulenum=internal
Friday, October 11, 13

31. Friday, October 11, 13

32. but wait,
how about them HTTPD?
Friday, October 11, 13

33. 193.205.210.42 - - [09/Oct/2013:00:57:17 -0700] "GET /blog/2013/07/mail-encryption-for-android/ HTTP/1.1" 200 32064 "https://
www.google.it/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/
537.36"
193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-includes/js/comment-reply.min.js?ver=3.6.1 HTTP/1.1" 200 1068 "http://
www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-content/plugins/podpress/js/podpress.js?ver=3.6.1 HTTP/1.1" 200 40786
"http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-content/plugins/jetpack/modules/sharedaddy/sharing.css?ver=2.5 HTTP/
1.1" 200 11641 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-content/plugins/lightbox-2/lightbox.js?ver=1.8 HTTP/1.1" 200 21623
"http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1 HTTP/1.1" 200 7484
"http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:20 -0700] "GET /blog/wp-content/plugins/podpress/players/1pixelout/1pixelout_audio-player.js
HTTP/1.1" 200 12305 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:20 -0700] "GET /blog/wp-content/plugins/jetpack/modules/wpgroho.js?ver=3.6.1 HTTP/1.1" 200
1212 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/
537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:20 -0700] "GET /blog/wp-content/plugins/jetpack/modules/sharedaddy/sharing.js?ver=20121205
HTTP/1.1" 200 39040 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:21 -0700] "GET /blog/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=3.5.2 HTTP/1.1"
200 8610 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/
537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:21 -0700] "GET /blog/wp-content/plugins/contact-form-7/includes/js/jquery.form.min.js?
ver=3.40.0-2013.08.13 HTTP/1.1" 200 14910 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh;
Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:23 -0700] "GET /favicon.ico HTTP/1.1" 200 1351 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X
10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:23 -0700] "GET /blog/wp-includes/js/jquery/jquery.js?ver=1.10.2 HTTP/1.1" 200 93371 "http://
www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36Friday, October 11, 13

34. Don’t get me started...
Friday, October 11, 13

35. And that’s AFTER taking into account “log analyzers”
Friday, October 11, 13

36. “But you security guys have all these fancy SIEM stuff,
right?”
Friday, October 11, 13

37. Friday, October 11, 13

38. Friday, October 11, 13

39. Friday, October 11, 13

40. Yes, we have fancy dashboards
and graphs
and sometimes synchronized logs from multiple sources
But it’s still a pain in the tuches
Friday, October 11, 13

41. WHY?
Friday, October 11, 13

42. Friday, October 11, 13

43. The application has ALL THE CONTEXT
Friday, October 11, 13

44. Friday, October 11, 13

45. Friday, October 11, 13

46. Friday, October 11, 13

47. Yet you keep it to yourself
Friday, October 11, 13

48. This made me cry in joy:
Friday, October 11, 13

49. Friday, October 11, 13

50. Firewall Web Server
Client X
Client X
ClientY
Client X
ClientY
ClientY
Client X
Client X
Client X
ClientY
ClientY
index
items
index
items+a
items
items+c
checkout
login
confirm
checkout
confirm
Friday, October 11, 13

51. Firewall Web ServerApplication
Client X
Client X
ClientY
Client X
ClientY
ClientY
Client X
Client X
Client X
ClientY
ClientY
index
items
index
items+a
items
items+c
checkout
login
confirm
checkout
confirm
- John, from X, just
bought A and shipped
it paying with CC
- Client fromY tried to
bypass app logic and avoid
payment/auth
Friday, October 11, 13

52. Friday, October 11, 13

53. Friday, October 11, 13

54. Friday, October 11, 13

55. Rinse,
Lather,
Repeat
Friday, October 11, 13

56. Everywhere!
DB Access
Session Management
State Management
User Management
...
Friday, October 11, 13

57. Be a dot connector!
Friday, October 11, 13

58. Counter Intelligence
use-case
Problem
dormant accounts used
for fraud (and/or
money laundering)
Friday, October 11, 13

59. Counter Intelligence
use-case
Problem
dormant accounts used
for fraud (and/or
money laundering)
Account
Friday, October 11, 13

60. Counter Intelligence
use-case
Problem
dormant accounts used
for fraud (and/or
money laundering)
Account
Friday, October 11, 13

61. Counter Intelligence
use-case
Problem
dormant accounts used
for fraud (and/or
money laundering)
Account
>1yr dormant
Friday, October 11, 13

62. Counter Intelligence
use-case
Problem
dormant accounts used
for fraud (and/or
money laundering)
Account
>1yr dormant
laundering
Friday, October 11, 13

63. Counter Intelligence
use-case
Problem
dormant accounts used
for fraud (and/or
money laundering)
Account
>1yr dormant
laundering
Intl. transfers
Friday, October 11, 13

64. Counter Intelligence
use-case
Problem
dormant accounts used
for fraud (and/or
money laundering)
Account
>1yr dormant
laundering
Intl. transfersInternal/
External???
Friday, October 11, 13

65. Account
Friday, October 11, 13

66. AccountAccountAccountAccountAccount
Friday, October 11, 13

67. List
AccountAccountAccountAccountAccount
Friday, October 11, 13

68. Marketing
Accounting
Branch mgmt.
List
AccountAccountAccountAccountAccount
Friday, October 11, 13

69. Marketing
Accounting
Branch mgmt.
List
AccountAccountAccountAccountAccount
Friday, October 11, 13

70. Marketing
Accounting
Branch mgmt.
List
AccountAccountAccountAccountAccount
List
AccountAccountAccountAccountAccount
Friday, October 11, 13

71. Marketing
Accounting
Branch mgmt.
List
AccountAccountAccountAccountAccount
List
AccountAccountAccountAccountAccount
List
AccountAccountAccountAccountAccount
Friday, October 11, 13

72. Marketing
Accounting
Branch mgmt.
List
AccountAccountAccountAccountAccount
List
AccountAccountAccountAccountAccount
List
AccountAccountAccountAccountAccount
Internal
user
Friday, October 11, 13

73. Marketing
Accounting
Branch mgmt.
List
AccountAccountAccountAccountAccount
List
AccountAccountAccountAccountAccount
List
AccountAccountAccountAccountAccount
Internal
user
Friday, October 11, 13

74. Marketing
Accounting
Branch mgmt.
List
AccountAccountAccountAccountAccount
List
AccountAccountAccountAccountAccount
List
AccountAccountAccountAccountAccount
Internal
user
Friday, October 11, 13

75. Internal
user
Friday, October 11, 13

76. Internal
user
PC
Friday, October 11, 13

77. Internal
user
PC
Friday, October 11, 13

78. Internal
user
PC Trojan
Friday, October 11, 13

79. Internal
user
PC Trojan
Friday, October 11, 13

80. Internal
user
PC Trojan
Friday, October 11, 13

81. Internal
user
PC Trojan
C&C
Friday, October 11, 13

82. Internal
user
PC Trojan
C&C
Bad Guys(tm)
Friday, October 11, 13

83. Log on context
Weird state changes
Repeatable expectable actions
Who, what, why
Help me get the story right!
Friday, October 11, 13

84. Questions? Comments!
Ian Amit
@iiamit
ian.amit@ioactive.com
Friday, October 11, 13