This document discusses how Etsy uses data metrics and analytics to secure its ecommerce platform. It summarizes how Etsy collects application statistics and metrics, visualizes data using graphs, analyzes logs and databases to detect anomalies and security incidents, and shares case studies of how metrics helped address issues like full-site SSL adoption, fraud detection, and blocking bad bots. The document emphasizes that an application's security posture is directly related to how much is known about the application from collected data and metrics.
analytics_cascade do
  analytics_flow do
    # Inputs: the raw event logs plus a snapshot of the users table
    analytics_source 'event_logs'
    tap_db_snapshot 'users_index'
    # Count events per user and URL scheme (http vs https)
    assembly 'event_logs' do
      group_by 'user_id', 'scheme' do
        count 'value'
      end
    end
    # Keep only the columns needed to tell sellers from buyers
    assembly 'users_index' do
      project 'user_id', 'is_seller'
    end
    # Roll the combined rows up to seller/buyer by scheme for the SSL adoption graph
    assembly 'ssl_traffic' do
      project 'user_id', 'is_seller', 'scheme', 'value'
      group_by 'is_seller', 'scheme' do
        count 'value'
      end
    end
    analytics_sink 'ssl_traffic'
  end
end
analytics_cascade do
  analytics_flow do
    analytics_source 'access_logs'
    # Pull the fields needed to investigate every request for a known-bad URL
    assembly 'incident_response' do
      query_event 'timestamp', 'request_uri', 'useragent', 'ip'
      where '"/bad_url.php".equals(request_uri:string)'
      # group on the field selected above (the original slide used an undeclared 'url')
      group_by 'request_uri' do
        count 'value'
      end
    end
    analytics_sink 'incident_response'
  end
end
Big Data Answer
• Per time period, count password resets
• Sort the amounts
• Discard outliers
• Average remaining
• Compare with past known attacks
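The five steps above, carried out over a constructed password-reset log as an added example (not Etsy's code). The hourly bucket, the 20% trim, the spike ratio and the past-attack ratios are all assumptions chosen for the sample.

```ruby
require 'time'

# Constructed sample log (not Etsy data): one line per password reset, "<ISO8601 timestamp> user=<id>".
def build_sample_log
  lines = []
  # Hours 00-05: ordinary traffic, 4-6 resets per hour.
  [4, 6, 5, 4, 6, 5].each_with_index do |n, hour|
    n.times { |i| lines << "2012-07-01T#{format('%02d', hour)}:#{format('%02d', i * 9)}:00Z user=u#{hour}_#{i}" }
  end
  # Hour 06: 60 resets, the kind of burst that follows a credential leak elsewhere.
  60.times { |i| lines << "2012-07-01T06:#{format('%02d', i)}:00Z user=u6_#{i}" }
  lines
end

# Step 1: count password resets per time period (one-hour buckets here).
def resets_per_hour(lines)
  counts = Hash.new(0)
  lines.each do |line|
    ts = Time.iso8601(line.split(' ').first)
    counts[ts.strftime('%Y-%m-%dT%H')] += 1
  end
  counts
end

# Steps 2-4: sort the counts, discard the top and bottom `trim` fraction as outliers
# (so an attack hour cannot inflate its own baseline), then average the rest.
def trimmed_mean(counts, trim = 0.2)
  sorted = counts.sort
  k = (sorted.size * trim).floor
  kept = sorted[k...(sorted.size - k)]
  kept = sorted if kept.nil? || kept.empty?
  kept.sum.to_f / kept.size
end

# Step 5: compare a period with the baseline and with past known attacks.
# Both constants are constructed: count/baseline ratios seen in earlier incidents, and a spike floor.
KNOWN_ATTACK_RATIOS = [8.0, 12.5, 20.0].freeze
SPIKE_RATIO = 3.0

def classify_period(count, baseline, known = KNOWN_ATTACK_RATIOS)
  ratio = count / baseline
  return :normal if ratio < SPIKE_RATIO
  ratio >= known.min ? :attack_pattern : :elevated
end

# Run the whole pipeline and label each hour.
def analyze(lines = build_sample_log)
  counts = resets_per_hour(lines)
  baseline = trimmed_mean(counts.values)
  counts.sort.map { |period, n| [period, n, classify_period(n, baseline)] }
end
```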
Detection
Nick Galbreath at DefCon 20: “LibInjection” for detecting SQLi
Does it parse as SQL? Yes, then it’s SQL.
Do you have “.aspx” files? No, then why is someone requesting one?
Log and Limit
if (preg_match(self::PATTERNXSS, $this->url) == true) {
    // Record the suspected XSS attempt in the security log ...
    $msg = "attacktype=XSS url=" . $this->url;
    Logger::log_info($msg, 'SECURITY');
    // ... and bump the StatsD counter that feeds the graphs and alerts
    StatsD::increment('security.potential_xss');
    // Rate-limit the client: once its weighted budget is exhausted, drop the request
    if (!$this->rate->checkIncrement(self::XSS_WEIGHT)) {
        $this->drop_request = true;
    }
}
! Instrument your application, log everything
! Get familiar with data resources: people and tools
! Use your data to help drive security alerts, investigations, and actions