
Attack Detection and Prevention with OWASP AppSensor Colin Watson Watson Hall Ltd watsonhall.com.

Presentation transcript:

1 Attack Detection and Prevention with OWASP AppSensor. Colin Watson, Watson Hall Ltd, colin @ watsonhall.com

2 OWASP AppSensor

3 AppSensor
- Established Summer 2008
- Presented at multiple conferences in US & Europe
- Recent video presentations by Michael Coates:
  Real Time Application Defenses - The Reality of AppSensor & ESAPI: http://vimeo.com/15726323
  Automated Application Defenses to Thwart Advanced Attackers: http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html
- Application Based Intrusion Detection highlighted in OWASP Top Ten 2010 "What's Coming"

4 AppSensor Team
Core team: Michael Coates, John Melton, Colin Watson
Contributors: Ryan Barnett, Simon Bennetts, August Detlefsen, Randy Janida, Jim Manico, Giri Nambari, Eric Sheridan, John Stevens, Kevin Wall

5 AppSensor concepts

6 Add AppSensor to your own applications
- Build it into requirements
- Develop your own
- ESAPI: AppSensor integration into Java ESAPI imminent
- Security Information/Event Management: add detection points into the application; integrate logging into a real time monitor

7 AppSensor detection points
A detection point is a highly-tuned "instrumentation" sensor (within the application's code) used to identify a particular type of suspicious or malicious activity.
- Over 50 detection points
- 12 exception types: 9 signature based (request, authentication, session, etc.), 3 behavior based (user, system, reputation)
The latest list of detection points with descriptions, considerations and examples is maintained at: http://www.owasp.org/index.php/AppSensor_DetectionPoints

8 Detection point exception types
Examples:
- "locking a user account after multiple failed authentication attempts"
- "blocking requests using the TRACE HTTP method"
- "limiting each session to a particular IP address"

9 AppSensor response actions
Response actions describe a change to the application's behavior.
- 14 response actions
- Many ways to categorize them, including: effect on user / application; target of response; duration of response
The latest list of response actions with descriptions, considerations and examples is maintained at: http://www.owasp.org/index.php/AppSensor_ResponseActions

10 Response actions from the user’s viewpoint

11 Implementation planning methodology
1. Preliminary requirements
2. Detection point selection
3. Response action selection
Then: procure/develop, deploy, verify, monitor and tune

12 1. Preliminary requirements

13 1a) Application risk assessment
Many alternative methods and processes:
- http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf
- http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
- http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
- http://www.sans.org/reading_room/whitepapers/auditing/introduction-information-system-risk-management_1204
- http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
- http://www.owasp.org/index.php/Threat_Risk_Modeling
- http://www.nr.no/~abie/RiskAnalysis.htm
Output: application risk ranking

14 1b) Secure coding (and deployment)
Build the application securely: governance, construction, verification, deployment.
- Software Assurance Maturity Model: http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
- Application Security Verification Standard: http://www.owasp.org/index.php/ASVS
- OWASP Development, Code Review and Testing Guides
- OWASP Secure Coding Practices Quick Reference Guide

15 1c) Application logging
- How to Do Application Logging Right, Anton Chuvakin and Gunnar Peterson, IEEE Security & Privacy Journal: http://arctecgroup.net/pdf/howtoapplogging.pdf
- Securosis Blog - Monitoring Up the Stack series: http://securosis.com/blog/monitoring-up-the-stack-app-monitoring-part-1 and http://securosis.com/blog/monitoring-up-the-stack-app-monitoring-part-2
- OWASP AppSensorDemo2 Intrusion Store (HSQLDB): http://code.google.com/p/appsensor/source/browse/#svn/trunk/AppSensorDemo2
- OWASP ESAPI Java Edition documentation: http://code.google.com/p/owasp-esapi-java/
- Preventing Log Forging in Java: http://www.jtmelton.com/2010/09/21/preventing-log-forging-in-java/
- NIST SP 800-92 Guide to Computer Security Log Management: http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf

16 2. Detection point selection

17 2a) Categorization
- Exception types
- Signature or behavior based
- Suspicious events or attacks
- Outcome/result of the request, or request properties
- Classes: discrete, generic pre-processing, business layer, aggregating, modifying

18 2a) Categorization (continued)

19 2b) Requirements
Approaches:
- Classes: discrete, generic pre-processing, business layer, aggregating, modifying
- Application risk classification
- Threat assessment

20 2b) Requirements (continued)


22 2c) Model development
Specification for each detection point:
- purpose
- general statement of its functionality
- details of any prerequisites
- related detection points
Also: duplicate codes; aggregating detection points

23 2c) Model development (continued)


25 2d) Optimization
Three aims:
- Ensure we maintain a low false positive rate by adjusting the sensitivity
- Consider relationships with other systems and the effects these may have on detection points
- Identify whether any detection points can be removed to eliminate overlaps and duplicates
Test cases

26 2e) Code location
Instrumentation, not new functionality.
- Process: procurement, development
- Frameworks
- Libraries
- Common code / business layer

27 2f) Attack analysis
Attack vectors and threat modelling:
- WASC Threat Classification v2.0: http://projects.webappsec.org/Threat-Classification
- OWASP Top Ten 2010: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- Common Attack Pattern Enumeration and Classification: http://capec.mitre.org/
Check the model: which detection points each attack activates; allow for human error.

28 3. Response action selection

29 3a) Strategic requirements
Organizational risk tolerance, user experience, the application's purpose. Example statements:
- "Do not prevent users doing anything, but log, monitor and alert fervently."
- "Authenticated administrators who have access to the most functionality and the greatest data access permissions should have the strictest thresholds before a response action is undertaken."
- "Application functionality will not be changed unless the user's source location is in a higher-risk country."

30 3b) Thresholds
Approaches:
- Role dependent
- Per detection point / per application
- Weightings of suspicious and attack events
- User events and user trends: individual detection points; overall number of security events
- System trend detection points
- Modifying detection points

31 3b) Thresholds (continued)

32 3c) Model tuning
- Attacks
- Typical user activities: speed of use, static content, missing content, actions that disable features or the application
- Other systems
- Business metrics

33 3c) Model tuning (continued)
- Only log
- Source location override
- Export: vulnerability management programmes; security integration manager (SIM) systems; secure development practices

34 Plan execution

35 Implementation
Secure development practices:
- Risk analysis
- Design and code review
- Testing
- Operational enablement
- Change management
- Monitoring and tuning
- Ongoing testing

36 Quick start

37 Piloting AppSensor / fast-track approach
Focus on input, signature based detection points in the discrete class that detect attacks rather than suspicious events:
- Request exceptions (RE1, 2, 3 and 4)
- Access control exceptions (ACE1 and 2)
- Input exceptions (IE1, 2 and 3)
- Authentication exceptions (AE1, 2 and 3) and session management exceptions (SE5 and 6), when authentication & session management are used
And limit response actions to additional logging (ASR-A), administrator notification (ASR-B), account logout (ASR-J) & account lockout (ASR-K).
Do it with ESAPI.
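An added sketch of the quick-start model in Python (illustration only, not AppSensor or ESAPI code): two detection points from the request-exception and authentication-exception categories feed a per-user event store, and a role-dependent threshold table (assumed values, strictest for administrators as slide 29 suggests) escalates through the four response actions named above.

```python
"""AppSensor-style detection points with per-role thresholds and escalating
response actions. Added illustration, not AppSensor or ESAPI code; the
response IDs follow the quick-start slide, the threshold values are assumed."""
from collections import defaultdict

# Response actions named on the quick-start slide.
LOGGING, NOTIFY, LOGOUT, LOCKOUT = "ASR-A", "ASR-B", "ASR-J", "ASR-K"

# Assumed thresholds: events of one detection point per user before each
# response fires. Admins get the strictest (lowest) thresholds.
THRESHOLDS = {
    "user":  {NOTIFY: 3, LOGOUT: 5, LOCKOUT: 8},
    "admin": {NOTIFY: 2, LOGOUT: 3, LOCKOUT: 4},
}
ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # what this app actually serves


class AppSensor:
    def __init__(self):
        self.events = defaultdict(int)   # (user, detection point) -> count
        self.locked = set()

    def record(self, user, role, dp):
        """Store one event and return the strongest response it triggers."""
        if user in self.locked:
            return LOCKOUT                # stays locked until an admin clears it
        self.events[(user, dp)] += 1
        n = self.events[(user, dp)]
        limits = THRESHOLDS[role]
        if n >= limits[LOCKOUT]:
            self.locked.add(user)
            return LOCKOUT
        if n >= limits[LOGOUT]:
            return LOGOUT
        if n >= limits[NOTIFY]:
            return NOTIFY
        return LOGGING                    # every event is at least logged

    # Detection points are instrumentation inside the application's own code.
    def check_http_method(self, user, role, method):
        """Request-exception (RE) point: a method the app never serves, e.g. TRACE."""
        if method.upper() not in ALLOWED_METHODS:
            return self.record(user, role, "RE")
        return None                       # normal request, nothing recorded

    def failed_login(self, user, role):
        """Authentication-exception (AE) point: another failed password."""
        return self.record(user, role, "AE")
```

Counts here are per detection point; the "overall number of security events" threshold on slide 30 would sum across the `events` keys for one user.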

38 Concluding thoughts

39 Supporting materials
AppSensor Project:
- Home page: http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project
- Detection points: http://www.owasp.org/index.php/AppSensor_DetectionPoints
- Response actions: http://www.owasp.org/index.php/AppSensor_ResponseActions
- Mailing lists: https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project and https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev
- Planning guide and workbook: http://www.owasp.org/index.php/File:Appsensor-planning.zip

40 Related presentations at AppSec DC 2010
- Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers, Dan Cornell: http://www.owasp.org/index.php/Application_Portfolio_Risk_Ranking:_Banishing_FUD_With_Structure_and_Numbers
- Solving Real World Problems with ESAPI, Chris Schmidt: http://www.owasp.org/index.php/Solving_Real_World_Problems_with_ESAPI
- Next: OWASP ModSecurity Core Rule Set, Ryan Barnett: http://www.owasp.org/index.php/OWASP_ModSecurity_Core_Rule_Set

41 Questions and feedback
Now, during the last two breaks today, or subsequently: colin @ watsonhall.com, +44 20 7183 3710
Photographs: machinery and instrumentation at the Discovery Museum, Tyne & Wear Archives and Museums, Newcastle-upon-Tyne, England

