AppSensor - Near Real Time Event Detection and Response


Published on September 26, 2015

Author: jtmelton

Source: slideshare.net

1. AppSensor ~real-time event detection and response

2. Agenda • who - prior work • why - motivations • what - the pitch • how - the tech • when - future plans • who - contributors

3. who

4. prior work • Network IDS (Denning, * others, NIST SP800-94) • Intrusion prevention • Fraud detection • Rules engines, Risk analysis/reduction (see Groves), HIDS

5. terminology • event - suspicious • attack - malicious (1 .. * events) • response - take action (1 .. 1 attack) • detection point - activity category (e.g. cookie modification)

6. why

7. ~5 yrs ago dev • mostly web apps [RoR, PHP, .NET, Java] • ajax (jquery) use growing • mobile just getting started • deployment to VMs • hadoop picking up • BI tools • AWS starting • cloud hype cycle (NIST defines)

8. ~now dev • JS everywhere • functional / rx programming • cloud everything • ci/cd • nosql / CAP light • containers • big data • stream processing • config management • iot • beacons [usage, ads, errors, performance] • actors/csp • microservices • cqrs / event sourcing • mobile

9. ~now dev • JS everywhere • functional / rx programming • cloud everything • ci/cd • nosql / CAP light • containers • big data • stream processing • config management • iot • beacons [usage, ads, errors, performance] • actors/csp • microservices • cqrs / event sourcing • mobile 1 .. * of [scale, speed, cloud, lack of environmental access]

10. dev buzzwords • devops • functional (FP) • agile • cqrs / event sourcing • cloud (-native) • iot • scalable • microservices • ci/cd • containers • big data • streaming

11. - LinkedIn, March 2015 “the Kafka ecosystem at LinkedIn is sent over 800 billion* messages per day.. At the busiest times of day, we are receiving over 13 million messages per second.” * Update (Sept 2015) : 1.1 Trillion messages per day

12. last ~5 yrs security • 3rd party libs (dep-check) • bug bounties • sast / dast evolve (ZAP) • iast / rasp • http security headers • automatic encoding (JXT) • *-monkey -NetflixOSS • bdd-security/gauntlt • ci/cd plugins • 2fa • osquery 1 .. * of [scale, speed, cloud, lack of environmental access]

13. dev vs. security • dev is exploiting fundamental architectural and deployment changes to add business value • security is iterating on existing solutions - and - trying to close gaps (known problems)

14. having to deal with [scale, speed, cloud, lack of environmental access] represents an enormous opportunity for security

15. what

16. the pitch • security can’t scale without dev + ops • automated response > manual response • make IDS primitives available at app layer • stop attacker before success • build self-protecting applications • gain valuable intel • benefit / extend (existing) secure sdlc efforts X success AppSensor

17. • picture 1

18. Correlation … and scale

19. how

20. example

    POST /account/transfer HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Win…)
    Accept: text/html,application/xhtml+xml
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/account.php
    Cookie: PHPSESSID=l9…lgt5
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 30

    from_acct=xxx1234&to_acct=xxx9876&amt=20.00

23. example

    @POST
    public Response transfer(String from, String to, String amount) {

        // performs the transfer for whatever "from" the request supplied;
        // nothing checks that the caller owns the source account
        transfer(from, to, amount);

        return Response.ok();
    }

24. example

    @POST
    public Response transfer(String from, String to, String amount) {

        // access control added: only the owner of "from" may move money out of it
        if (currentUser.owns(from)) {
            transfer(from, to, amount);
        }

        return Response.ok();
    }

25. example

    @POST
    public Response transfer(String from, String to, String amount) {

        if (currentUser.owns(from)) {
            transfer(from, to, amount);
        } else {
            // the failed check is itself a detection point: record an event
            // (ACE2) against the current user for AppSensor to correlate
            appsensor.addEvent(new Event(currentUser, "ACE2"));
        }

        return Response.ok();
    }
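The following is an added example, not code from the AppSensor project or from the talk. It works through the terminology of slide 5 on the transfer endpoint of slides 23-25: the failed ownership check emits an event at detection point "ACE2" (the only label taken from the slides); enough events from one user inside a time window become an attack; one attack gets one response. The engine, the threshold and interval, the response name and the account data are all assumptions made for the demonstration.

```python
"""Illustration of the AppSensor event -> attack -> response loop (slide 5)
applied to the transfer endpoint of slides 23-25.  Added example in Python,
not code from the AppSensor project; the engine, its configuration values,
the response names and the account data are all assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One suspicious observation: who, which detection point, when (seconds)."""
    user: str
    detection_point: str   # e.g. "ACE2", the label used on slide 25
    timestamp: float


@dataclass(frozen=True)
class DetectionPointConfig:
    """Assumed policy: `threshold` events within `interval` seconds form an attack."""
    threshold: int
    interval: float
    response: str          # the single action taken per attack


class AppSensorLite:
    """Tiny in-memory event/attack/response engine (assumption, not the real server)."""

    def __init__(self, config):
        self.config = config                 # detection point id -> DetectionPointConfig
        self._recent = defaultdict(deque)    # (user, detection point) -> timestamps
        self.attacks = []                    # (user, detection point, timestamp)
        self.responses = []                  # (user, response)

    def add_event(self, event):
        cfg = self.config[event.detection_point]
        window = self._recent[(event.user, event.detection_point)]
        window.append(event.timestamp)
        # keep only the events that fall inside the configured interval
        while window and event.timestamp - window[0] > cfg.interval:
            window.popleft()
        if len(window) >= cfg.threshold:
            # 1..* events -> 1 attack -> 1 response, then start counting afresh
            self.attacks.append((event.user, event.detection_point, event.timestamp))
            self.responses.append((event.user, cfg.response))
            window.clear()


# Constructed account ownership data for the demonstration.
ACCOUNT_OWNER = {"xxx1234": "alice", "xxx9876": "bob"}


def transfer(sensor, current_user, from_acct, to_acct, amount, now):
    """Mirrors slides 24/25: do the transfer only when the caller owns the
    source account; otherwise record an ACE2 event against the caller."""
    if ACCOUNT_OWNER.get(from_acct) == current_user:
        return "transferred"
    sensor.add_event(Event(current_user, "ACE2", now))
    return "denied"


def demo():
    """Three forged POSTs from one user inside a minute: one attack, one response."""
    sensor = AppSensorLite({
        "ACE2": DetectionPointConfig(threshold=3, interval=60.0, response="disable user")
    })
    results = [transfer(sensor, "mallory", "xxx1234", "xxx9876", "20.00", t)
               for t in (0.0, 10.0, 20.0)]
    return results, sensor.attacks, sensor.responses


if __name__ == "__main__":
    print(demo())
```

The point of the `interval` is the "1 .. * events" relation on slide 5: a single denied request is noise a legitimate user can produce, three of them from the same account within a minute is a pattern worth acting on, and the window is cleared after each attack so one response is taken per attack rather than per event.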

26. OWASP ASIDE • secure programming IDE plugin • educational component • https://www.owasp.org/index.php/OWASP_ASIDE_Project

27. OWASP ASIDE

28. OWASP ASIDE Based on ESAPI code (length checked), ASIDE infers that this may be a point to insert an app sensor; whether a sensor is placed relies on developer’s decision.

31. OWASP ASIDE It not only captures the context information (e.g. the sensor event is from username field), but also records that the sensor event is due to an exceedingly lengthy input.

32. Detection Point Type / Detection Points Covered
    • AuthenticationException: AE4: Unexpected Quantity of Characters in Username; AE5: Unexpected Quantity of Characters in Password; AE6: Unexpected Type of Character in Username; AE7: Unexpected Type of Character in Password
    • InputException: IE1: Cross Site Scripting Attempt
    • EncodingException: EE1: Double Encoded Character; EE2: Unexpected Encoding Used
    • CommandInjectionException: CIE1: Blacklist Inspection for Common SQL Injection Values

    Detection Points Picked / Corresponding ASIDE APIs (each takes a Java.lang.String parameter)
    • AE4: Unexpected Quantity of Characters in Username; AE5: Unexpected Quantity of Characters in Password -> ASIDE.QuantityExceptionSensor(Java.lang.String parameter)
    • AE6: Unexpected Type of Character in Username; AE7: Unexpected Type of Character in Password -> ASIDE.TypeExceptionSensor(Java.lang.String parameter)
    • IE1: Cross Site Scripting Attempt -> ASIDE.XSSSensor(Java.lang.String parameter)
    • EE1: Double Encoded Character; EE2: Unexpected Encoding Used -> ASIDE.EncodingExceptionSensor(Java.lang.String parameter)
    • CIE1: Blacklist Inspection for Common SQL Injection Values -> ASIDE.SQLInjectionSensor(Java.lang.String parameter)

33. OWASP ASIDE • eclipse IDE • reminder icon or highlight • drop down list of applicable sensors • auto-insertion of ASIDE sensor APIs and code refactoring

34. owasp SoC sprint • Sumanth Damarla • 6 weeks • appsensor -> ELK stack • appsensor -> influxdb -> grafana

41. machine learning • very simple analysis • generated demo dataset for 1-week • build base model • look for “anomalies”
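The slide lists the steps but not the analysis itself, so the following is an added illustration of the steps, not the talk's code or results: a constructed week of hourly event counts for one detection point, a per-hour-of-day baseline built from the first six days, and a check of day seven against that baseline. The diurnal profile, the noise, the planted spike and the flagging margin are all assumptions.

```python
"""Minimal "build a baseline, look for anomalies" illustration for slide 41.
Added example, not the analysis from the talk.  Everything here is constructed:
the traffic profile, the noise, the planted spike and the flagging rule.
"""
import random
import statistics

HOURS = 24
BASELINE_DAYS = 6

# Assumed diurnal profile: expected events per hour for night, day, evening.
DAY_PROFILE = [2] * 8 + [10] * 12 + [5] * 4


def generate_demo_dataset(seed=7):
    """Constructed 7 x 24 table of counts with +/-2 noise; a spike of 40 is
    planted at 03:00 on day 7 (index 6) to give the detector something to find."""
    rng = random.Random(seed)
    days = [[max(0, base + rng.randint(-2, 2)) for base in DAY_PROFILE]
            for _ in range(BASELINE_DAYS + 1)]
    days[6][3] = 40
    return days


def build_baseline(days):
    """Per-hour-of-day mean and population stddev over the first BASELINE_DAYS days."""
    baseline = []
    for hour in range(HOURS):
        samples = [days[d][hour] for d in range(BASELINE_DAYS)]
        baseline.append((statistics.mean(samples), statistics.pstdev(samples)))
    return baseline


def find_anomalies(days, margin=5, sigmas=3.0):
    """Return (day, hour, count) for hours on day 7 whose count exceeds
    mean + max(sigmas * stddev, margin).  The absolute margin stops quiet
    hours with near-zero variance from flagging ordinary noise."""
    baseline = build_baseline(days)
    day = BASELINE_DAYS
    flagged = []
    for hour, (mean, sd) in enumerate(baseline):
        if days[day][hour] > mean + max(sigmas * sd, margin):
            flagged.append((day, hour, days[day][hour]))
    return flagged


if __name__ == "__main__":
    print(find_anomalies(generate_demo_dataset()))
```

A baseline keyed on hour of day is the smallest model that copes with the obvious non-stationarity of application traffic: forty events at 03:00 is an anomaly, forty events at 14:00 may not be. The absolute margin is the practical detail: with only six samples per hour the standard deviation of a quiet hour can be zero, and a pure z-score rule would then flag any change at all.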

42. DEMO appsensor UI & exception handling example

43. when

44. future • better story for adding detection points • more (canned) analysis (exploring machine learning, expert systems) • more integrations • standard refactoring / maintenance

45. you • help wanted! • plenty of places to contribute and improve • friendly, helpful community • https://github.com/jtmelton/appsensor/issues • https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Road_Map_and_Getting_Involved

46. who

47. related projects • ensnare • fido • riemann • elastalert

48. pick a tool … but use the idea

49. contributors • https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Acknowledgements

50. me • appsensor dev lead • twitter: @_jtmelton • email: jtmelton@gmail.com • github: jtmelton

51. links • https://www.owasp.org/index.php/OWASP_AppSensor_Project • http://appsensor.org/ • https://github.com/jtmelton/appsensor

52. ?
