1 User, 10 Places, 100 Seconds #appsecapac2014

Transcript

1. Talks: 1 User, 10 Places, 100 Seconds © Copyright 2013

   Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 User, 10 Places, 100 Seconds

2. What’s your location? © Copyright 2013 Hewlett-Packard Development Company, L.P.

   The information contained herein is subject to change without notice. 2

3. Alarms go off at the IT Security Operations Center (IT

   SOC), right? © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 3

4. Not really… © Copyright 2013 Hewlett-Packard Development Company, L.P. The

   information contained herein is subject to change without notice. 4

5. OS, databases, storage IPS, routers, switches, firewalls, DLP Why not?

   Security Information and Event Management solution © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 5 Servers, IAM, networking Applications Application Logs: • Few or uninteresting details • For debugging purposes • Not security related • Require custom connectors IT SOC Management solution

6. % of breaches that occur are application Why should we

   care about the applications? © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. % application related *Gartner, 2013

7. Question? Application © Copyright 2013 Hewlett-Packard Development Company, L.P. The

   information contained herein is subject to change without notice. 7

8. How to make the application produce security logs? 1 Sniff

   traffic, or layer 7 interception Very incomplete © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 8 Application Source Code Developer Insert: • Log.warning(…) • Log.error(…) 2 Lot of work! In business and data layer

9. How to make the application produce security logs? Bottom line,

   need a mechanisms to: 3 Agent technology Agent per language © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 9 Bottom line, need a mechanisms to: public …{ … userLogin(username, password) … } public …{ … if( userLogin(username, password) ) Log.info(“User :”+username+” logged in!”); else Log.info(“User :”+username+” failed login!”); … }

10. Various options to do the implementation: Agents, how do they

    work? Aspect Oriented Instrumentation © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 10 Debugging Profiling Link time code rewriting

11. What to gather with the agent? http://link... WS Call(…) Web-service

    activity Calling external pages © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 11 File activity Database activity

12. Interesting internal activity Security Exceptions © Copyright 2013 Hewlett-Packard Development

    Company, L.P. The information contained herein is subject to change without notice. 12 Crypto Exceptions

13. Up and running… what now? Applications © Copyright 2013 Hewlett-Packard

    Development Company, L.P. The information contained herein is subject to change without notice. 13

14. Need some visuals! © Copyright 2013 Hewlett-Packard Development Company, L.P.

    The information contained herein is subject to change without notice. 14 About what? Scenarios please!

15. Geo Location Discrepancy is trivial to detect now Action: login

    User: eddie Action: login User: eddie Events © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 15 User Visibility User: eddie Login time: 1/1/13, 10:00pm Place: Sunnyvale, CA, USA User: eddie Login time: 1/1/13, 10:05pm Place: Shanghai, China

16. … and knowing what that person did in the app

    Action: login User: eddie Action: login User: eddie Events © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 16 User: eddie Login time: 1/1/13, 10:00pm Place: Sunnyvale, CA, USA User: eddie Login time: 1/1/13, 10:05pm Place: Shanghai, China

17. Multiple Authentications from the same IP Events Action: login User:

    eddie Action: login User: gary Action: login © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 17 User Visibility Action: login User: geoff …

18. Brute force password attack Events Action: login: Failed User: eddie

    Action: login: Failed User: eddie Action: login: Failed © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 18 User Visibility Action: login: Failed User: eddie Action: login: Successful User: eddie …

19. Who leaked classified docs? Events Action: access trade secrets User:

    eddie Trade secrets Action: - User: kate Action: - User: matt © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 19 User Visibility User: matt Trade secrets ?

20. Forensics © Copyright 2013 Hewlett-Packard Development Company, L.P. The information

    contained herein is subject to change without notice. 20 User Visibility Events

21. Examples please? Demo application: Riches © Copyright 2013 Hewlett-Packard Development

    Company, L.P. The information contained herein is subject to change without notice. 21 Real application: Apache Ofbiz

22. Let’s start easy: Get logs in to SIEM without Agents…

    Solution: write parser © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 22 Bottom line: A lot is missing... Key information around the user Severity Message

23. So, write an agent … example: Aspect Oriented Programming ©

    Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 23

24. Let’s start easy… © Copyright 2013 Hewlett-Packard Development Company, L.P.

    The information contained herein is subject to change without notice. 24

25. Without Agent Authentication Example Nothing! © Copyright 2013 Hewlett-Packard Development

    Company, L.P. The information contained herein is subject to change without notice. 25 With Agent

26. Example: Apache Example please! © Copyright 2013 Hewlett-Packard Development Company,

    L.P. The information contained herein is subject to change without notice. 26 End Users

27. Screen shot regular logging from Apache Ofbiz Not security related

    at all © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 27 And if it’s security related, it’s incomplete…

28. Application View: What did we get: What applications? Logging syslog

    © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 28 What did we get: • Log messages automatically • Track users logging in • Track everything user does in the application • Track exceptions thrown in the application • …

29. Exceptions thrown (but catched) © Copyright 2013 Hewlett-Packard Development Company,

    L.P. The information contained herein is subject to change without notice. 29 29

30. Exceptions thrown (but catched) © Copyright 2013 Hewlett-Packard Development Company,

    L.P. The information contained herein is subject to change without notice. 30 30

31. Tracking users… © Copyright 2013 Hewlett-Packard Development Company, L.P. The

    information contained herein is subject to change without notice. 31

32. Tracking their behavior… © Copyright 2013 Hewlett-Packard Development Company, L.P.

    The information contained herein is subject to change without notice. 32

33. What’s your location? © Copyright 2013 Hewlett-Packard Development Company, L.P.

    The information contained herein is subject to change without notice. 33

34. Thank you © Copyright 2013 Hewlett-Packard Development Company, L.P. The

    information contained herein is subject to change without notice.