appsensor - near real time event detection and response
TRANSCRIPT
![Page 1: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/1.jpg)
AppSensor ~ near real-time event detection and response
![Page 2: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/2.jpg)
![Page 3: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/3.jpg)
Agenda
• who - prior work
• why - motivations
• what - the pitch
• how - the tech
• when - future plans
• who - contributors
![Page 4: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/4.jpg)
who
![Page 5: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/5.jpg)
prior work
• Network IDS (Denning and others, NIST SP 800-94)
• Intrusion prevention
• Fraud detection
• Rules engines, Risk analysis/reduction (see Groves), HIDS
![Page 6: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/6.jpg)
terminology
• event - suspicious activity
• attack - malicious activity; made up of 1 .. * events
• response - take action; 1 .. 1 per attack
• detection point - activity category (e.g. cookie modification)
![Page 7: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/7.jpg)
why
![Page 8: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/8.jpg)
~5 yrs ago dev
• mostly web apps [RoR, PHP, .NET, Java]
• ajax (jquery) use growing
• mobile just getting started
• deployment to VMs
• hadoop picking up
• BI tools
• AWS starting
• cloud hype cycle (NIST defines)
![Page 9: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/9.jpg)
~now dev
• JS everywhere
• functional / rx programming
• cloud everything
• ci/cd
• nosql / CAP light
• containers
• big data
• stream processing
• config management
• iot
• beacons [usage, ads, errors, performance]
• actors/csp
• microservices
• cqrs / event sourcing
• mobile
![Page 10: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/10.jpg)
1 .. * of [scale, speed, cloud, lack of environmental access]
![Page 11: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/11.jpg)
dev buzzwords
• devops
• functional (FP)
• agile
• cqrs / event sourcing
• cloud (-native)
• iot
• scalable
• microservices
• ci/cd
• containers
• big data
• streaming
![Page 12: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/12.jpg)
![Page 13: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/13.jpg)
“the Kafka ecosystem at LinkedIn is sent over 800 billion* messages per day.. At the busiest times of day, we are receiving over 13 million messages per second.”
- LinkedIn, March 2015
* Update (Sept 2015): 1.1 Trillion messages per day
![Page 14: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/14.jpg)
last ~5 yrs security
• 3rd party libs (dep-check)
• bug bounties
• sast / dast evolve (ZAP)
• iast / rasp
• http security headers
• automatic encoding (JXT)
• *-monkey (NetflixOSS)
• bdd-security/gauntlt
• ci/cd plugins
• 2fa
• osquery
1 .. * of [scale, speed, cloud, lack of environmental access]
![Page 15: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/15.jpg)
dev vs. security
• dev is exploiting fundamental architectural and deployment changes to add business value
• security is iterating on existing solutions - and - trying to close gaps (known problems)
![Page 16: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/16.jpg)
having to deal with [scale, speed, cloud, lack of environmental access] represents an enormous opportunity for security
![Page 17: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/17.jpg)
what
![Page 18: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/18.jpg)
the pitch
• security can’t scale without dev + ops
• automated response > manual response
• make IDS primitives available at app layer
• stop attacker before success
• build self-protecting applications
• gain valuable intel
• benefit / extend (existing) secure sdlc efforts
[diagram labels: X, success, AppSensor]
![Page 19: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/19.jpg)
![Page 20: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/20.jpg)
![Page 21: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/21.jpg)
Correlation … and scale
![Page 22: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/22.jpg)
![Page 23: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/23.jpg)
![Page 24: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/24.jpg)
![Page 25: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/25.jpg)
how
![Page 26: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/26.jpg)
example

```http
POST /account/transfer HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Win…)
Accept: text/html,application/xhtml+xml
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/account.php
Cookie: PHPSESSID=l9…lgt5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

from_acct=xxx1234&to_acct=xxx9876&amt=20.00
```
![Page 29: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/29.jpg)
example

```java
@POST
public Response transfer(String from, String to, String amount) {
    transfer(from, to, amount);   // the business-logic transfer, elided on the slide
    return Response.ok();
}
```
![Page 30: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/30.jpg)
example

```java
@POST
public Response transfer(String from, String to, String amount) {
    if (currentUser.owns(from)) {
        transfer(from, to, amount);
    }
    return Response.ok();
}
```
![Page 31: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/31.jpg)
example

```java
@POST
public Response transfer(String from, String to, String amount) {
    if (currentUser.owns(from)) {
        transfer(from, to, amount);
    } else {
        // ACE2: Modifying Parameter Within a POST for Direct Object Access Attempt
        appsensor.addEvent(new Event(currentUser, "ACE2"));
    }
    return Response.ok();   // as on the slide; a real handler would return an error in the else branch
}
```
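An added example, written for this transcript and not the AppSensor project's own code, that joins the terminology slide (event, attack, response, detection point) to the transfer handler above, in Python rather than the slide's Java. ACE2 is AppSensor's id for "Modifying Parameter Within a POST for Direct Object Access Attempt"; everything else here is assumed for the example: the threshold and interval, the escalating response ladder, the `OWNERS` table that stands in for `currentUser.owns(from)`, and the function names.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class DetectionPoint:
    id: str
    threshold: int      # events inside `interval_s` that turn suspicion into an attack
    interval_s: float   # sliding window length in seconds


class AppSensor:
    """Minimal event store: 1..* events -> attack -> exactly one response."""

    # assumed escalating response ladder; a deployment configures this per detection point
    RESPONSES = ("log", "warn_user", "logout", "disable_account")

    def __init__(self, detection_points):
        self.dps = {dp.id: dp for dp in detection_points}
        self.windows = defaultdict(deque)     # (user, dp id) -> event timestamps
        self.attack_count = defaultdict(int)  # (user, dp id) -> attacks raised so far
        self.attacks = []                     # (user, dp id, response) in order raised

    def add_event(self, user, dp_id, now=None):
        """Record one suspicious event; return the response if it completed an attack."""
        now = time.time() if now is None else now
        dp = self.dps[dp_id]
        window = self.windows[(user, dp_id)]
        window.append(now)
        while window and now - window[0] > dp.interval_s:   # expire events outside the window
            window.popleft()
        if len(window) < dp.threshold:
            return None
        window.clear()                         # one attack per threshold crossing
        key = (user, dp_id)
        response = self.RESPONSES[min(self.attack_count[key], len(self.RESPONSES) - 1)]
        self.attack_count[key] += 1
        self.attacks.append((user, dp_id, response))
        return response

    def is_disabled(self, user):
        return any(u == user and r == "disable_account" for u, _, r in self.attacks)


# constructed ownership table standing in for currentUser.owns(from) on the slide
OWNERS = {"xxx1234": "alice", "xxx5555": "alice", "xxx9876": "bob"}


def transfer(sensor, current_user, from_acct, to_acct, amount, now=None):
    """POST /account/transfer handler: fail closed and record ACE2 on tampering."""
    if sensor.is_disabled(current_user):
        return 403, "account disabled"
    if OWNERS.get(from_acct) != current_user:
        # the caller edited from_acct in the POST body to an account they do not
        # own: that is AppSensor's ACE2 (direct object access via a POST parameter)
        response = sensor.add_event(current_user, "ACE2", now)
        return 403, f"forbidden (response: {response})"
    return 200, f"moved {amount} from {from_acct} to {to_acct}"


def demo():
    """bob replays the slide's POST nine times with from_acct=xxx1234 (alice's account)."""
    sensor = AppSensor([DetectionPoint("ACE2", threshold=2, interval_s=300)])
    results = [transfer(sensor, "bob", "xxx1234", "xxx9876", "20.00", now=10 * i)
               for i in range(9)]
    return sensor, results


if __name__ == "__main__":
    s, rs = demo()
    for r in rs:
        print(r)
    print(s.attacks)
```

Two things differ from the slide on purpose: the mismatch branch returns 403 instead of `Response.ok()`, and every second tampered request closes an attack, so bob walks the ladder log, warn_user, logout, disable_account and his ninth request is refused before any business logic runs. The window is sliding, so two events 1000 seconds apart on a 300 second interval do not add up to an attack.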
![Page 32: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/32.jpg)
OWASP ASIDE
• secure programming IDE plugin
• educational component
• https://www.owasp.org/index.php/OWASP_ASIDE_Project
![Page 33: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/33.jpg)
OWASP ASIDE
![Page 34: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/34.jpg)
OWASP ASIDE
Based on ESAPI code (length checked), ASIDE infers that this may be a point to insert an app sensor; whether a sensor is placed relies on the developer’s decision.
![Page 37: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/37.jpg)
OWASP ASIDE
It not only captures the context information (e.g. the sensor event is from the username field), but also records that the sensor event is due to an exceedingly lengthy input.
![Page 38: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/38.jpg)
| Detection Point Type | Detection Points Covered |
|---|---|
| AuthenticationException | AE4: Unexpected Quantity of Characters in Username; AE5: Unexpected Quantity of Characters in Password; AE6: Unexpected Type of Character in Username; AE7: Unexpected Type of Character in Password |
| InputException | IE1: Cross Site Scripting Attempt |
| EncodingException | EE1: Double Encoded Character; EE2: Unexpected Encoding Used |
| CommandInjectionException | CIE1: Blacklist Inspection for Common SQL Injection Values |

| Detection Points Picked | Corresponding ASIDE APIs |
|---|---|
| AE4: Unexpected Quantity of Characters in Username; AE5: Unexpected Quantity of Characters in Password | java.lang.String ASIDE.QuantityExceptionSensor(java.lang.String parameter) |
| AE6: Unexpected Type of Character in Username; AE7: Unexpected Type of Character in Password | java.lang.String ASIDE.TypeExceptionSensor(java.lang.String parameter) |
| IE1: Cross Site Scripting Attempt | java.lang.String ASIDE.XSSSensor(java.lang.String parameter) |
| EE1: Double Encoded Character; EE2: Unexpected Encoding Used | java.lang.String ASIDE.EncodingExceptionSensor(java.lang.String parameter) |
| CIE1: Blacklist Inspection for Common SQL Injection Values | java.lang.String ASIDE.SQLInjectionSensor(java.lang.String parameter) |
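The sensors in the table, as an added example that is neither ASIDE's nor AppSensor's code and uses Python in place of the table's Java signatures. Each sensor keeps the table's shape: it takes one parameter, returns it unchanged so it can wrap an existing validation call, and records a detection point event as a side effect. The detection point ids (AE4 to AE7, IE1, EE1, EE2, CIE1) are AppSensor's; the length limits, character alphabets, XSS and SQL signatures, the `events` sink and all function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# event sink for the example: (detection point id, field name) pairs; a
# deployment would forward these to AppSensor instead of keeping a list
events = []


def _record(dp_id, field):
    events.append((dp_id, field))


def quantity_sensor(value, field):
    """AE4 / AE5: unexpected quantity of characters in username / password."""
    limits = {"username": 64, "password": 128}   # assumed limits
    if len(value) > limits[field]:
        _record("AE4" if field == "username" else "AE5", field)
    return value


def type_sensor(value, field):
    """AE6 / AE7: unexpected type of character in username / password."""
    if field == "username":
        ok = re.fullmatch(r"[A-Za-z0-9._@-]*", value)   # assumed username alphabet
    else:
        ok = re.fullmatch(r"[\x20-\x7e]*", value)         # printable ASCII only (assumed)
    if not ok:
        _record("AE6" if field == "username" else "AE7", field)
    return value


def encoding_sensor(value, field):
    """EE1: double encoded character; EE2: unexpected encoding used."""
    once = unquote(value)
    if unquote(once) != once:        # a second decode still changes it: it was encoded twice
        _record("EE1", field)
    if re.search(r"%u[0-9a-fA-F]{4}", value):   # %uXXXX is not a valid URL encoding
        _record("EE2", field)
    return value


def xss_sensor(value, field):
    """IE1: cross site scripting attempt (crude signature check on the raw value)."""
    if re.search(r"<\s*script|javascript:|on\w+\s*=", value, re.IGNORECASE):
        _record("IE1", field)
    return value


# assumed blacklist; a blacklist is a detection signal, never the control itself
SQLI_TOKENS = (" or 1=1", "union select", "'--", "' or '", "sleep(", "xp_cmdshell")


def sqli_sensor(value, field):
    """CIE1: blacklist inspection for common SQL injection values."""
    low = value.lower()
    if any(tok in low for tok in SQLI_TOKENS):
        _record("CIE1", field)
    return value


SENSORS = (quantity_sensor, type_sensor, encoding_sensor, xss_sensor, sqli_sensor)


def login_sensors(username, password):
    """Run every sensor over both login fields; return the detection point events raised."""
    del events[:]
    for sensor in SENSORS:
        username = sensor(username, "username")
        password = sensor(password, "password")
    return list(events)
```

The sensors only observe and record; the query behind the login must still be parameterised and the input still validated, which is why each one hands the value back untouched. Treat EE1 as a signal rather than proof: a field that legitimately carries a literal percent sign followed by two hex digits decodes twice as well.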
![Page 39: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/39.jpg)
OWASP ASIDE
• eclipse IDE
• reminder icon or highlight
• drop down list of applicable sensors
• auto-insertion of ASIDE sensor APIs and code refactoring
![Page 40: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/40.jpg)
owasp SoC sprint
• Sumanth Damarla
• 6 weeks
• appsensor -> ELK stack
• appsensor -> influxdb -> grafana
![Page 47: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/47.jpg)
machine learning
• very simple analysis
• generated demo dataset for 1-week
• build base model
• look for “anomalies”
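The “very simple analysis” on the slide, as an added example that is not the project's own analysis code: a constructed one-week event stream with one injected burst, a per-detection-point baseline learned from the week, and a threshold that reports the hours outside it. Everything in it is assumed: the generator and its seed, the detection points used (AE2 multiple failed passwords, IE1 XSS attempt), the burst, k = 3 and the median/MAD baseline.

```python
import random
from collections import Counter
from statistics import median

HOURS_PER_WEEK = 7 * 24


def generate_week(seed=7, burst_hour=100, burst_size=60):
    """Constructed one-week stream of (hour index, detection point id) events."""
    rng = random.Random(seed)
    events = []
    for hour in range(HOURS_PER_WEEK):
        events += [(hour, "AE2")] * rng.randint(2, 6)   # AE2: background failed passwords
        events += [(hour, "IE1")] * rng.randint(0, 2)   # IE1: background XSS probes
    events += [(burst_hour, "AE2")] * burst_size        # injected credential-stuffing burst
    return events


def hourly_counts(events):
    """{detection point: [count for hour 0 .. 167]}."""
    counts = Counter(events)
    return {dp: [counts[(h, dp)] for h in range(HOURS_PER_WEEK)]
            for dp in sorted({dp for _, dp in events})}


def build_baseline(series):
    """Per detection point: (median, scaled MAD) of the hourly counts.

    Median/MAD rather than mean/std so that an attack already present in the
    training week does not drag its own threshold upwards."""
    baseline = {}
    for dp, xs in series.items():
        med = median(xs)
        mad = median(abs(x - med) for x in xs)
        baseline[dp] = (med, 1.4826 * mad)   # 1.4826 scales MAD to a std-dev-like spread
    return baseline


def find_anomalies(series, baseline, k=3.0):
    """Hours whose count exceeds median + k * scaled MAD, as (hour, dp, count)."""
    found = []
    for dp, xs in series.items():
        med, sigma = baseline[dp]
        if sigma == 0:       # constant series: spread-based scoring cannot say anything
            continue
        for hour, n in enumerate(xs):
            if n > med + k * sigma:
                found.append((hour, dp, n))
    return found


def demo():
    series = hourly_counts(generate_week())
    return find_anomalies(series, build_baseline(series))


if __name__ == "__main__":
    print(demo())
```

With mean and standard deviation the burst inflates the very threshold that is supposed to catch it; median and MAD barely move. The baseline ignores hour-of-day seasonality and user identity, both of which a less simple model would carry, and a flat series (MAD of zero) is deliberately left unscored rather than flagged on any change at all.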
![Page 48: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/48.jpg)
![Page 49: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/49.jpg)
DEMO
• appsensor UI
• exception handling example
![Page 50: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/50.jpg)
when
![Page 51: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/51.jpg)
future
• better story for adding detection points
• more (canned) analysis (exploring machine learning, expert systems)
• more integrations
• standard refactoring / maintenance
![Page 52: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/52.jpg)
you
• help wanted!
• plenty of places to contribute and improve
• friendly, helpful community
• https://github.com/jtmelton/appsensor/issues
• https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Road_Map_and_Getting_Involved
![Page 53: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/53.jpg)
who
![Page 54: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/54.jpg)
related projects
• ensnare
• fido
• riemann
• elastalert
![Page 55: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/55.jpg)
pick a tool … but use the idea
![Page 56: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/56.jpg)
contributors
• https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Acknowledgements
![Page 58: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/58.jpg)
links
• https://www.owasp.org/index.php/OWASP_AppSensor_Project
• http://appsensor.org/
• https://github.com/jtmelton/appsensor
![Page 59: AppSensor - Near Real Time Event Detection and Response](https://reader031.vdocuments.site/reader031/viewer/2022030207/58a94fc21a28ab77408b49d3/html5/thumbnails/59.jpg)
?