Slide 1
New Techniques in Application Intrusion Detection
Al Huizenga, Mykonos Product Manager
May 2010
Slide 2
Today
• Who am I?
  • Director of Product Management, Mykonos
  • 11 years experience marketing Web-based products and technologies
  • Canadian. Eh.
• The Agenda
  • The problem of Web application abuse
  • Current options
  • Application intrusion detection and response
  • AppSensor vs. Mykonos Security Appliance
Slide 3
The Problem
The Cost of Web Application Abuse
Fraud! Defacement!
Identity Theft!
Loss of business!
Brand damage!
Economic Growth!
Slide 4
How Big is the Problem?
Big, and Getting Bigger
• $4.0B in Fraud (Cybersource 2008)
• $50B in Identity Theft (FTC 2009)
• $16B Credit Card Fraud (Mercator Advisory Group 2008)
• $204 - Cost of Data Breach per Customer Record (Ponemon Institute 2009)
• $1T - Global Cost of Cyber Crime (McAfee 2008)
Slide 5
The Challenge
How to Secure Legacy Apps from Abuse
Fix It.
Firewall It.
Slide 6
The Anatomy of a Web Attack
Phase 1: Silent Introspection
Phase 2: Attack Vector Establishment
Phase 3: Attack Implementation
Phase 4: Attack Automation
Phase 5: Maintenance
WAFs play here.
Slide 7
Early Detection
What about all the requests before an attack is delivered?
[Chart: Number of Requests over time, with markers for "Malicious activity detected" and, later, "Attack vector established"]
Slide 8
Is there another way?
Add Security Logic to the App
• Can you extend legacy apps to detect malicious activity from within the app itself, before a user is able to identify and exploit a vulnerability?
  • E.g. manipulating cookies, query parameters, input fields…
Slide 9
Approaches
OWASP AppSensor Project
A conceptual framework for implementing intrusion detection capabilities into existing applications
http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project
Slide 10
AppSensor
42 Detection Points
Exception category    Detection points
Request               4
Authentication        11
Access Control        6
Session               4
Input                 2
Encoding              2
Command Injection     4
File IO               2
User Trend            4
System Trend          3
Slide 11
AppSensor
How is it implemented?
• A little unclear…
• Two recommendations
  • At the business layer (aka in code), preferably using the OWASP ESAPI
  • As a ‘cross-cutting concern’ in an Aspect-Oriented Programming approach (e.g. Java Filters)
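As an added illustration of the "cross-cutting concern" option (example code written for this transcript, not AppSensor's or Mykonos's own implementation), the following WSGI middleware runs three AppSensor-style detection points over every request and blocks a client once its event count passes a threshold. The route policy, the cookie signing key, the threshold and the RE/IE/SE labels are all assumptions loosely following AppSensor's exception categories; the same idea maps onto a Java servlet filter.

```python
import hmac, hashlib
from collections import defaultdict
from urllib.parse import parse_qs
from http.cookies import SimpleCookie

# Constructed policy for a hypothetical app: allowed methods and expected
# query parameter names per route (not AppSensor's or Mykonos's own schema).
ROUTE_POLICY = {
    "/account": {"methods": {"GET"}, "params": {"id"}},
    "/login": {"methods": {"GET", "POST"}, "params": set()},
}
COOKIE_KEY = b"constructed-demo-key"  # a real app loads this from config
BLOCK_THRESHOLD = 3                   # events per client before responding

def sign(value: str) -> str:
    # Short HMAC tag the app appends to the session cookie it issues.
    return hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def detect(environ, policy=ROUTE_POLICY):
    """Run detection points over one request; returns (code, detail) events."""
    events = []
    path, method = environ.get("PATH_INFO", "/"), environ.get("REQUEST_METHOD", "GET")
    rule = policy.get(path)
    if rule is None:
        return events                        # unknown route: let the app 404 it
    if method not in rule["methods"]:        # RE: unexpected HTTP method
        events.append(("RE", f"{method} not allowed on {path}"))
    qs = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    for name in sorted(set(qs) - rule["params"]):   # IE: unexpected parameter
        events.append(("IE", f"unexpected query parameter {name}"))
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if "session" in cookie:                  # SE: session cookie tampered with
        val, _, sig = cookie["session"].value.rpartition(".")
        if not hmac.compare_digest(sig.encode(), sign(val).encode()):
            events.append(("SE", "session cookie signature mismatch"))
    return events

class AppSensorMiddleware:
    """Cross-cutting WSGI filter: count events per client, block past threshold."""
    def __init__(self, app):
        self.app, self.scores = app, defaultdict(int)
    def __call__(self, environ, start_response):
        client = environ.get("REMOTE_ADDR", "unknown")
        for code, detail in detect(environ):
            self.scores[client] += 1
            print(f"appsensor client={client} {code}: {detail}")  # log/SIEM hook
        if self.scores[client] >= BLOCK_THRESHOLD:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"request blocked\n"]
        return self.app(environ, start_response)
```

Wrap any WSGI application as `AppSensorMiddleware(app)`; the in-memory score table is per process, so a deployment with several workers would keep it in shared storage.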
Slide 12
AppSensor
Strengths and Challenges
Strengths
• It’s smart
• A great reference for determining malicious intent, categorizing and rating incidents
Challenges
• Takes development time
• No tools or pre-fab solutions yet
• Project advances very slowly
Slide 13
Approaches
The Mykonos Security Appliance
A high speed HTTP processing engine that extends Web application code with intrusion detection and response capabilities at serve time.
http://www.mykonossoftware.com
Slide 14
The Mykonos Security Appliance
26 Detection Points
Processor          Detection points
Authentication     4
Cookies            1
Errors             2
Files              2
Headers            7
Inputs             1
Links              3
Request Methods    3
Query Parameters   1
Spiders            2
Slide 15
The Mykonos Security Appliance
How is it implemented?
[Diagram: HTTP requests and responses pass through the HTTP Proxy into the Security Engine, which draws on a Processor Library and a Profile DB]
Slide 16
The Mykonos Security Appliance
Strengths and Challenges
Strengths
• It’s smart
• Code-aware w/o dev participation
• Easy to configure
Challenges
• Inline proxy
• Throughput and latency
• Transparency – don’t break the app!