AppSensor Guide Application-Specific Real-Time Attack Detection & Response Version 48 (Draft)




Part V : Model Dashboards


Data visualization of real-time attack detection and response provides organizations with much needed insight into whether their applications are under attack, and by whom. This part introduces the necessary concepts for visualizing AppSensor data, and presents example application-specific dashboards that have already been created.

Chapter 27 : Security Event Management Tools

Introduction


There are many open source and commercial tools for collecting, analyzing, visualizing and exploring security event data. These support common event data formats. As discussed in Part III : Making It Happen - Chapter 15 : Verification, Deployment and Operation, the many capabilities of event log management tools are not always necessary, since AppSensor data has a high confidence level and ought to be very information rich already. However, such tools can be used to acquire and present AppSensor data.

Description


In Part III : Making It Happen - Chapter 15 : Verification, Deployment and Operation - Operation, an imaginary AppSensor implementation was illustrated.

The AppSensor logging and signaling formats could be used, but most event log management tools are very flexible and even support event records comprised of simple delimited name-value pairs.



Figure: Example AppSensor Event Data Using Delimited Name-Value Pairs

Application=MyPortal|Function=View Account|Entrypoint=/c/account/view.jsp|UserSalutation=Mr|UserFamilyName=Smith|UserPersonalName=Joey|Severity=2|Confidence=100|DetectionPointID=ACE3-056|DetectionPoint=attempted to access an account belonging to someone else|ResponseAction1Code=ASR-B|ResponseAction1Description=Syslog event sent|ResponseAction2Code=ASR-C|ResponseAction2Description=Event notified to CRM (ID 509578)|ResponseAction3Code=ASR-D|ResponseAction3Description=Fraud flag set in CRM|ResponseAction4Code=ASR-I|ResponseAction4Description=Transactional functionality disabled for this user

When this data is sent using a system component supporting syslog, it can be received by security event management tools. An example of this in Splunk is illustrated in and on the following page.


Figure: AppSensor Data Feed Addition to Splunk

Figure: AppSensor Event Summary

Figure: AppSensor Event Detail

Users of such tools can then use the in-built capabilities to render, display and visualize the AppSensor data. Other security event management tools can be used in the same manner.
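Before a tool like Splunk can chart AppSensor data, the delimited name-value record shown above has to be split into fields, and the numbered ResponseActionNCode/ResponseActionNDescription pairs are easier to query if they are folded into one ordered list. The parser below is an added example, not code from the AppSensor project; the sample record is constructed in the same layout as the guide's example, and the grouping into a ResponseActions list is this example's own choice rather than part of the format.

```python
"""Parse AppSensor delimited name-value-pair records into SIEM-ready dicts.
Added example, not part of the AppSensor Guide or project code."""
import json
import re
from typing import Any

# Constructed sample record, laid out like the guide's example event.
SAMPLE_EVENT = (
    "Application=MyPortal|Function=View Account|Entrypoint=/c/account/view.jsp|"
    "UserSalutation=Mr|UserFamilyName=Smith|UserPersonalName=Joey|"
    "Severity=2|Confidence=100|DetectionPointID=ACE3-056|"
    "DetectionPoint=attempted to access an account belonging to someone else|"
    "ResponseAction1Code=ASR-B|ResponseAction1Description=Syslog event sent|"
    "ResponseAction2Code=ASR-C|ResponseAction2Description=Event notified to CRM (ID 509578)|"
    "ResponseAction3Code=ASR-D|ResponseAction3Description=Fraud flag set in CRM|"
    "ResponseAction4Code=ASR-I|ResponseAction4Description=Transactional functionality disabled for this user"
)

# Matches the numbered response-action keys, e.g. ResponseAction2Description.
_RESPONSE_KEY = re.compile(r"^ResponseAction(\d+)(Code|Description)$")


def parse_event(record: str) -> dict[str, Any]:
    """Split a pipe-delimited record into fields.  Values may contain '=' (split
    on the first one only) but not '|', so a field without '=' is treated as a
    malformed record rather than silently merged into its neighbour."""
    event: dict[str, Any] = {}
    responses: dict[int, dict[str, str]] = {}
    for pair in record.split("|"):
        if "=" not in pair:
            raise ValueError(f"malformed field (no '='): {pair!r}")
        key, value = pair.split("=", 1)
        m = _RESPONSE_KEY.match(key)
        if m:  # fold ResponseActionN{Code,Description} into one entry per N
            idx, part = int(m.group(1)), m.group(2).lower()
            responses.setdefault(idx, {})[part] = value
        else:
            event[key] = value
    # Severity and Confidence are numeric in the guide; convert for range queries.
    for num_key in ("Severity", "Confidence"):
        if num_key in event:
            event[num_key] = int(event[num_key])
    event["ResponseActions"] = [responses[i] for i in sorted(responses)]
    return event


def to_siem_json(record: str) -> str:
    """Render one record as a single-line JSON document for log shipping."""
    return json.dumps(parse_event(record), sort_keys=True)
```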

See File Data Logging Format and Signaling Data Exchange Formats in Part VI : Reference for further information about integrating AppSensor data with security event management tools.

AppSensor coverage


Coverage of AppSensor event, attack and response records can be as little or as much as is imported from logging or signaling, but depends upon the customization options of the tool.


