Data visualization of real-time attack detection and response provides organizations with much needed insight into whether their applications are under attack, and by whom. This part introduces the necessary concepts for visualizing AppSensor data, and presents example application-specific dashboards that have already been created.
Chapter 27 : Security Event Management Tools Introduction
There are many open source and commercial tools for collecting, analyzing, visualizing and exploring security event data. These support common event data formats. As discussed in Part III : Making It Happen - Chapter 15 : Verification, Deployment and Operation, the many capabilities of event log management tools are not always necessary, since AppSensor data has a high confidence level and ought to be very information rich already. However, such tools can be used to acquire and present AppSensor data.
Description
In Part III : Making It Happen - Chapter 15 : Verification, Deployment and Operation - Operation, an imaginary AppSensor implementation was illustrated.
The AppSensor logging and signaling formats could be used, but most event log management tools are very flexible and even support event records composed of simple name-value pairs.
Example AppSensor Event Data Using Delimited Name-Value Pairs
Application=MyPortal|Function=View Account|Entrypoint=/c/account/view.jsp|UserSalutation=Mr|UserFamilyName=Smith|UserPersonalName=Joey|Severity=2|Confidence=100|DetectionPointID=ACE3-056|DetectionPoint=attempted to access an account belonging to someone else|ResponseAction1Code=ASR-B|ResponseAction1Description=Syslog event sent|ResponseAction2Code=ASR-C|ResponseAction2Description=Event notified to CRM (ID 509578)|ResponseAction3Code=ASR-D|ResponseAction3Description=Fraud flag set in CRM|ResponseAction4Code=ASR-I|ResponseAction4Description=Transactional functionality disabled for this user|
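As an added example (not code from the AppSensor project), the following parser reads records in the delimited name-value format shown above, pulls the numbered ResponseActionN code/description pairs back out in order, and rolls events up per DetectionPointID, which is the kind of summary an event management tool renders once the data has been ingested. The sample records are constructed for illustration: the first is the record quoted above, the other two are invented, and EXAMPLE-001 is a placeholder rather than a real AppSensor detection point identifier.

```python
import re
from collections import Counter

# Constructed sample records in the delimited name-value format described above:
# the first is the record quoted in the text, the other two are invented here
# (EXAMPLE-001 is a placeholder, not a real AppSensor detection point ID).
SAMPLE_RECORDS = [
    "Application=MyPortal|Function=View Account|Entrypoint=/c/account/view.jsp"
    "|UserSalutation=Mr|UserFamilyName=Smith|UserPersonalName=Joey|Severity=2|Confidence=100"
    "|DetectionPointID=ACE3-056|DetectionPoint=attempted to access an account belonging to someone else"
    "|ResponseAction1Code=ASR-B|ResponseAction1Description=Syslog event sent"
    "|ResponseAction2Code=ASR-C|ResponseAction2Description=Event notified to CRM (ID 509578)"
    "|ResponseAction3Code=ASR-D|ResponseAction3Description=Fraud flag set in CRM"
    "|ResponseAction4Code=ASR-I|ResponseAction4Description=Transactional functionality disabled for this user|",
    "Application=MyPortal|Function=View Account|Entrypoint=/c/account/view.jsp"
    "|UserFamilyName=Jones|Severity=2|Confidence=100|DetectionPointID=ACE3-056"
    "|ResponseAction1Code=ASR-B|ResponseAction1Description=Syslog event sent|",
    "Application=MyPortal|Function=Login|Entrypoint=/c/login.jsp|Severity=1"
    "|Confidence=80|DetectionPointID=EXAMPLE-001"
    "|ResponseAction1Code=ASR-B|ResponseAction1Description=Syslog event sent|",
]
_RESPONSE_CODE = re.compile(r"^ResponseAction(\d+)Code$")

def parse_event(record):
    """Split one record into {name: value}. The format has no escaping, so only
    the first '=' splits a pair and values may not contain '|'; trailing '|' is ok."""
    fields = {}
    for pair in record.strip().split("|"):
        if not pair:
            continue  # tolerate the trailing delimiter
        name, sep, value = pair.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed field: {pair!r}")
        fields[name.strip()] = value.strip()
    return fields

def response_actions(fields):
    """Return (code, description) for each ResponseActionN pair, in numeric order."""
    found = []
    for name, code in fields.items():
        m = _RESPONSE_CODE.match(name)
        if m:
            n = m.group(1)
            found.append((int(n), code, fields.get(f"ResponseAction{n}Description", "")))
    return [(code, desc) for _, code, desc in sorted(found)]

def events_per_detection_point(records):
    """Count events by DetectionPointID, the roll-up an event summary view would show."""
    return Counter(parse_event(r).get("DetectionPointID", "UNKNOWN") for r in records)
```

Because the format has no escaping, a value that itself contains a pipe would be split into a bogus extra field; a producer that cannot guarantee pipe-free values should use one of the structured AppSensor formats instead.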
When this data is sent using a system component supporting syslog, it can be received by security event management tools. An example of this in Splunk is illustrated in the figures that follow.
AppSensor Data Feed Addition to Splunk
AppSensor Event Summary
AppSensor Event Detail
Users of such tools can then use the in-built capabilities to render, display and visualize the AppSensor data. Other security event management tools can be used in the same manner.
See File Data Logging Format and Signaling Data Exchange Formats in Part VI : Reference for further information about integrating AppSensor data with security event management tools.
AppSensor coverage
Coverage of AppSensor events, attacks and responses can be as little or as much as is imported from logging or signaling, but is dependent upon the customization options of the tool.