AppSensor Guide Application-Specific Real-Time Attack Detection & Response Version 48 (Draft)


Chapter 25 : Using an External Log Management System




Introduction


An external log management system can be used to aggregate event data and generate some types of responses such as alerts or network changes. An organization with a large number of applications that already has some form of Security Information and Event Management (SIEM) or other Continuous Security Monitoring (CSM) may benefit from this type of approach.

This demonstration implementation does not form part of the core development efforts within the OWASP AppSensor Project.


Description


Detection points are added into each application’s source code as in a standard AppSensor implementation, but the information from the detection points is sent to an external log aggregation and event management system. The external system is responsible for determining that an attack is occurring and for initiating responses.

Events collected by detection points are sent to a centralized system using Common Event Format (CEF) over the syslog protocol.



Figure: Schematic Arrangement of Example External Log Management System


AppSensor scope


Any detection points capable of being added to the application(s) and elsewhere could provide event data to the external system.

Although potentially any response is possible, assume the signaling is one-way from the application(s) to the external system. Then the most likely responses supportable via the network are:



Table: List of Response Categories Possibly Available to an External Log/Event Management System

Category Type   Category Description                              Response Code   Response Description
None            No response                                       ASR-P           No Response
Silent          User unaware of application's response            ASR-A           Logging Change
                                                                  ASR-B           Administrator Notification
                                                                  ASR-C           Other Notification
Active          Application functionality reduced for user(s)     ASR-L           Application Disabled

Of these, administrator notification is the most common (and not necessarily the most effective use of AppSensor capabilities).

Source code


No source code is available.

Implementation


This method still requires the addition of detection points to application code, which is application dependent. All other conceptual elements are undertaken external to the application(s).

An example message structure is shown below. It uses predefined and custom key-value pairs in the extension part of CEF to carry:



  • User agent string

  • Application detection point identifier

  • AppSensor detection point category

  • HTTP status code

  • Request ID (a unique identifier for each application request)

  • Local log identifier

  • Degree of confidence (in the example 100%).

Example Use of Common Event Format for Event Signaling (extension part of the CEF message):

src=10.25.102.65
suser=W0005
proto=TCP
dpt=80
proc=httpd
request=/catalogue/showProduct/
requestMethod=GET
deviceExternalID=AppSensor06
msg=Cross site scripting attempt in parameter prodid
cat=detection
act=block
cs1Label=requestClientApplication cs1=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-GB; rv:1.9.2.17) Gecko/20110420
cs2Label=AppSensorSensorID cs2=R03
cs3Label=AppSensorDetectionType cs3=IE1
cs4Label=StatusCode cs4=403
cn1Label=RequestID cn1=000070825566
cn2Label=AppSensorLogID cn2=1650833
cn3Label=Confidence cn3=100
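The message above lists only the extension pairs. The following is an added example, not code from the AppSensor Guide or the OWASP AppSensor project, showing the three pieces the chapter describes: the application serialising such an event into a complete CEF line with a syslog priority prefix (with the escaping CEF requires for pipes, backslashes and equals signs), the external log management system parsing it back and folding the csNLabel/csN and cnNLabel/cnN pairs into named fields, and a simple per-user correlation rule that decides between the ASR-P and ASR-B responses from the table above. The CEF header values (vendor OWASP, product AppSensor, version 1.0, severity 7), the syslog facility, and the AttackDetector threshold, window and confidence cut-off are all assumptions made for this example.

```python
"""Added example: serialise an AppSensor event as CEF, parse it on the receiving
side, and correlate events per user.  Not code from the AppSensor Guide or the
OWASP AppSensor project; header values and thresholds below are assumptions."""
import re
from collections import defaultdict, deque

# Assumed CEF header values (the guide shows only the extension part).
CEF_VERSION, DEVICE_VENDOR, DEVICE_PRODUCT, DEVICE_VERSION = "0", "OWASP", "AppSensor", "1.0"
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def _escape_header(value):
    # CEF header fields escape backslash and the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    # CEF extension values escape backslash, equals sign and line breaks.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(signature_id, name, severity, extension):
    """Return one CEF line: seven header fields, then space-separated key=value pairs."""
    header = "|".join(_escape_header(v) for v in (
        CEF_VERSION, DEVICE_VENDOR, DEVICE_PRODUCT, DEVICE_VERSION,
        signature_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:{header}|{ext}"


def syslog_frame(cef_line, facility=1, severity=4):
    """Prefix the RFC 3164 priority value (facility*8 + severity).  A real sender
    would then do socket.sendto(frame.encode(), (collector_host, 514))."""
    return f"<{facility * 8 + severity}>{cef_line}"


_KEY_RE = re.compile(r"(?:^|(?<=\s))(\w+)=")  # a key is a word directly before an unescaped '='


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Split a CEF line into (header dict, event dict).  Custom pairs such as
    cs3Label=AppSensorDetectionType cs3=IE1 become event['AppSensorDetectionType']."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    body, fields, buf, i = line[4:], [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):  # unescaped '|' ends a header field
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            buf.append(body[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    ext = body[i:]
    keys = list(_KEY_RE.finditer(ext))
    raw = {}
    for n, m in enumerate(keys):  # a value runs up to the next key
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw[m.group(1)] = _unescape(ext[m.end():end].strip())
    labels = {k[:-len("Label")]: v for k, v in raw.items() if k.endswith("Label")}
    event = {labels.get(k, k): v for k, v in raw.items() if not k.endswith("Label")}
    return dict(zip(HEADER_FIELDS, fields)), event


class AttackDetector:
    """The correlation the external system performs (assumed rule): `threshold`
    detection events from one user inside `window` seconds escalate to
    administrator notification (ASR-B); otherwise no response (ASR-P)."""

    def __init__(self, threshold=3, window=300, min_confidence=50):
        self.threshold, self.window, self.min_confidence = threshold, window, min_confidence
        self._seen = defaultdict(deque)

    def observe(self, event, now):
        if event.get("cat") != "detection" or int(event.get("Confidence", "100")) < self.min_confidence:
            return "ASR-P"
        q = self._seen[event.get("suser") or event.get("src")]
        q.append(now)
        while q and now - q[0] > self.window:  # drop events that fell out of the window
            q.popleft()
        return "ASR-B" if len(q) >= self.threshold else "ASR-P"


# The extension pairs from the guide's example message, re-keyed as a dict.
SAMPLE_EXTENSION = {
    "src": "10.25.102.65", "suser": "W0005", "proto": "TCP", "dpt": "80", "proc": "httpd",
    "request": "/catalogue/showProduct/", "requestMethod": "GET", "deviceExternalID": "AppSensor06",
    "msg": "Cross site scripting attempt in parameter prodid", "cat": "detection", "act": "block",
    "cs1Label": "requestClientApplication",
    "cs1": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-GB; rv:1.9.2.17) Gecko/20110420",
    "cs2Label": "AppSensorSensorID", "cs2": "R03", "cs3Label": "AppSensorDetectionType", "cs3": "IE1",
    "cs4Label": "StatusCode", "cs4": "403", "cn1Label": "RequestID", "cn1": "000070825566",
    "cn2Label": "AppSensorLogID", "cn2": "1650833", "cn3Label": "Confidence", "cn3": "100",
}

if __name__ == "__main__":
    line = build_cef("IE1", "Cross site scripting attempt", 7, SAMPLE_EXTENSION)
    print(syslog_frame(line))
    header, event = parse_cef(line)
    print(header["signature_id"], event["AppSensorDetectionType"], event["suser"])
    detector = AttackDetector(threshold=3, window=60)
    print([detector.observe(event, t) for t in (0, 10, 20)])  # ['ASR-P', 'ASR-P', 'ASR-B']
```

The parser deliberately resolves labels on the receiving side rather than trusting field positions, because the same cs1 slot may carry different data from different applications; keying correlation on suser (falling back to src) and requiring a minimum Confidence keeps a single low-confidence event from triggering a notification.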




Considerations


This method may not be completely “real time” nor provide feedback information for the application(s) to adapt to the attack. See also Chapter 18 : AppSensor and Application Event Logging for a discussion about generic application event logging.

AppSensor data might simply be used to enhance attack and threat intelligence for fraud detection or advanced persistent threat identification.


Related implementations


Similar logging ideas could be implemented using the open source OSSEC or many commercial log management systems.

Existing security monitoring systems should always be considered as a recipient of AppSensor data, regardless of where the event analysis and event management is being undertaken. Signaling AppSensor event and attack data to an event monitoring system adds valuable information to an organization’s threat and attack knowledge.

Dinis Cruz has suggested that Google Analytics could be utilized to perform this type of externalized data collection and analysis, but with limited ability for response. In some systems, GA may be one of the few destinations that internal applications have been allowed to communicate with.

