We all understand the need to get application security right, but how do you tell if someone is attempting to break or abuse your application? This session will discuss how your security operations team might look at this, and the challenges presented when your CISO asks those questions.
Getting the most from Application Security in your SOC by Leigh Collett
1. Getting the most from Application Security in your SOC
Leigh Collett
leigh@isc2-chapter.cz
www.isc2-chapter.cz
2. » AIM
• Understand what application security monitoring means to the SOC
• Provide some insight into how security monitoring can be incorporated into application development
3. » What does the SOC Monitor?
• Classically:
  • Anti-Virus
  • Firewalls
  • IDS/IPS/WAF
  • Operating Systems
  • Databases
(Infrastructure Monitoring)
4. » How is it tied together?
• Normalisation
• Correlation
• Example correlation chain (from the slide diagram): IDS Event (attack signature) → Vulnerability Correlation (confirmed vulnerable) → Raise Alert → OS Authorisation Event (successful attack alert)
5. » What does the SOC Monitor?
• Now: does it mention security in its marketing…… or "our business depends on….."
6. » The SOC Challenge
• Hundreds of tools telling us "There is a problem"
• Resources
• Process bound
• Automation
• No clear "risk" directive
7. » Turning Risks into Monitoring
• Need to clearly identify the risk
  - Loss of (personal) data
  - Loss of assets (cash/physical goods)
  - Privileged User/Insider abuse
  - Service outage/abuse
  - …..
  - Brand damage
• Need to identify how the risk is seen
8. » RISK:
• "I need to know if data leaks" (Privileged User/Insider abuse)
» HOW:
• Database Activity Monitors (DAM)
• Data Loss Prevention (DLP)
• Web server logs
• Application logs……?
» QUALIFICATION:
• What is normal!
• Exclude backup users
9. » RISK:
• "Application features can be abused" (Service Outage/Abuse)
• Example: uploading a valid file hundreds of times
» HOW:
• Database Activity Monitors (DAM)
• Web server logs
• Application logs……?
» QUALIFICATION:
• What is normal!
• Clients versus agents
10. » Application Security Monitoring
• Monitoring application activities against defined scenarios
• Combined with monitoring the underlying infrastructure
  - OS
  - Web
  - Database
11. » How can you help?
• Consider how your application can be abused when you start, in cooperation with information governance
• Track application transactions with the data needed
• Track in a separate location
• Choose a sensible format
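The file-upload abuse scenario from slide 9, detected over application transaction logs of the kind slide 11 asks developers to produce, as an added example that is not part of the talk. It assumes a constructed JSON-lines log with fields ts, user, client, action and status (names chosen for this example), and applies the "clients versus agents" qualification by excluding a known backup agent.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines transaction log; field names are assumptions for this example.
SAMPLE_LOG = """\
{"ts":"2024-01-10T09:00:00Z","user":"alice","client":"browser","action":"upload","status":"ok"}
{"ts":"2024-01-10T09:01:00Z","user":"alice","client":"browser","action":"upload","status":"ok"}
{"ts":"2024-01-10T09:02:00Z","user":"alice","client":"browser","action":"upload","status":"ok"}
{"ts":"2024-01-10T09:03:00Z","user":"alice","client":"browser","action":"upload","status":"ok"}
{"ts":"2024-01-10T09:04:00Z","user":"alice","client":"browser","action":"upload","status":"error"}
{"ts":"2024-01-10T09:00:30Z","user":"bob","client":"browser","action":"upload","status":"ok"}
{"ts":"2024-01-10T09:00:00Z","user":"svc-backup","client":"backup-agent","action":"upload","status":"ok"}
{"ts":"2024-01-10T09:00:10Z","user":"svc-backup","client":"backup-agent","action":"upload","status":"ok"}
{"ts":"2024-01-10T09:00:20Z","user":"svc-backup","client":"backup-agent","action":"upload","status":"ok"}
{"ts":"2024-01-10T09:00:30Z","user":"svc-backup","client":"backup-agent","action":"upload","status":"ok"}
"""

# Scenario: more than UPLOAD_THRESHOLD successful uploads by one user inside WINDOW.
UPLOAD_THRESHOLD = 3
WINDOW = timedelta(minutes=5)
# Qualification ("what is normal", "clients versus agents"): known agents are excluded.
KNOWN_AGENTS = {"backup-agent"}

def parse_log(text):  # JSON lines -> list of event dicts with a datetime "ts"
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events

def detect_upload_abuse(events, threshold=UPLOAD_THRESHOLD, window=WINDOW):
    # Returns {user: peak number of uploads seen in any window} for users over threshold.
    uploads = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] != "upload" or e["status"] != "ok":
            continue  # only successful uploads count toward the scenario
        if e["client"] in KNOWN_AGENTS:
            continue  # agent traffic is expected volume, not abuse
        uploads[e["user"]].append(e["ts"])
    alerts = {}
    for user, times in uploads.items():
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts
```

Without the agent exclusion the backup job would raise the same alert as alice, which is the tuning step the "qualification" bullets describe.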
13. » Takeaways
• Consider how your application can be abused
• Create appropriate transaction logs
• Create scenarios that should be stopped, with how your logs can be used to do that
• TALK TO YOUR SOC AS EARLY AS POSSIBLE!