Graphing for Security
Ben Allen @mr_secure
whoami
● Architecture & Operations Engineer
– SANS Institute 1+ years
● Security Architect / Analyst
– University of Minnesota 10+ years
● Application Developer
– SANS Institute 5+ years, contractor
Outline
● Background / Fast Forward
● Data Sources
● Framework Integration
● Dashboard Ideas
● Questions
Structural Overview
Data Sources
Data Sources
● Conceptually 4 levels
– OS, Service, Framework, Application
Data Sources
● OS - collectd
– All: CPU, memory, disk & network I/O
– Selected: counts of important processes
● httpd processes on web server
● mysqld threads on DB server
Data Sources
● Service – custom scripts / graphite; collectd
– MySQL: thread states, users, query stats
– Apache: log analysis, server-status
– Mail Bounce Processor: queue depth
Data Sources
● Framework – integrate statsd client library
– eg. Kohana, Rails, Django, Symfony
– Hook into event, logging systems
– Performance counters:
● page generation time / memory use / cache hit %
– Details per app, controller (warning), function (danger!!)
– Use framework introspection to construct part of metric path
● framework.datacenter.server.application.controller. total_time
● ^---- this part is auto generated -------------------^ . developer-provided
Data Sources
● Application
– Leverage framework integration
– Frictionless for developers - POLA
– Business metrics
● statsd::increment("sales.$widget.$color", $price);
– Behavior metrics
● Login success / failure; account lockout
● Input validation success / failure
● Trap page access
Framework Integration
Framework Integration
● Target: make measurements frictionless for developers
– Example frameworks: Kohana, Django, Rails, Symfony
● Look & act like other framework components
– Seamless integration
– Include in “baseline” installation for framework
– Share externally
● POLA
– Principle of Least Astonishment
– Minimize / eliminate the learning curve
Framework Integration
● Request processing sequence
– Framework bootstrap
– Request analysis / routing
– Execution
– Shutdown
– Exceptions
● Hooks
Framework Integration
● Use existing configuration mechanism
– Configure just like any other framework module
● Hook into event mechanism
– Logging events - Display events
– Error events - Exception handler
● Utilize existing internal data
– Memory usage - Timing data
Framework Integration
● Extend helper routines
– Logging (gather count by log level)
– Validators (email address, number, name, ip address, safe string)
– Authentication (success, fail, account lockout)
– Authorization (action not permitted)
Framework Integration
● Auto-generate base part of metric name
● Use framework introspection & configuration
– framework.datacenter.server.application.controller. total_time
– ^---- this part is auto generated -------------------^ . developer-provided
– eg. metrics::timing('total_time', $totalTime);
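The two slides above describe the naming scheme: the framework fills in the first five nodes from its own introspection and configuration, the developer supplies only the last part. The Python below is an added example, not code from the talk or from any of the frameworks it names. `RequestContext` is a stand-in for what a real router would hand over; the statsd wire format (`path:value|ms` / `path:value|c` over UDP to port 8125) is the standard one, and the per-node sanitizing is an extra check so that a value taken from the request cannot add or remove nodes in the metric name.

```python
import re
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    """Hypothetical stand-in for framework introspection: in Kohana, Django or
    Rails these values come from configuration and the router, not the developer."""
    framework: str
    datacenter: str
    server: str
    application: str
    controller: str


_UNSAFE = re.compile(r"[^A-Za-z0-9_-]")


def sanitize_node(node: str) -> str:
    """Collapse anything outside [A-Za-z0-9_-] into '_' so a request-derived
    value (or a typo containing '.') cannot inject extra metric path nodes."""
    cleaned = _UNSAFE.sub("_", node.strip())
    return cleaned or "unknown"


def metric_path(ctx: RequestContext, developer_part: str) -> str:
    """framework.datacenter.server.application.controller.<developer-provided>"""
    auto = [ctx.framework, ctx.datacenter, ctx.server, ctx.application, ctx.controller]
    nodes = [sanitize_node(n) for n in auto]
    # The developer part may carry its own sub-namespace ("errors.404"); each
    # segment is still sanitized individually.
    nodes += [sanitize_node(seg) for seg in developer_part.split(".") if seg.strip()]
    return ".".join(nodes)


def statsd_line(path: str, value, kind: str) -> str:
    """Plain statsd wire format: '<path>:<value>|<type>', type 'c' or 'ms'."""
    if kind not in ("c", "ms"):
        raise ValueError("kind must be 'c' (counter) or 'ms' (timing)")
    return f"{path}:{value}|{kind}"


class Metrics:
    """Minimal statsd client bound to one request context."""

    def __init__(self, ctx: RequestContext, host="127.0.0.1", port=8125, sender=None):
        self.ctx = ctx
        self.addr = (host, port)
        # 'sender' lets offline runs and tests capture lines instead of using UDP.
        self._sender = sender or self._send_udp
        self._sock = None

    def _send_udp(self, line: str) -> None:
        if self._sock is None:
            self._sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self._sock.sendto(line.encode("ascii"), self.addr)

    def timing(self, name: str, millis: float) -> str:
        line = statsd_line(metric_path(self.ctx, name), round(millis), "ms")
        self._sender(line)
        return line

    def increment(self, name: str, count: int = 1) -> str:
        line = statsd_line(metric_path(self.ctx, name), count, "c")
        self._sender(line)
        return line

    def record_status(self, status: int):
        """Count 4xx/5xx per controller. The requested URL is deliberately not
        part of the name: a scanner walking thousands of paths would otherwise
        create a metric (and a whisper file) for each of them."""
        if status >= 400:
            return self.increment(f"errors.{status}")
        return None


if __name__ == "__main__":
    captured = []
    m = Metrics(RequestContext("kohana", "dc1", "web01", "shop", "checkout"), sender=captured.append)
    m.timing("total_time", 42.7)   # developer writes only 'total_time'
    m.record_status(404)
    print("\n".join(captured))
```

The developer's call stays exactly as small as the slide's `metrics::timing('total_time', $totalTime)`; everything before `total_time` is derived from the context object the framework already holds.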
Framework Integration
● Starting Point
– Errors: 403, 404, 500
– Execution times: controller & total
– Memory Usage
– Logging events
● Requires no application changes
● Generates useful information
Dashboard Ideas
Dashboard Ideas
● Focusing on SECURITY mindset
● System & Application Health
– Know your baseline
– vs. 7 days ago – is there a pattern?
– Web server health
● process states; memory & CPU usage
● disk & network I/O
– DB server health
● memory & CPU usage, long queries, I/O
Dashboard Ideas
● Find what works for your team
– Mix breadth & depth
● One metric across many systems / services
– eg. memory or CPU usage; web server status
● Many (all) metrics for one system
– eg. page load times, CPU, I/O, db conns, etc.
one metric – many systems
Security Dashboards
2 Classes:
● Application Behaviors
– Custom per application
– Related to application logic, intent
● Errant Behaviors
– More generic
– Can support multiple applications
– Integrate at framework to make them automatic
● Note: intent requires human interpretation, logs
Security Dashboards
Application Behavior
● Login failures (count, percent)
● Business transactions
– DoS attack vs. successful marketing
– Registration deadline
Security Dashboards
Application Behavior
● Transaction failures
– CC declined
– Non-existent domain for email address
● Access forbidden
– User trying to access parts of app beyond their authorization
– Forced browsing vs. exposed link
Security Dashboards
Application Behavior
● Trap fields populated
– Unused, empty form field with tempting name
– Not displayed to users
– Will be filled in by automated scanner / spam bot
– eg. “subject”
● CAPTCHA failures
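A server-side check for the trap field described on this slide, as an added example (not code from the talk). The field name `subject` is the slide's example; the metric names, the helper functions and the sample submissions are constructed for illustration. The field is hidden from people with CSS rather than `type="hidden"`, and a submission with anything in it is counted and rejected.

```python
from collections import Counter
from typing import Iterable, Mapping, Tuple, List

# Trap field names; "subject" is the slide's example of a tempting name.
TRAP_FIELDS = ("subject",)


def render_trap_field(name: str = "subject") -> str:
    """Markup for the trap field (constructed example). It is moved off-screen
    with CSS so a person never sees or fills it, while a bot reading the form
    source finds an ordinary text input with an inviting name."""
    return (
        f'<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<label>Leave this empty'
        f'<input type="text" name="{name}" tabindex="-1" autocomplete="off">'
        f"</label></div>"
    )


def check_submission(form: Mapping[str, str],
                     trap_fields: Iterable[str] = TRAP_FIELDS) -> Tuple[bool, List[str]]:
    """Return (accept, metric names to increment).

    A missing trap field counts as empty: a browser submits the empty input,
    and a client that never rendered the form should not be penalised for it
    by this check alone."""
    metrics = []
    tripped = [f for f in trap_fields if form.get(f, "").strip()]
    if tripped:
        for f in tripped:
            metrics.append(f"forms.trap.{f}.populated")
        metrics.append("forms.rejected")
        return False, metrics
    metrics.append("forms.accepted")
    return True, metrics


def tally(submissions: Iterable[Mapping[str, str]]) -> Counter:
    """Aggregate the metric names over a batch, the way a dashboard would see them."""
    counts = Counter()
    for form in submissions:
        _, metrics = check_submission(form)
        counts.update(metrics)
    return counts


# Constructed sample submissions: three from browsers, two from a form bot.
SAMPLE_SUBMISSIONS = [
    {"name": "Ann", "message": "Where is the talk?", "subject": ""},
    {"name": "Bo", "message": "Slides please", "subject": ""},
    {"name": "Cy", "message": "Thanks"},
    {"name": "bot", "message": "cheap goods", "subject": "Great offer"},
    {"name": "bot", "message": "cheap goods", "subject": "RE: your order"},
]

if __name__ == "__main__":
    print(tally(SAMPLE_SUBMISSIONS))
```

The per-field counter (`forms.trap.subject.populated`) is what goes on the dashboard; a sharp rise in it with no matching rise in `forms.accepted` is the signature of automated submission rather than a marketing success.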
Security Dashboards
Errant Behaviors
● Long running SQL Queries
– pages with poorly written queries
– SQLi causing abnormal queries to be executed
– WAITFOR / DELAY / BENCHMARK
● Blind SQLi
● Concept holds for any external data source
– Service / API call; LDAP query; etc.
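The slide's point is that an abnormal call duration is the signal, whatever the cause, and that it applies to any external dependency. The wrapper below is an added example (not the talk's code): it times every call to a named source, records the duration and counts those beyond a threshold; the threshold, the metric names and the injectable clock are assumptions made here. The `__main__` demo runs a real query through the standard library's in-memory `sqlite3`.

```python
import time
from collections import defaultdict


class SlowCallMonitor:
    """Time calls to external data sources (DB, LDAP, HTTP API) and count the
    slow ones. Thresholds are per monitor; a deliberately delayed query and a
    poorly written one look the same here, which is the point of the metric."""

    def __init__(self, slow_ms: float, clock=time.perf_counter):
        self.slow_ms = slow_ms
        self.clock = clock          # injectable so tests can use a fake clock
        self.counts = defaultdict(int)
        self.timings = defaultdict(list)

    def call(self, source: str, fn, *args, **kwargs):
        """Run fn(*args, **kwargs) on behalf of 'source' and record its duration."""
        start = self.clock()
        try:
            return fn(*args, **kwargs)
        except Exception:
            self.counts[f"{source}.error"] += 1
            raise
        finally:
            elapsed_ms = (self.clock() - start) * 1000.0
            self.timings[f"{source}.duration"].append(elapsed_ms)
            self.counts[f"{source}.calls"] += 1
            if elapsed_ms >= self.slow_ms:
                self.counts[f"{source}.slow"] += 1

    def slow_ratio(self, source: str) -> float:
        calls = self.counts[f"{source}.calls"]
        return self.counts[f"{source}.slow"] / calls if calls else 0.0


if __name__ == "__main__":
    import sqlite3

    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE widgets (id INTEGER PRIMARY KEY, color TEXT)")
    conn.executemany("INSERT INTO widgets (color) VALUES (?)", [("red",), ("blue",)])
    mon = SlowCallMonitor(slow_ms=250.0)
    rows = mon.call("db.widgets", conn.execute("SELECT COUNT(*) FROM widgets").fetchall)
    print(rows, dict(mon.counts))
```

The same `call()` wrapper fronts an LDAP bind or an outbound API request; only the `source` label changes, so one dashboard panel can show slow-call ratios for every external dependency side by side.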
Long Running Queries
● Note the same behavior from 7 days ago
– Yellow line
Security Dashboards
Errant Behaviors
● Server Errors – HTTP 5xx
– Internal application failures should not be part of a normally operating application
– Configuration error
– License expiration
– Unchecked input -> malformed internal command
● Attacker probing for command injection flaws
Server Errors Dashboard
Security Dashboards
Errant Behaviors
● Input Validation Errors
– Application scanners tend to cause sharp rise
– Generate as part of framework integration
– Check for empty inputs too (application dependent)
Security Dashboards
Errant Behaviors
● Page Load Times
– Also a Key UX / Performance Indicator
– Back end slowness (DB, internal services)
– Injection attacks (SQLi, command injection)
– Insufficient resources (too many requests to handle)
– Fruitful data to identify measurement gaps
● What is not measured, but impacts page performance?
Security Dashboards
Errant Behaviors
● Page Load Times (ctd.)
– What level of detail?
● App / Controller / Method / View / Model
– Scanning activity can cause collection DoS
● Create whisper db file for every new 404 error?
– Aggregation rules can help here
● eg. aggregate all 404 metrics by application
Page Load Times
● Slowest 5 applications in one framework
● Based on upper 90th percentile of page generation time
highestMax(groupByNode(framework.datacenter.*.*.*.*.total_execution.upper_90,4,"maxSeries"), 5)
Security Dashboards
Errant Behaviors
● Web Server Response Codes
– Per site / application / server
– Group codes into buckets
● 1xx, 2xx, 3xx, 4xx, 5xx
● 0-399, 400+
– Percentage balance should be fairly stable
● eg. small % 4xx; no 5xx
Web Server Error Percentages
alias(summarize(sumSeries(apache2.*.*.*.*.status.{4??,5??}.count), '$window', 'sum', false), 'error 4xx 5xx')
alias(summarize(sumSeries(apache2.*.*.*.*.status.{2??,3??}.count), '$window', 'sum', false), 'success 2xx 3xx')
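The Graphite queries above bucket response codes once the `apache2.*.status.<code>.count` series exist. The Python below is an added example of the same bucketing done from the access log itself (the "log analysis" source mentioned under Data Sources), not code from the talk: it parses constructed Apache combined-format lines, groups codes into both bucket schemes from the slide, and flags buckets whose share has drifted from a baseline by more than a tolerance. The sample lines, the baseline and the tolerance are all constructed.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in Apache combined log format (not real traffic).
# Three 200s, one redirect, three 404s (a typo, a removed page, a scan for
# /wp-admin) and one 500.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:10:00:03 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:10:00:04 +0000] "GET /prodcuts HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:10:00:04 +0000] "GET /old-news HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "GET /wp-admin HTTP/1.1" 404 512 "-" "scanner/1.0"
203.0.113.11 - - [10/Mar/2024:10:00:06 +0000] "POST /checkout HTTP/1.1" 500 128 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2024:10:00:07 +0000] "GET /products HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Client, ident, user, [timestamp], "request", status, bytes; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_status_codes(text: str) -> List[int]:
    """Status code of every line that parses; malformed lines are skipped."""
    codes = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            codes.append(int(m.group("status")))
    return codes


def bucket_counts(codes: List[int]) -> Counter:
    """Fine buckets: 1xx, 2xx, 3xx, 4xx, 5xx."""
    counts = Counter()
    for c in codes:
        counts[f"{c // 100}xx"] += 1
    return counts


def bucket_percentages(codes: List[int]) -> Dict[str, float]:
    total = len(codes)
    if not total:
        return {}
    return {b: 100.0 * n / total for b, n in bucket_counts(codes).items()}


def coarse_split(codes: List[int]) -> Dict[str, int]:
    """Coarse buckets: 0-399 (success/redirect) vs 400+ (client/server error)."""
    ok = sum(1 for c in codes if c < 400)
    return {"0-399": ok, "400+": len(codes) - ok}


def drift(current_pct: Dict[str, float], baseline_pct: Dict[str, float],
          tolerance_points: float = 5.0) -> Dict[str, tuple]:
    """Buckets whose share moved more than 'tolerance_points' percentage points
    from the baseline (e.g. the same window seven days ago). Absent buckets
    count as 0%, so a 5xx that 'never happens' shows up as soon as it does."""
    flagged = {}
    for bucket in sorted(set(current_pct) | set(baseline_pct)):
        cur = current_pct.get(bucket, 0.0)
        base = baseline_pct.get(bucket, 0.0)
        if abs(cur - base) > tolerance_points:
            flagged[bucket] = (base, cur)
    return flagged


if __name__ == "__main__":
    codes = parse_status_codes(SAMPLE_LOG)
    baseline = {"2xx": 80.0, "3xx": 15.0, "4xx": 5.0, "5xx": 0.0}   # constructed
    print(bucket_counts(codes), coarse_split(codes))
    print(drift(bucket_percentages(codes), baseline))
```

Run on a real log the percentages should be stable; a jump in the 4xx share with a flat 2xx count is the scanner pattern the slide describes, and any non-zero 5xx share is worth a look on its own.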
Security Dashboards
Errant Behaviors
● Web Server Response Codes
– Typo in link (404)
● eg. bulk mailer auto-corrects part of URL
– Page removed but still referenced (404)
– Scan for known vulnerable software (404)
● eg. /wp-admin
– Injection attacks (500)
Summary
● Magnify benefits by minimizing cost to generate / use metrics
● Establish a baseline
● Pay attention to what's going wrong too
● Measure across full vertical range
– Bits in/out
– Business transactions completed
● Create & instrument misuse detectors
– Trap fields, spider trap URLs
Questions
References / Links
● POLA - http://en.wikipedia.org/wiki/Principle_of_least_astonishment
● Form Trap Fields -
https://isc.sans.edu/forums/diary/Form+Spam+Increasing+the+Attackers+work+function/1836/
● Spider Trap URL - http://en.wikipedia.org/wiki/Spider_trap
Miscellany
Grafana Tips
● Shared Crosshair
– Dashboard Settings > Features > Shared Crosshair (Ctrl+O)
– Ease time correlation on multi-graph dashboards
● Templating Variables
– Dashboard Settings > Features > Templating
– Set a standard practice for variable names – POLA
– server, site, action, etc.
Grafana Tips
● Summarization window
– Templating > Variables > Add > Interval
– Include auto interval = 200
– summarize($window, max, false) in metrics
– Can provide hint to graphite for which rank of data to read from whisper file
● Tooltip: all series, individual
– Graph > Display Styles
– see all values at point in time
Grafana Tips
● Use annotations
– Esp. code releases, change windows