Post on 14-Sep-2014
Tom D’Aquino, Sr. SIEM Engineer
HOW TO DETECT SQL INJECTION & XSS ATTACKS USING SIEM EVENT CORRELATION
AGENDA
Today's Threat Landscape: Realities & Implications
Web Application Attacks: What are they and what harm can they bring?
Threat detection through correlation of NIDS, HIDS and IP Reputation
AlienVault Unified Security Management (USM) at a glance
Demo environment details
Live Demo of USM
Data collection and correlation from a Network IDS to detect web application attacks
Leveraging the OSSEC HIDS agent to monitor web server logs for web application attacks
More and more organizations are finding themselves in the crosshairs of various bad actors for a variety of reasons.
The number of organizations experiencing high profile breaches is unprecedented, and SMBs are increasingly becoming the target.
THREAT LANDSCAPE: OUR NEW REALITY
Despite the BILLIONS spent every year on IT security, >80% of organizations EXPECT to be breached every year.
~ Gartner 2012
In 2012 (and we expect this to rise in 2013 and into 2014), 50% of all targeted attacks were aimed at businesses with fewer than 2,500 employees. In fact, the largest growth area for targeted attacks in 2013 was businesses with fewer than 250 employees; 31% of all attacks targeted them.
THREAT LANDSCAPE: WEB APPLICATION ATTACKS
XSS or Cross Site Scripting and SQL Injection are common methods of attacking web applications.
XSS attacks give attackers the ability to inject malicious code into websites they do not own
SQL Injection attacks allow attackers to extract information from a website such as sensitive user information or user credentials
THREAT LANDSCAPE: CROSS SITE SCRIPTING ATTACKS
XSS attacks typically require some kind of web form that allows users to post content to the website such as:
Comment forms on blog sites
Forums, message boards, etc.
XSS attacks are easy to carry out using tools like the Browser Exploitation Framework (BeEF): http://beefproject.com/
XSS attacks are typically used to compromise a user’s local system and install malware or to impersonate a user on some other website through cookie hijacking.
THREAT LANDSCAPE: CROSS SITE SCRIPTING ATTACKS (CONTINUED)
Once the script is inserted into the web page, it is automatically executed by the victim’s web browser when the web page is loaded.
THREAT LANDSCAPE: SQL INJECTION ATTACKS
SQL Injection attacks are commonly used to extract sensitive information from web applications. Examples include:
User account information, i.e. email addresses and passwords
Stored credit card data
System configuration details
THREAT LANDSCAPE: SQL INJECTION ATTACKS (CONTINUED)
There are SQL Injection tricks that attackers can use to find your interesting data, such as viewing all of the tables in the database:
THE ALIENVAULT USM SOLUTION: NETWORK INTRUSION DETECTION
Network IDS is embedded in our platform, giving you the ability to detect network level attacks including identifying malicious web requests sent to your web server.
Network IDS signatures are updated frequently to keep you on the front lines of advanced detection
THE ALIENVAULT USM SOLUTION: HOST INTRUSION DETECTION
With Host IDS, you can monitor the logs of your IIS or Apache web server for indications of XSS and SQL Injection attacks.
Web server log monitoring
File integrity checking
Operating system logging
Centralized management
THE ALIENVAULT USM SOLUTION: IP REPUTATION
Tracking activity from attackers around the world allows AlienVault USM to alert you when known bad actors are hitting your web site.
Automatically correlates known attackers with malicious activity detected from both the network and host intrusion detection systems
Asset Discovery: Figure out what is valuable
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Vulnerability Assessment: Identify ways the target could be compromised
• Network Vulnerability Testing
Threat Detection: Start looking for threats
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Behavioral Monitoring: Look for strange activity which could indicate a threat
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Security Intelligence: Piece it all together
• SIEM Correlation
• Incident Response
UNIFIED SECURITY MANAGEMENT
“Security Intelligence through Integration that we do, NOT you”
USM Platform
• Bundled Products - 30 Open-Source Security tools to plug the gaps in your existing controls
• USM Framework - Configure, Manage, & Run Security Tools. Visualize output and run reports
• USM Extension API - Support for inclusion of any other data source into the USM Framework
• Open Threat Exchange - Provides threat intelligence for collaborative defense
DEMO NETWORK DETAILS
The demo environment that we are testing in today contains the following:
NON-DEFAULT CONFIGURATION
Apache access.log monitoring is not a default behavior of the AlienVault HIDS agent
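As an added example (not code from the webcast, OSSEC or AlienVault), the following Python emulates the two detection steps the deck describes: scanning Apache access.log lines for XSS and SQL Injection indicators the way the HIDS log-monitoring step would, then correlating those hits with NIDS alerts and an IP reputation list by source IP so that independent evidence raises priority. The log lines, the NIDS alert, the reputation entries and the regex rules are all constructed for illustration and are not the USM rule set.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (not real traffic); lines 2-4 carry textbook payloads.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [14/Sep/2014:10:01:02 +0000] "GET /products?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2014:10:01:09 +0000] "GET /products?id=7%27%20OR%201%3D1-- HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Sep/2014:10:02:11 +0000] "GET /products?id=7%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables HTTP/1.1" 500 221 "-" "curl/7.30"
192.0.2.44 - - [14/Sep/2014:10:03:40 +0000] "POST /blog/comment?text=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
# Constructed NIDS alert (source IP, signature label) and IP reputation feed; both hypothetical.
NIDS_ALERTS = [("203.0.113.5", "nids_web_attack_signature")]
IP_REPUTATION = {"203.0.113.5": "known attacker", "198.51.100.9": "scanner"}

# Illustrative detection rules applied to the URL-decoded request line; not the OSSEC/USM rules.
RULES = {
    "sql_injection": re.compile(r"['\"]\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|information_schema", re.I),
    "xss": re.compile(r"<\s*script|javascript:|onerror\s*=", re.I),
}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def hids_scan(log_text):
    """Emulate the HIDS log-monitoring step: one event per (line, rule) that fires."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                # not combined log format; skip, don't crash
        request = unquote_plus(m.group("req"))      # decode %27, %3C, '+' etc. before matching
        for name, rx in RULES.items():
            if rx.search(request):
                events.append({"source": "hids", "ip": m.group("ip"), "rule": name, "ts": m.group("ts")})
    return events

def correlate(hids_events, nids_alerts, ip_reputation):
    """Group evidence by source IP; priority rises as independent sources agree."""
    by_ip = defaultdict(lambda: {"sources": set(), "rules": set()})
    for ev in hids_events:
        by_ip[ev["ip"]]["sources"].add("hids")
        by_ip[ev["ip"]]["rules"].add(ev["rule"])
    for ip, sig in nids_alerts:
        by_ip[ip]["sources"].add("nids")
        by_ip[ip]["rules"].add(sig)
    for ip, entry in by_ip.items():
        if ip in ip_reputation:                     # reputation enriches IPs already seen attacking
            entry["sources"].add("reputation")
        entry["priority"] = {1: "low", 2: "medium"}.get(len(entry["sources"]), "high")
    return dict(by_ip)
```

Calling correlate(hids_scan(SAMPLE_ACCESS_LOG), NIDS_ALERTS, IP_REPUTATION) yields one entry per offending IP with its evidence sources and a low/medium/high priority.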
NOW FOR SOME Q&A…
Three Ways to Test Drive AlienVault
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Join us for a live Demo
http://www.alienvault.com/marketing/alienvault-usm-live-demo
Questions? hello@alienvault.com
VIEW ON-DEMAND VIDEO
To view a recorded version of this webcast On-Demand, CLICK HERE