new techniques in application intrusion detection al huizenga, mykonos product manager may 2010
TRANSCRIPT
![Page 1: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/1.jpg)
New Techniques in Application Intrusion DetectionAl Huizenga, Mykonos Product ManagerMay 2010
![Page 2: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/2.jpg)
Today
• Who am I?• Director of Product Management, Mykonos• 11 years experience marketing Web-based products
and technologies• Canadian. Eh.
• The Agenda• The problem of Web application abuse• Current options• Application intrusion detection and response• AppSensor vs. Mykonos Security Appliance
![Page 3: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/3.jpg)
The Problem
The Cost of Web Application Abuse
Fraud! Defacement!
Identify Theft!
Loss of business!
Brand damage!
Economic Growth!
![Page 4: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/4.jpg)
How Big is the Problem?
Big, and Getting Bigger
•$4.0B in Fraud (2008 Cybersource)
•$50B in Identity Theft (2009 FTC)
•$16B Credit Card Fraud (2008 Mercator Advisory Group)
•$204 - Cost of Data Breachper Customer Record(Ponemon Institute 2009)
•$1T - Global Cost of Cyber Crime(McAfee 2008)
![Page 5: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/5.jpg)
The Challenge
How to Secure Legacy Apps from Abuse
Fix It.
Firewall It.
![Page 6: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/6.jpg)
The Anatomy of a Web Attack
Phase 1Silent Introspection
Phase 2Attack Vector Establishment
Phase 3Attack Implementation
Phase 4AttackAutomation
Phase 5Maintenance
WAFs play here.
![Page 7: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/7.jpg)
Early Detection
What about all the requests before an attack is delivered?
Malicious activity detected
Attack vector established
Number of Requests
![Page 8: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/8.jpg)
Is there another way?
Add Security Logic to the App
• Can you extend legacy apps to detect malicious activity from within the app itself, before a user is able to identify and exploit a vulnerability?• E.g. Manipulating cookies, query parameters,
input fields…
![Page 9: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/9.jpg)
Approaches
OWASP AppSensor Project
A conceptual framework for implementing intrusion detection capabilities into existing applications
http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project
![Page 10: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/10.jpg)
AppSensor
42 Detection PointsException # Detection PointsRequest 4Authentication 11Access Control 6Session 4Input 2Encoding 2Command Injection 4File IO 2User Trend 4System Trend 3
![Page 11: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/11.jpg)
• A little unclear…• Two recommendations• At the business layer (aka in code), preferably
using the OWASP ESAPI• As a ‘cross-cutting concern’ in an Aspect-Oriented
Programming approach (e.g. Java Filters)
AppSensor
How is it implemented?
![Page 12: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/12.jpg)
Strengths• It’s smart• A great reference for
determining malicious intent, categorizing and rating incidents
AppSensor
Strengths and Challenges
Challenges• Takes development
time• No tools or pre-fab
solutions yet• Project advances very
slowly
![Page 13: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/13.jpg)
Approaches
The Mykonos Security Appliance
A high speed HTTP processing engine that extends Web application code with intrusion detection and response capabilities at serve time.
http://www.mykonossoftware.com
![Page 14: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/14.jpg)
The Mykonos Security Appliance
26 Detection PointsProcessor # Detection PointsAuthentication 4Cookies 1Errors 2Files 2Headers 7Inputs 1Links 3Request Methods 3Query Parameters 1Spiders 2
![Page 15: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/15.jpg)
The Mykonos Security Appliance
How is it implemented?HTTP Requests and Responses
HTTP Proxy Security EngineProcessor Library
Profile DB
![Page 16: New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010](https://reader035.vdocuments.mx/reader035/viewer/2022062804/5697bf891a28abf838c89cec/html5/thumbnails/16.jpg)
Strengths• It’s smart• Code-aware w/o dev
participation• Easy to configure
The Mykonos Security Appliance
Strengths and Challenges
Challenges• Inline proxy• Throughput and latency• Transparency – don’t break
the app!