
How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

Sep 14, 2014


Two of the oldest and most common attacks used against web applications, SQL injection attacks and cross-site scripting attacks (XSS), continue to impact thousands of websites and millions of users each year. Finding these exposures quickly is essential in order to prevent system compromise and avoid information leakage. SIEM solutions can be invaluable in this effort by collecting and correlating the data you need to identify patterns that signal an attack.

Join AlienVault for this session to learn:

* What data you need to collect to identify the warning signs of an attack
* How to use event correlation to detect cross-site scripting (XSS) and SQL Injection attacks
* How to identify impacted assets so you can quickly limit the damage

You'll come away from the session with a clear picture of how to use SIEM technology to prevent these attacks.
Transcript
Page 1: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

Tom D’Aquino, Sr. SIEM Engineer

HOW TO DETECT SQL INJECTION & XSS ATTACKS USING SIEM EVENT CORRELATION

Page 2: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

AGENDA

Today's Threat Landscape: Realities & Implications

Web Application Attacks: What are they and what harm can they bring?

Threat detection through correlation of NIDS, HIDS and IP Reputation

AlienVault Unified Security Management (USM) at a glance

Demo environment details

Live Demo of USM

Data collection and correlation from a Network IDS to detect web application attacks

Leveraging the OSSEC HIDS agent to monitor web server logs for web application attacks

Page 3: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

More and more organizations are finding themselves in the crosshairs of various bad actors for a variety of reasons.

The number of organizations experiencing high-profile breaches is unprecedented, and SMBs are increasingly becoming the target.

THREAT LANDSCAPE: OUR NEW REALITY

Despite the BILLIONS spent every year on IT security, >80% of organizations EXPECT to be breached every year.

~ Gartner 2012

In 2012 (and we expect this to rise in 2013 and into 2014), 50% of all targeted attacks were aimed at businesses with fewer than 2,500 employees. In fact, the largest growth area for targeted attacks in 2013 was businesses with fewer than 250 employees; 31% of all attacks targeted them.

Page 4: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

THREAT LANDSCAPE: WEB APPLICATION ATTACKS

XSS attacks give attackers the ability to inject malicious code into websites they do not own

SQL Injection attacks allow attackers to extract information from a website such as sensitive user information or user credentials

XSS or Cross Site Scripting and SQL Injection are common methods of attacking web applications.

Page 5: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

THREAT LANDSCAPE: CROSS SITE SCRIPTING ATTACKS

XSS attacks typically require some kind of web form that allows users to post content to the website such as:

Comment forms on blog sites

Forums, message boards, etc.

XSS attacks are easy to carry out using tools like the Browser Exploitation Framework (BeEF): http://beefproject.com/

XSS attacks are typically used to compromise a user’s local system and install malware or to impersonate a user on some other website through cookie hijacking.

Page 6: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

THREAT LANDSCAPE: CROSS SITE SCRIPTING ATTACKS (CONTINUED)

Once the script is inserted into the web page, it is automatically executed by the victim’s web browser when the web page is loaded.

Page 7: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

THREAT LANDSCAPE: SQL INJECTION ATTACKS

SQL Injection attacks are commonly used to extract sensitive information from web applications. Examples include:

User account information, i.e. email addresses and passwords

Stored credit card data

System configuration details

Page 8: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

THREAT LANDSCAPE: SQL INJECTION ATTACKS (CONTINUED)

There are SQL Injection tricks that the hackers can use to find your interesting data such as viewing all of the tables in the database:

Page 9: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

THE ALIENVAULT USM SOLUTION: NETWORK INTRUSION DETECTION

Network IDS is embedded in our platform, giving you the ability to detect network level attacks including identifying malicious web requests sent to your web server.

Network IDS signatures are updated frequently to keep you on the front lines of advanced detection

Page 10: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

THE ALIENVAULT USM SOLUTION: HOST INTRUSION DETECTION

With Host IDS, you can monitor the logs of your IIS or Apache web server for indications of XSS and SQL Injection attacks.

Web server log monitoring

File integrity checking

Operating system logging

Centralized management

Page 11: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

THE ALIENVAULT USM SOLUTION: IP REPUTATION

Tracking activity from attackers around the world allows AlienVault USM to alert you when known bad actors are hitting your web site.

Automatically correlates known attackers with malicious activity detected from both the network and host intrusion detection systems
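The three slides above describe the detection model at a high level: the HIDS agent matches web-server log lines, the NIDS flags malicious requests on the wire, and IP reputation marks known bad sources, after which the SIEM correlates them. The following is an added example, not code from the deck or from AlienVault USM, that emulates that pipeline in plain Python. The Apache access-log lines, the NIDS alert list, the reputation list and the indicator regexes are all constructed for illustration; the scoring scheme (one point per independent source) is a simple assumption, not the USM correlation engine's logic.

```python
"""Correlate HIDS web-log matches, NIDS alerts and IP reputation (added example)."""
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (not taken from the deck).
ACCESS_LOG = """\
203.0.113.7 - - [14/Sep/2014:10:01:02 +0000] "GET /products.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2014:10:01:05 +0000] "GET /products.php?id=1'%20OR%20'1'='1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [14/Sep/2014:10:02:11 +0000] "POST /comment.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [14/Sep/2014:10:02:15 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Sep/2014:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed NIDS alerts and IP reputation feed (hypothetical values).
NIDS_ALERTS = [
    {"src_ip": "203.0.113.7", "signature": "WEB_SERVER SQL injection attempt (constructed)"},
    {"src_ip": "192.0.2.50", "signature": "WEB_SERVER suspicious request (constructed)"},
]
KNOWN_BAD_IPS = {"203.0.113.7"}

# Apache combined log format: ip ident user [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative indicator patterns applied to the URL-decoded, lower-cased path.
# These are not OSSEC's or the USM ruleset's signatures.
INDICATORS = {
    "sql_injection": [
        r"'\s*(or|and)\s+'?\d",   # ' OR '1'='1 style tautology
        r"\bunion\s+select\b",
        r";\s*--",
    ],
    "xss": [
        r"<script",
        r"javascript:",
        r"\bon(error|load|mouseover)\s*=",
    ],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in INDICATORS.items()}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(path):
    """Return the indicator category the decoded path matches, or None."""
    decoded = unquote(unquote(path)).lower()  # decode twice to catch double-encoding
    for category, patterns in COMPILED.items():
        if any(p.search(decoded) for p in patterns):
            return category
    return None


def hids_events(log_text):
    """Emulate the HIDS log monitor: one event per suspicious request line."""
    events = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        category = classify_request(fields["path"])
        if category:
            events.append({"src_ip": fields["ip"], "ts": fields["ts"],
                           "category": category, "path": fields["path"]})
    return events


def correlate(hids, nids, bad_ips):
    """Score each source IP by how many independent sources implicate it."""
    def blank():
        return {"hids": 0, "nids": 0, "reputation": False, "categories": set()}

    scores = {}
    for ev in hids:
        entry = scores.setdefault(ev["src_ip"], blank())
        entry["hids"] += 1
        entry["categories"].add(ev["category"])
    for alert in nids:
        scores.setdefault(alert["src_ip"], blank())["nids"] += 1
    for ip, entry in scores.items():
        entry["reputation"] = ip in bad_ips
        sources = (entry["hids"] > 0) + (entry["nids"] > 0) + entry["reputation"]
        # Three agreeing sources -> high, two -> medium, one -> low (assumed scheme).
        entry["priority"] = {3: "high", 2: "medium"}.get(sources, "low")
    return scores


if __name__ == "__main__":
    report = correlate(hids_events(ACCESS_LOG), NIDS_ALERTS, KNOWN_BAD_IPS)
    for ip, entry in sorted(report.items(), key=lambda kv: kv[1]["priority"]):
        print(ip, entry["priority"], sorted(entry["categories"]))
```

The point of the scoring is the one the slide makes: a single regex hit in access.log is noisy on its own, but the same source IP also tripping a NIDS signature and appearing in the reputation feed is worth an analyst's time first. In the constructed data, 203.0.113.7 is implicated by all three sources, while 198.51.100.22 and 192.0.2.50 each appear in only one.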

Page 12: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

Figure out what is valuable → Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

Identify ways the target could be compromised → Vulnerability Assessment
• Network Vulnerability Testing

Start looking for threats → Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

Look for strange activity which could indicate a threat → Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

Piece it all together → Security Intelligence
• SIEM Correlation
• Incident Response

Page 13: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

UNIFIED SECURITY MANAGEMENT

“Security Intelligence through Integration that we do, NOT you”

USM Platform
• Bundled Products - 30 Open-Source Security tools to plug the gaps in your existing controls
• USM Framework - Configure, Manage, & Run Security Tools. Visualize output and run reports
• USM Extension API - Support for inclusion of any other data source into the USM Framework
• Open Threat Exchange - Provides threat intelligence for collaborative defense

Page 14: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

DEMO NETWORK DETAILS

The demo environment that we are testing in today contains the following:

Page 15: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

NON-DEFAULT CONFIGURATION

Apache access.log monitoring is not a default behavior of the AlienVault HIDS agent

Page 16: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

NOW FOR SOME Q&A…

Three Ways to Test Drive AlienVault

Download a Free 30-Day Trial

http://www.alienvault.com/free-trial

Try our Interactive Demo Site

http://www.alienvault.com/live-demo-site

Join us for a live Demo

http://www.alienvault.com/marketing/alienvault-usm-live-demo

Questions? [email protected]