Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Solutions

From: Rich Mogull <rmogull-dd () securosis com>
Date: Thu, 1 Jul 2010 13:52:34 -0700
Conceptually I started seeing pieces of this pop up back when first looking at Database Activity Monitoring 
technologies. Over time, I think that we are architecturally headed to something I've been calling "Application and 
Database Monitoring and Protection". It's the combination of a string of technologies that run from the browser to the 
DB, coordinated centrally with security analysis. I started a blog series on it a while back, but got distracted with 
paying projects and never finished writing it up.

So it's a combination of what you describe, but some other pieces:

1. Browser session virtualization and instrumentation, with some defensive technologies. Kind of like Trusteer is doing.
2. Tie that up to a gateway similar to an SSL-VPN. Health checks and stronger authentication options. Gives you much 
tighter control of what's in a particular browser session, but not overly effective if you don't get process separation 
for the session a la Chrome.
3. WAF for some basic blocking and outside the web server monitoring. If all connections are routed through the gateway 
first, the WAF would probably be integrated into the gateway. Different than using a WAF how they are generally 
deployed today- more a tool for instrumentation/monitoring.
4. More instrumentation in the web app server, and web app anti-exploitation (mod, the RTE stuff Fortify is just 
starting to play with that no one is buying).
5. Database activity monitoring deployed in inline mode with active blocking. Most effective is the Secerno-style 
whitelisting, but the Imperva/Guardium approaches also help.
6. Something to tie all this crap together.

All these bits and pieces are out there, many deployed in limited ways, but they haven't been tied together well. 
Imperva and Secerno (acquired by Oracle, and via an F5 partnership) are heading down the WAF + DAM route to better 
knock out malicious SQL. Trusteer is doing the browser to gateway stuff, and there are a few custom app-level 
instrumentation projects like you describe. 

But pulling all this together is damn expensive and hard, and it's effectively science fiction for now. But I think 
we'll get there in 5 years or so. And in a lot of ways it's just really complex whitelisting, due to the signal to 
noise problems you point out. These baby steps are adding automated enforcement to the mining...



On Jun 25, 2010, at 1:52 PM, dave wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So when I gave the FIRST talk, one of the questions was "What is the solution?" which
when people ask that usually has a slight overtone of "It's easy to knock the blocks
down, but not to set them up!" to it.

Here's what I see:

The major problem with 90's era technology (i.e. scanners/sniffers!) is that they are
in a very high noise/low signal environment. This is as true for static code
analysers as it is for IDSs and Web Application Firewalls.

Immunity sees lots of success (and has for many years) with organizations that have
done high level instrumentations against their applications, and then used powerful
data mining tools to look at that data.

But with all Things That Really Work (tm), there are many traps:
1. Analysis is mind bogglingly expensive. It takes lots of time, you never know if
you're going to find something useful, and the people and tools to do it are
expensive. Palantir is just one example of how hard this problem is in general, but
even just having the DISK SPACE to do it on is prohibitive.

2. Choosing what to instrument is extremely hard as well. There's some work being
done on this:
http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project

3. Visualization is hard - security visualization often is great once you already
have found something (i.e. "Here it is in a pretty graph"). If you haven't already
found something, visualization is a hard thing to make "exploratory". Especially with
lots of data.

___________________________________________________________________________________

So what you see is the start up of what I like to call the "Application SOC". It's
like a network SOC, but way more expensive, and with the chance of being actually
useful! :>

I'll go more into this whole thing when El Jefe goes into Beta, but for now, who has
gotten caught by something like this?

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkwlFwcACgkQtehAhL0gheqOvgCePCS/kIQtKIhj6jPm5yjC+axm
340AmwS1Fxj+QFm9+hZiTIoZ2dDrj083
=ULVq
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: