WAF in scale
Zeronights 0x04
Prepared by Alexey Sintsov, Principal Security Engineer
14.11.2014
Intro
[Diagram: Attack Surface (Internet/WEB); SPC Engineering team; Product team 1, Product team 2 and Product team 3 spread over AWS EU, AWS US, Data Center 1 and Data Center 2]
© 2014 HERE | Security Monitoring System | SPC Engineering team
- A lot of different teams
- Many different data centers (even AWS)
- Only few security engineers
- A lot of WEB attacks…
Targets
What we want:
• We want to monitor WEB attacks, like IDS for WEB
• We won't review all script-kiddie/bot scans, we want auto confirmation and correlation
• We want to be able to do fast 'virtual' fixes in critical situations
• We want SOC to be contacted when attack is confirmed (auto mode)
=> We want WAF, but in monitor mode (until blocking is needed)
Additional needs:
• We want to deploy and configure on all (if possible) FE - all products and DataCenters
• We want to control and update rules for those installations in "one way"
• We want to make it "transparent" to avoid dependency on them
• We do not want big performance impact on our services
Mod Security
• Detection Only mode
• Only SPC rules, to keep the CPU impact low
Response based alerts:
1. Attack signature
2. Response signature
• Parse response only if attack signature fired
• If response signature fired -> True Positive alert!

Mod Security - simple example of rule:

# Rule 1 (phase 2, request): look for "/etc/passwd" in the body, URI or headers after
# URL-decoding and lowercasing. It does not block (pass) and writes nothing to the error log
# (nolog), but records the whole transaction in the audit log (auditlog, +I adds the request
# body) and switches response body inspection on for this transaction only.
SecRule REQUEST_BODY|REQUEST_URI|REQUEST_HEADERS "/+etc/+passwd" \
    "t:none,ctl:ResponseBodyAccess=On,msg:'/etc/passwd request found...', \
    phase:2,pass,nolog,auditlog,id:'950002',setvar:TX.ATTACK_ZLO=1, \
    ctl:auditLogParts=+I,t:urlDecode,t:lowercase,severity:1"
…
# Rule 2 (phase 4, response): with SecResponseBodyAccess Off globally, RESPONSE_BODY is only
# populated for transactions where rule 1 fired, so a match here means the attack worked.
# +E adds the response body to the audit log; severity 0 (EMERGENCY) marks it for the SOC.
SecRule RESPONSE_BODY "root:x:0:0" "id:'950015',ctl:auditLogParts=+E, \
    msg:'Content of /etc/passwd! (Raise incident to SOC)',phase:4, \
    allow,nolog,auditlog,t:lowercase,severity:0"
Our Splunk app
• Correlation, analysis (we can code that!)
• Search tool (incident analysis/analytics)
• Alerting:
  - Mail to 24/7 SOC
  - Call to on-call Security Engineer (Wake up!)
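The correlation the Splunk app has to do is the one the two rules above set up: an attack signature (id 950002) and a response signature (id 950015) firing in the same ModSecurity transaction is a true positive, the attack signature alone is a scan to keep searchable but not page anyone for. The Python below is an added example, not code from the talk or from HERE's Splunk app: it parses a constructed serial-format ModSecurity audit log (rule ids are from the slides; transaction ids, IPs, hosts, rule file path and line numbers are made up) and returns a verdict per transaction plus the alert records for true positives.

```python
import re
from dataclasses import dataclass, field

# Rule ids from the slide deck: request signature and response signature.
ATTACK_RULE_ID = "950002"
RESPONSE_RULE_ID = "950015"

# Serial audit-log layout: every part opens with "--<txid>-<letter>--"; part Z closes the entry.
BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
RULE_MSG_RE = re.compile(r'\[msg "([^"]*)"\]')

@dataclass
class Transaction:
    txid: str
    parts: dict = field(default_factory=dict)  # part letter -> list of lines

    def fired_rules(self):
        """Rule id -> msg for every 'Message:' line in part H (the audit trailer)."""
        fired = {}
        for line in self.parts.get("H", []):
            rid = RULE_ID_RE.search(line)
            if line.startswith("Message:") and rid:
                msg = RULE_MSG_RE.search(line)
                fired[rid.group(1)] = msg.group(1) if msg else ""
        return fired

    def request_line(self):
        b = self.parts.get("B", [])  # part B: request line, then request headers
        return b[0] if b else ""

    def client_ip(self):
        a = self.parts.get("A", [])  # part A: "[timestamp] unique_id src_ip src_port dst_ip dst_port"
        return a[0].split()[3] if a else ""

def parse_audit_log(text):
    """Split a serial-format ModSecurity audit log into Transaction objects."""
    transactions = {}
    current, part = None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            txid, part = m.groups()
            current = transactions.setdefault(txid, Transaction(txid))
            current.parts.setdefault(part, [])
        elif current is not None and line.strip():
            current.parts[part].append(line)
    return list(transactions.values())

def classify(tx):
    """The talk's two-signature logic applied to one transaction."""
    fired = tx.fired_rules()
    if ATTACK_RULE_ID in fired and RESPONSE_RULE_ID in fired:
        return "TRUE_POSITIVE"  # request matched AND the response leaked: wake someone up
    if ATTACK_RULE_ID in fired:
        return "ATTEMPT"  # scanner/bot probe that did not succeed: searchable, no alert
    return "CLEAN"

def correlate(text):
    return {tx.txid: classify(tx) for tx in parse_audit_log(text)}

def soc_alerts(text):
    """Alert records for true positives only, i.e. what would be mailed to the 24/7 SOC."""
    return [
        {"txid": tx.txid, "client": tx.client_ip(),
         "request": tx.request_line(), "rules": tx.fired_rules()}
        for tx in parse_audit_log(text) if classify(tx) == "TRUE_POSITIVE"
    ]

# Constructed sample log (not real traffic): a traversal that leaked the file, a probe that
# got a 404, and a clean request. IPs are documentation ranges; file/line values are placeholders.
SAMPLE_AUDIT_LOG = """\
--5f3a1c9e-A--
[14/Nov/2014:10:00:01 +0300] VGUAAQAAAAAAAAAAAAAAAA 203.0.113.10 51234 198.51.100.5 80
--5f3a1c9e-B--
GET /view.php?page=../../../../etc/passwd HTTP/1.1
--5f3a1c9e-E--
root:x:0:0:root:/root:/bin/bash
--5f3a1c9e-H--
Message: Warning. Pattern match "/+etc/+passwd" at ARGS:page. [file "/etc/httpd/modsecurity.d/spc.conf"] [line "12"] [id "950002"] [msg "/etc/passwd request found..."] [severity "ALERT"]
Message: Warning. Pattern match "root:x:0:0" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/spc.conf"] [line "20"] [id "950015"] [msg "Content of /etc/passwd! (Raise incident to SOC)"] [severity "EMERGENCY"]
--5f3a1c9e-Z--
--5f3a1c9f-A--
[14/Nov/2014:10:00:02 +0300] VGUAAQAAAAAAAAAAAAAAAB 192.0.2.77 40001 198.51.100.5 80
--5f3a1c9f-B--
GET /index.php?file=/etc/passwd HTTP/1.1
--5f3a1c9f-E--
<html><body>404 Not Found</body></html>
--5f3a1c9f-H--
Message: Warning. Pattern match "/+etc/+passwd" at ARGS:file. [file "/etc/httpd/modsecurity.d/spc.conf"] [line "12"] [id "950002"] [msg "/etc/passwd request found..."] [severity "ALERT"]
--5f3a1c9f-Z--
--5f3a1ca0-A--
[14/Nov/2014:10:00:03 +0300] VGUAAQAAAAAAAAAAAAAAAC 192.0.2.9 40002 198.51.100.5 80
--5f3a1ca0-B--
GET /index.php HTTP/1.1
--5f3a1ca0-H--
Stopwatch: 1415952003000000 1234 (- - -)
--5f3a1ca0-Z--
"""
```

The second transaction shows why the design stays quiet for scanners: rule 1 turned response body access on and the body was inspected, but the 404 page carries no response signature, so it stays an ATTEMPT in the search index instead of a call to the on-call engineer.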
Design
[Diagram: Attacks -> HERE servers (Apache with SPC Rules, ModSecurity audit logs, Splunk forwarder) -> Splunk server (index-security, SPC Splunk app, Search tool) -> SPC Engineer]
THOR Integration
THOR [1]:
• Puppet as a service
• Extensible & integration
• Standard & building blocks
[Diagram: THOR repo (HERE Rules, Apache, …) -> HERE server, where the Puppet agent runs "yum install …" for HERE Rules, Apache, Mod Security and Splunk forwarder, then "Configure all…"]
[1] http://www.netways.de/uploads/media/Pascal_Hahn_End_to_End_continuous_integration_of_deplayment-code_in_a_multi-tenant_puppet_setup.pdf
How it looks for a product team
• Ask for a new server with: Apache, MySQL, PHP (not real case, just example)
• Customer provides Puppet recipes of the desired env. (import MySQL schema, .htaccess rules, PHP script deployment, etc.)
  => these two steps go through the THOR API and framework => RPM
• After deployment – our hardened server with configured Splunk, Apache and ModSecurity, plus the customer's application and configs.
• Customer's tests (QA), including performance/stress
  • If our ModSec adds an unacceptable delay, it will be found there
• Ready to go! (with some minimal Security by default!)
- Customer does not have to think about WAF, configuration of logs and monitoring
- If (s|)he adds a new server, it will be automatically configured and will be under our monitoring (in Splunk)
Support
• Build server for ModSecurity rules (into RPM)
• Automated unit tests for each rule:
  • Works as expected
  • Not blocking normal requests
  • No performance impact
• Version control via THOR API
=> If a new rule needs to be distributed, a new RPM with a new version is tested and built (automatically).
Then it can be rolled out via the THOR API to the new version for a specific service or for the whole env.
Summary
• Maximum automation:
  • Build new rules
  • Test new rules
  • Versioning
  • Auto Deploy
• Auto alerting for REAL cases
• Easy to investigate (evil POST requests)
• Good coverage:
  • All Apache (nginx) services – FE, WEB, RP, PVP
  • No dependencies on many different teams
• Most common attacks and patterns – easy to do signatures, even for 0days
- What if we do not use Apache/Nginx?
- What if the performance impact is too high for the service?
- What if it is not a WEB attack (HeartBleed)?
12 
THE FIN 
twitter.com/asintsov 
alexey.sintsov@here.com 
WEB: https://www.here.com 
http://company.nokia.com/en/our-businesses#here 

Más contenido relacionado

La actualidad más candente

Checkpoint Firewall for Dummies
Checkpoint Firewall for Dummies Checkpoint Firewall for Dummies
Checkpoint Firewall for Dummies sushmil123
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for DevelopersMichael Boelen
 
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICES
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICESCENTRAL MANAGEMENT OF NETWORK AND CALL SERVICES
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICESNazmul Hossain Rakib
 
[Season - 3 Free OpManager Training] Monitoring Server Performance
[Season - 3 Free OpManager Training] Monitoring Server Performance[Season - 3 Free OpManager Training] Monitoring Server Performance
[Season - 3 Free OpManager Training] Monitoring Server PerformanceManageEngine, Zoho Corporation
 
Advanced security in Barracuda WAF
Advanced security in Barracuda WAFAdvanced security in Barracuda WAF
Advanced security in Barracuda WAFAravindan A
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3Naoya Nakazawa
 
BGOUG 2014 Decrease Your MySQL Attack Surface
BGOUG 2014 Decrease Your MySQL Attack SurfaceBGOUG 2014 Decrease Your MySQL Attack Surface
BGOUG 2014 Decrease Your MySQL Attack SurfaceGeorgi Kodinov
 
Trouble Ticket Integration with Zabbix in Large Environment
Trouble Ticket Integration with Zabbix in Large EnvironmentTrouble Ticket Integration with Zabbix in Large Environment
Trouble Ticket Integration with Zabbix in Large EnvironmentAlain Ganuchaud
 
Developers Focus on Security-Minded Tooling - Quintis Venter
Developers Focus on Security-Minded Tooling - Quintis Venter �Developers Focus on Security-Minded Tooling - Quintis Venter �
Developers Focus on Security-Minded Tooling - Quintis Venter Thoughtworks
 
2016 oSC MySQL Firewall
2016 oSC MySQL Firewall2016 oSC MySQL Firewall
2016 oSC MySQL FirewallGeorgi Kodinov
 
Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Riyaz Walikar
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Applicationedavid2685
 
Cypress tech talk slides september 30 2014
Cypress tech talk slides september 30 2014Cypress tech talk slides september 30 2014
Cypress tech talk slides september 30 2014jcolbert0312
 
Halo Installfest Slides
Halo Installfest SlidesHalo Installfest Slides
Halo Installfest SlidesCloudPassage
 
Matteo Meucci OWASP Testing Guide v4
Matteo Meucci OWASP Testing Guide v4Matteo Meucci OWASP Testing Guide v4
Matteo Meucci OWASP Testing Guide v4Matteo Meucci
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentKurtis Kemple
 

La actualidad más candente (20)

Checkpoint Firewall for Dummies
Checkpoint Firewall for Dummies Checkpoint Firewall for Dummies
Checkpoint Firewall for Dummies
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
 
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICES
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICESCENTRAL MANAGEMENT OF NETWORK AND CALL SERVICES
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICES
 
[Season - 3 Free OpManager Training] Monitoring Server Performance
[Season - 3 Free OpManager Training] Monitoring Server Performance[Season - 3 Free OpManager Training] Monitoring Server Performance
[Season - 3 Free OpManager Training] Monitoring Server Performance
 
Advanced security in Barracuda WAF
Advanced security in Barracuda WAFAdvanced security in Barracuda WAF
Advanced security in Barracuda WAF
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3
 
BGOUG 2014 Decrease Your MySQL Attack Surface
BGOUG 2014 Decrease Your MySQL Attack SurfaceBGOUG 2014 Decrease Your MySQL Attack Surface
BGOUG 2014 Decrease Your MySQL Attack Surface
 
Mod Security
Mod SecurityMod Security
Mod Security
 
Trouble Ticket Integration with Zabbix in Large Environment
Trouble Ticket Integration with Zabbix in Large EnvironmentTrouble Ticket Integration with Zabbix in Large Environment
Trouble Ticket Integration with Zabbix in Large Environment
 
Developers Focus on Security-Minded Tooling - Quintis Venter
Developers Focus on Security-Minded Tooling - Quintis Venter �Developers Focus on Security-Minded Tooling - Quintis Venter �
Developers Focus on Security-Minded Tooling - Quintis Venter
 
2016 oSC MySQL Firewall
2016 oSC MySQL Firewall2016 oSC MySQL Firewall
2016 oSC MySQL Firewall
 
Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
Cypress tech talk slides september 30 2014
Cypress tech talk slides september 30 2014Cypress tech talk slides september 30 2014
Cypress tech talk slides september 30 2014
 
Halo Installfest Slides
Halo Installfest SlidesHalo Installfest Slides
Halo Installfest Slides
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack Secured
 
Matteo Meucci OWASP Testing Guide v4
Matteo Meucci OWASP Testing Guide v4Matteo Meucci OWASP Testing Guide v4
Matteo Meucci OWASP Testing Guide v4
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your Environment
 
Nagios En
Nagios EnNagios En
Nagios En
 

Destacado

Destacado (6)

Apache mod security 3.1
Apache mod security   3.1Apache mod security   3.1
Apache mod security 3.1
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia Mode
 
Protecting TYPO3 With Suhosin And Modsecurity
Protecting TYPO3 With Suhosin And ModsecurityProtecting TYPO3 With Suhosin And Modsecurity
Protecting TYPO3 With Suhosin And Modsecurity
 
Pitfalls of Cyber Data
Pitfalls of Cyber DataPitfalls of Cyber Data
Pitfalls of Cyber Data
 
Bypassing Web Application Firewalls
Bypassing Web Application FirewallsBypassing Web Application Firewalls
Bypassing Web Application Firewalls
 

Similar a WAF in scale monitoring with ModSecurity and Splunk

Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsAnthony D Hendricks
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsEnclaveSecurity
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsEnclaveSecurity
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav
 
OpenStack Enabling DevOps
OpenStack Enabling DevOpsOpenStack Enabling DevOps
OpenStack Enabling DevOpsCisco DevNet
 
20140708 - Jeremy Edberg: How Netflix Delivers Software
20140708 - Jeremy Edberg: How Netflix Delivers Software20140708 - Jeremy Edberg: How Netflix Delivers Software
20140708 - Jeremy Edberg: How Netflix Delivers SoftwareDevOps Chicago
 
2018 07-24 network security at the speed of dev ops - webinar
2018 07-24 network security at the speed of dev ops - webinar2018 07-24 network security at the speed of dev ops - webinar
2018 07-24 network security at the speed of dev ops - webinarAlgoSec
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellEnclaveSecurity
 
CIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEMCIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEMICF CIRCUIT
 
PyCon India 2012: Celery Talk
PyCon India 2012: Celery TalkPyCon India 2012: Celery Talk
PyCon India 2012: Celery TalkPiyush Kumar
 
Successfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudSuccessfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudAmazon Web Services
 
Using Stackdriver with MongoDB
Using Stackdriver with MongoDBUsing Stackdriver with MongoDB
Using Stackdriver with MongoDBignatow
 
Simplifying Ceph Management with Virtual Storage Manager (VSM)
Simplifying Ceph Management with Virtual Storage Manager (VSM)Simplifying Ceph Management with Virtual Storage Manager (VSM)
Simplifying Ceph Management with Virtual Storage Manager (VSM)Ceph Community
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityTheodore Kim
 
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...Amazon Web Services
 
Best practices in Deploying SUSE CaaS Platform v3
Best practices in Deploying SUSE CaaS Platform v3Best practices in Deploying SUSE CaaS Platform v3
Best practices in Deploying SUSE CaaS Platform v3Juan Herrera Utande
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...OWASP Delhi
 
Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18Mary Joy Sabal
 

Similar a WAF in scale monitoring with ModSecurity and Splunk (20)

Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security Assessments
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security Assessments
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
Apache Cloudstack QA Strategy
Apache Cloudstack QA StrategyApache Cloudstack QA Strategy
Apache Cloudstack QA Strategy
 
OpenStack Enabling DevOps
OpenStack Enabling DevOpsOpenStack Enabling DevOps
OpenStack Enabling DevOps
 
20140708 - Jeremy Edberg: How Netflix Delivers Software
20140708 - Jeremy Edberg: How Netflix Delivers Software20140708 - Jeremy Edberg: How Netflix Delivers Software
20140708 - Jeremy Edberg: How Netflix Delivers Software
 
2018 07-24 network security at the speed of dev ops - webinar
2018 07-24 network security at the speed of dev ops - webinar2018 07-24 network security at the speed of dev ops - webinar
2018 07-24 network security at the speed of dev ops - webinar
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShell
 
CIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEMCIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEM
 
PyCon India 2012: Celery Talk
PyCon India 2012: Celery TalkPyCon India 2012: Celery Talk
PyCon India 2012: Celery Talk
 
Successfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudSuccessfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the Cloud
 
Using Stackdriver with MongoDB
Using Stackdriver with MongoDBUsing Stackdriver with MongoDB
Using Stackdriver with MongoDB
 
Simplifying Ceph Management with Virtual Storage Manager (VSM)
Simplifying Ceph Management with Virtual Storage Manager (VSM)Simplifying Ceph Management with Virtual Storage Manager (VSM)
Simplifying Ceph Management with Virtual Storage Manager (VSM)
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to Security
 
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
 
Best practices in Deploying SUSE CaaS Platform v3
Best practices in Deploying SUSE CaaS Platform v3Best practices in Deploying SUSE CaaS Platform v3
Best practices in Deploying SUSE CaaS Platform v3
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
 
Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18
 

Último

Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 

Último (20)

Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 

WAF in scale monitoring with ModSecurity and Splunk

6. Our Splunk app
• Correlation, analyses (we can code that!)
• Search tool (incident analyses/analytics)
• Alerting:
  - Mail to 24/7 SOC
  - Call to the on-call Security Engineer (Wake up!)

7. Design
Diagram: Attacks → HERE servers (Apache, ModSecurity audit logs, SPC Rules) → Splunk forwarder → Splunk server (index-security, SPC Splunk app, Search tool) → SPC Engineer

8. THOR Integration [1]
THOR:
• Puppet as a service
• Extensible & integration
• Standard & building blocks
Diagram: THOR repo → HERE server (Puppet agent: yum install …, configure all…) with HERE Rules, Apache, Mod Security, Splunk forwarder
[1] http://www.netways.de/uploads/media/Pascal_Hahn_End_to_End_continuous_integration_of_deplayment-code_in_a_multi-tenant_puppet_setup.pdf

9. How it looks for a product team
• Ask for a new server with: Apache, MySQL, PHP (not a real case, just an example)
• Customer provides Puppet recipes of the desired environment (import MySQL schema, .htaccess rules, PHP script deployment, etc.)
  → these two steps, THOR API and framework → RPM
• After deployment: our hardened server with configured Splunk, Apache and ModSecurity, plus the customer's application and configs
• Customer's tests (QA), including performance/stress
  • If our ModSec introduces an unacceptable delay, it will be found there
• Ready to go! (with some minimal Security by default!)
- Customer does not have to think about WAF, log configuration and monitoring
- If (s)he adds a new server, it will be automatically configured and will be under our monitoring (in Splunk)

10. Support
• Build server for ModSecurity rules (into RPM)
• Automated unit tests for each rule:
  • Works as expected
  • Not blocking normal requests
  • No performance impact
• Version control via THOR API
=> If a new rule needs to be distributed, a new RPM with a new version is tested and built (auto mode). It can then be rolled out via the THOR API to the new version for a specific service or for the whole environment.

11. Summary
• Maximum automation:
  • Build new rules
  • Test new rules
  • Versioning
  • Auto deploy
• Auto alerting for REAL cases
• Easy to investigate (evil POST requests)
• Good coverage:
  • All Apache (nginx) services: FE, WEB, RP, PVP
  • No dependencies on many different teams
  • Most common attacks and patterns: easy to write signatures, even for 0-days
- What if we do not use Apache/Nginx?
- What if the performance impact is too high for the service?
- What if it is not a WEB attack (Heartbleed)?

12. THE FIN
twitter.com/asintsov
alexey.sintsov@here.com
WEB: https://www.here.com
http://company.nokia.com/en/our-businesses#here
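The two-stage logic on slides 4 and 5 (attack signature, then response signature on the same transaction) is what slide 6 says the Splunk app correlates, and slide 7 shows it working on the ModSecurity audit logs the forwarder ships. The parser and correlator below are an added example written for this page, not the SPC Splunk app or any HERE code. The serial-format audit log, client addresses and transaction ids are constructed; the only values taken from the deck are the rule ids 950002 (request signature) and 950015 (response signature).

```python
import re
from typing import Any, Dict, List

ATTACK_RULE_ID = "950002"    # request signature (deck, slide 5)
RESPONSE_RULE_ID = "950015"  # response signature (deck, slide 5)

# Constructed sample of a ModSecurity serial audit log (SecAuditLogType Serial);
# not from a real host. Both transactions carry the same probe, but only the
# second one returned the file, so only it should reach the SOC.
SAMPLE_AUDIT_LOG = """\
--c0ffee01-A--
[14/Nov/2014:12:00:01 +0300] VGXv1n8AAQEAAAFakeTx1 203.0.113.7 49152 192.0.2.10 80
--c0ffee01-B--
GET /download.php?file=/etc/passwd HTTP/1.1
--c0ffee01-F--
HTTP/1.1 404 Not Found
--c0ffee01-H--
Message: Warning. Pattern match "/+etc/+passwd" at REQUEST_URI. [id "950002"] [msg "/etc/passwd request found..."]
--c0ffee01-Z--

--c0ffee02-A--
[14/Nov/2014:12:00:05 +0300] VGXv2n8AAQEAAAFakeTx2 198.51.100.23 50001 192.0.2.10 80
--c0ffee02-B--
GET /download.php?file=/etc/passwd HTTP/1.1
--c0ffee02-F--
HTTP/1.1 200 OK
--c0ffee02-E--
root:x:0:0:root:/root:/bin/bash
--c0ffee02-H--
Message: Warning. Pattern match "/+etc/+passwd" at REQUEST_URI. [id "950002"] [msg "/etc/passwd request found..."]
Message: Warning. Pattern match "root:x:0:0" at RESPONSE_BODY. [id "950015"] [msg "Content of /etc/passwd! (Rise incident to SOC)"]
--c0ffee02-Z--
"""

PART_HEADER_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')


def parse_serial_audit_log(text: str) -> List[Dict[str, Any]]:
    """Split the log into transactions: {"boundary": ..., "parts": {letter: [lines]}}.
    Part A opens a transaction and part Z closes it, as in ModSecurity's format."""
    transactions: List[Dict[str, Any]] = []
    current, part = None, None
    for line in text.splitlines():
        m = PART_HEADER_RE.match(line)
        if m:
            boundary, part = m.group(1), m.group(2)
            if part == "A":
                current = {"boundary": boundary, "parts": {}}
                transactions.append(current)
            if current is None or current["boundary"] != boundary:
                part = None  # stray part without a matching A section: ignore it
            elif part == "Z":
                current, part = None, None
            else:
                current["parts"][part] = []
        elif current is not None and part is not None:
            current["parts"][part].append(line)
    return transactions


def correlate(transactions: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Two-stage logic from the deck: the request signature alone is an unconfirmed
    scan; request plus response signature on one transaction is a confirmed hit."""
    alerts = []
    for tx in transactions:
        parts = tx["parts"]
        rule_ids = set()
        for line in parts.get("H", []):  # part H carries one "Message:" per rule that fired
            rule_ids.update(RULE_ID_RE.findall(line))
        if ATTACK_RULE_ID not in rule_ids:
            continue  # no attack signature: not interesting for this pipeline
        a_fields = " ".join(parts.get("A", [])).split()  # [ts tz] unique_id client_ip ...
        alerts.append({
            "tx": tx["boundary"],
            "client_ip": a_fields[3] if len(a_fields) > 3 else "?",
            "request": (parts.get("B") or [""])[0],
            "status": (parts.get("F") or [""])[0],
            "rules": sorted(rule_ids),
            "confirmed": RESPONSE_RULE_ID in rule_ids,
        })
    return alerts


def confirmed_incidents(text: str) -> List[Dict[str, Any]]:
    """Alerts that should page the SOC: attack and response signature both fired."""
    return [a for a in correlate(parse_serial_audit_log(text)) if a["confirmed"]]


def unconfirmed_scans(text: str) -> List[Dict[str, Any]]:
    """Attack signature only: kept for search, but nobody gets woken up."""
    return [a for a in correlate(parse_serial_audit_log(text)) if not a["confirmed"]]
```

Part E (response body) only exists in the audit entry because the request rule switched on `ctl:ResponseBodyAccess=On` and the response rule added `ctl:auditLogParts=+E`; without the first rule firing, phase 4 never sees the body, which is the CPU-saving trick slide 4 describes. A Splunk search doing the same job would group by the unique id in part A and require both rule ids in the same event.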
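Slide 10's "automated unit tests for each rule" (works as expected, does not block normal requests) can start before the RPM build, on the rule text alone. The harness below is an added example for this page, not the SPC build server: it parses a single-line SecRule, emulates just what the deck's slide 5 request rule needs (the default `@rx` operator with `t:none`, `t:urlDecode`, `t:lowercase`) and runs positive and negative vectors through it. The test URIs are constructed; the rule text is the slide's rule rewritten on one line with straight quotes. The performance check from the same slide, and the authoritative "works as expected" test, still need the rule loaded into a real Apache/ModSecurity.

```python
import re
from typing import Any, Dict, List
from urllib.parse import unquote_plus

# The deck's request rule (slide 5) on one line, so the parser below can read it.
RULE_950002 = (
    'SecRule REQUEST_BODY|REQUEST_URI|REQUEST_HEADERS "/+etc/+passwd" '
    '"t:none,ctl:ResponseBodyAccess=On,msg:\'/etc/passwd request found...\','
    'phase:2,pass,nolog,auditlog,id:\'950002\',setvar:TX.ATTACK_ZLO=1,'
    'ctl:auditLogParts=+I,t:urlDecode,t:lowercase,severity:1"'
)

SECRULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"\s*$')
ACTION_SPLIT_RE = re.compile(r"(?:[^,']|'[^']*')+")  # commas inside '...' do not split

# Emulation of the two transformation functions this rule uses: ModSecurity's
# urlDecode turns %xx and '+' into characters, lowercase is plain lower-casing.
TRANSFORMS = {"urlDecode": unquote_plus, "lowercase": str.lower}


def parse_secrule(line: str) -> Dict[str, Any]:
    """Extract variables, operator regex, id and ordered t: chain from one SecRule."""
    m = SECRULE_RE.match(line)
    if not m:
        raise ValueError("not a single-line SecRule directive")
    variables, operator, actions = m.groups()
    if operator.startswith("@"):
        op_name, _, op_arg = operator[1:].partition(" ")
    else:
        op_name, op_arg = "rx", operator  # ModSecurity's default operator is @rx
    if op_name != "rx":
        raise ValueError(f"operator @{op_name} is not emulated by this harness")
    tokens = ACTION_SPLIT_RE.findall(actions)
    rule_id = next(t.split(":", 1)[1].strip("'") for t in tokens if t.startswith("id:"))
    transformations = [t.split(":", 1)[1] for t in tokens if t.startswith("t:")]
    return {"id": rule_id, "variables": variables.split("|"),
            "pattern": re.compile(op_arg), "transformations": transformations}


def apply_transformations(value: str, chain: List[str]) -> str:
    """Apply t: functions in the order listed; t:none discards everything before it."""
    out = value
    for name in chain:
        out = value if name == "none" else TRANSFORMS[name](out)
    return out


def rule_fires(rule: Dict[str, Any], value: str) -> bool:
    """Would the rule's @rx match this value once the transformation chain ran?"""
    return rule["pattern"].search(apply_transformations(value, rule["transformations"])) is not None


def run_rule_tests(rule: Dict[str, Any], positives: List[str],
                   negatives: List[str]) -> Dict[str, List[str]]:
    """Return only failures: positives the rule missed, negatives it would have flagged."""
    return {"missed": [p for p in positives if not rule_fires(rule, p)],
            "false_positives": [n for n in negatives if rule_fires(rule, n)]}


# Constructed vectors. Positives cover the encodings the t: chain must normalise;
# negatives are ordinary traffic that a detection-only rule must still not log.
POSITIVE_URIS = [
    "/download.php?file=/etc/passwd",
    "/download.php?file=%2Fetc%2Fpasswd",  # needs t:urlDecode
    "/download.php?file=/ETC//PASSWD",     # needs t:lowercase; regex tolerates //
]
NEGATIVE_URIS = [
    "/download.php?file=report-2014.pdf",
    "/docs/etc-passwd-format.html",
    "/static/etcetera/passwords.css",
]


def self_check() -> Dict[str, List[str]]:
    """Empty lists on both keys means the rule passes its unit test."""
    return run_rule_tests(parse_secrule(RULE_950002), POSITIVE_URIS, NEGATIVE_URIS)
```

In a build server this would run as one test module per rule file, failing the RPM build on any non-empty list, so a rule that suddenly matches "/etc-passwd-format.html" never reaches the THOR repo. Note that the harness checks the regex against a single string; in the real engine each listed variable (here REQUEST_BODY, REQUEST_URI and REQUEST_HEADERS) is evaluated separately, so header and body vectors belong in the same vector lists.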