Leveling the playing field
17. Problems
• We don’t know what people are doing
• We don’t know how often they are doing it
• We don’t know how effective we are
• We don’t have enough resources to keep up
18. Goals
• Reduce noise
• Generate better signal
• Reduce operational overhead
• Build better business cases
• Spend energy on the really important stuff
21. Tie up the loose ends with static configuration
22. Static configuration checklist
At least a B+ rating on SSL Labs*
Reject extensions that you don’t want to accept
Reject known bad user agents
Reject specific known bad actors
Custom error pages that fit your application
Basic secure headers
24. It has a fringe benefit of creating better awareness
44. The goal is to accept an event and return consumable details
45.
import "strings"

// logEntry holds the fields pulled out of one access-log line.
type logEntry struct {
	Address      string
	Method       string
	Uri          string
	ResponseCode string
}

// processEntry splits a combined-format line on spaces. Field positions:
// 0 client address, 5 quoted method, 6 URI, 8 status code. This is enough
// for these four fields; anything after the quoted user agent needs a real parser.
func processEntry(entry string) logEntry {
	parts := strings.Split(entry, " ")
	event := logEntry{
		Address:      parts[0],
		Method:       strings.Replace(parts[5], "\"", "", 1), // strip the opening quote
		Uri:          parts[6],
		ResponseCode: parts[8],
	}
	return event
}
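The split-on-space parser above is fine for the first nine fields, but it breaks as soon as you need the user agent or the trailing X-Forwarded-For address that the deck's log lines carry, and it panics on any short line. As an added example (not code from the deck), here is a parser that matches quoted fields as units, attributes each event to the forwarded client address, and returns an error on malformed input instead of crashing. The log format, field names, sample lines and the assumption that X-Forwarded-For is set by your own proxy are all constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Event is one access-log line attributed to the real client address.
type Event struct {
	Actor, Method, URI, UserAgent string
	Status                        int
	Time                          time.Time
}

// Combined log format plus the optional trailing quoted X-Forwarded-For that
// the deck's lines carry. Quoted fields are matched as units, so a user agent
// containing spaces cannot shift later fields the way strings.Split(line, " ") does.
var lineRe = regexp.MustCompile(
	`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (?:\d+|-) "[^"]*" "([^"]*)"(?: "([^"]*)")?$`)

const clfTime = "02/Jan/2006:15:04:05 -0700"

// ParseLine returns an error instead of panicking on malformed input; a parser
// that trusts log lines will eventually be fed lines crafted to break it.
func ParseLine(line string) (Event, error) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return Event{}, fmt.Errorf("unparseable line: %q", line)
	}
	ts, err := time.Parse(clfTime, m[2])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp %q: %w", m[2], err)
	}
	status, _ := strconv.Atoi(m[5]) // \d{3} guarantees this succeeds
	actor := m[1]
	if xff := m[7]; xff != "" && xff != "-" {
		// First hop of X-Forwarded-For. Assumption: your own proxy overwrites
		// this header; if clients can set it, they choose who gets blamed.
		actor = strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return Event{Actor: actor, Method: m[3], URI: m[4], UserAgent: m[6], Status: status, Time: ts}, nil
}

// Constructed sample lines in the deck's shape (not from a real system): two
// forwarded requests, one direct request with no XFF field, and one garbled line.
var SampleLines = []string{
	`10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"`,
	`10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"`,
	`192.0.2.10 - - [23/Apr/2013:14:20:23 +0000] "GET /search?q=%22%20OR%201%3D1 HTTP/1.1" 404 169 "-" "curl/7.29.0"`,
	`this is not a log line`,
}

// ParseAll keeps going past bad lines and reports how many it skipped, so
// bad data becomes a metric rather than a crash.
func ParseAll(lines []string) (events []Event, skipped int) {
	for _, l := range lines {
		e, err := ParseLine(l)
		if err != nil {
			skipped++
			continue
		}
		events = append(events, e)
	}
	return events, skipped
}
```

The skipped count is worth graphing on its own: a sudden rise usually means either a log format change upstream or someone probing your parser.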
49. Track everything!
• HTTP Method
• Time since last request/average requests per sec
• Failed responses
• Failure of intended action (e.g. login, add credit card, edit, etc)
• Anything noteworthy
50.
// Actor accumulates what has been seen from one source address.
type Actor struct {
	Methods         map[string]int
	FailedLogins    int
	FailedResponses map[string]int
}

// updateEvents folds one parsed entry into the per-address counters.
// Actors are stored by pointer so their fields can be updated in place.
func updateEvents(event logEntry, counts map[string]*Actor) {
	actor, ok := counts[event.Address]
	if !ok {
		actor = &Actor{Methods: map[string]int{}, FailedResponses: map[string]int{}}
		counts[event.Address] = actor
	}
	actor.Methods[event.Method] += 1
	// Anything other than 200 or 302 is a failed response (the original
	// "!= 200 || != 302" was always true).
	if event.ResponseCode != "200" && event.ResponseCode != "302" {
		actor.FailedResponses[event.ResponseCode] += 1
	}
	// This app redirects (302) after a successful login, so a POST to /login
	// that renders the form again (200) is a failed attempt.
	if event.Method == "POST" && event.Uri == "/login" && event.ResponseCode == "200" {
		actor.FailedLogins += 1
	}
}
56. You can start with simple thresholds
• Too many failed logins
• Too many bad response codes (4xx, 5xx)
• Request volume too high
61. 10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
62. 10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
63. 10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
64. 10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
66. As you dig in, you will find many patterns like these
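The four requests above have the shape of a scripted card-testing run: one login, then a POST to the card endpoint every second from the same forwarded address. As an added example that is not code from the deck, the following takes already-parsed events (constructed here to mirror those slides, with two failed logins in front and a second, benign actor), keeps the per-actor state slide 49 asks for, and applies the simple thresholds of slide 56. It adds a sliding window so a burst shows up even when the long-run average looks harmless. The threshold values, the endpoint path, the actor addresses and the assumption that this application redirects on a successful login are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed log line attributed to the real client address.
type Event struct {
	Actor, Method, URI string
	Status             int
	Time               time.Time
}

func at(sec int) time.Time { return time.Date(2013, 4, 23, 14, 20, sec, 0, time.UTC) }

// Constructed sample (not real traffic): two failed logins, a success, then one
// card add per second from one actor; a page view and a 404 from another.
var SampleEvents = []Event{
	{"77.77.165.233", "POST", "/login", 200, at(19)},
	{"77.77.165.233", "POST", "/login", 200, at(20)},
	{"77.77.165.233", "POST", "/login", 302, at(21)},
	{"77.77.165.233", "POST", "/users/king-roland/credit_cards", 302, at(22)},
	{"77.77.165.233", "POST", "/users/king-roland/credit_cards", 302, at(23)},
	{"77.77.165.233", "POST", "/users/king-roland/credit_cards", 302, at(24)},
	{"198.51.100.7", "GET", "/users/alice", 200, at(65)},
	{"198.51.100.7", "GET", "/favicon.ico", 404, at(66)},
}

// Actor is the per-source state: failures, timing, and the intended action.
type Actor struct {
	FailedLogins, FailedResponses int
	Requests, CardAdds            []time.Time
}

func (a *Actor) Add(e Event) {
	a.Requests = append(a.Requests, e.Time)
	if e.Status != 200 && e.Status != 302 {
		a.FailedResponses++
	}
	// Assumption about the app: a good login redirects (302); 200 re-renders the form.
	if e.Method == "POST" && e.URI == "/login" && e.Status == 200 {
		a.FailedLogins++
	}
	if e.Method == "POST" && strings.HasSuffix(e.URI, "/credit_cards") {
		a.CardAdds = append(a.CardAdds, e.Time)
	}
}

// maxInWindow is the most timestamps inside any span of length w (sorted
// two-pointer scan). It finds a burst that the overall average would hide.
func maxInWindow(ts []time.Time, w time.Duration) int {
	s := append([]time.Time(nil), ts...)
	sort.Slice(s, func(i, j int) bool { return s[i].Before(s[j]) })
	best, lo := 0, 0
	for hi := range s {
		for s[hi].Sub(s[lo]) > w {
			lo++
		}
		if hi-lo+1 > best {
			best = hi - lo + 1
		}
	}
	return best
}

// Simple thresholds, deliberately low so the sample trips them; tune per application.
const maxFailedLogins, maxFailedResponses, maxRequests, maxCardAdds = 1, 5, 30, 2
const window = 10 * time.Second

// Alerts lists the thresholds one actor exceeded, in a fixed order.
func (a *Actor) Alerts() []string {
	checks := []struct{ what string; n, limit int }{
		{"failed logins", a.FailedLogins, maxFailedLogins},
		{"failed responses", a.FailedResponses, maxFailedResponses},
		{"requests per 10s", maxInWindow(a.Requests, window), maxRequests},
		{"card adds per 10s", maxInWindow(a.CardAdds, window), maxCardAdds},
	}
	var out []string
	for _, c := range checks {
		if c.n > c.limit {
			out = append(out, fmt.Sprintf("%s: %d > %d", c.what, c.n, c.limit))
		}
	}
	return out
}

// Run folds events per actor and returns actor -> exceeded thresholds.
func Run(events []Event) map[string][]string {
	actors, hits := map[string]*Actor{}, map[string][]string{}
	for _, e := range events {
		if actors[e.Actor] == nil {
			actors[e.Actor] = &Actor{}
		}
		actors[e.Actor].Add(e)
	}
	for name, a := range actors {
		if al := a.Alerts(); len(al) > 0 {
			hits[name] = al
		}
	}
	return hits
}
```

On the sample, only 77.77.165.233 trips anything (two failed logins and three card adds inside ten seconds); the 404 from the other actor stays below its threshold. Note what the thresholds cannot tell you: the three card adds all succeeded, so this is either a customer with three cards or someone validating stolen ones, which is exactly the "harmless request or account takeover" question the deck raises next.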
71. You will have to build more intelligent processing to understand them
74. Is it a harmless request or an account takeover?
78. Once you have enough information to make a decision, you must act
87. “Of course machines can't think as people do. A machine is different from a person. Hence, they think differently.”
-- Alan Turing, The Imitation Game
100. There are three main ideas
• The thing that acts on actors
• The shared cache
• The event processors
102. Fast in a web request is single digit milliseconds
103. You can choose to embed this in your applications or your web servers
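One way to wire the three pieces together when embedding in the application, as an added example that is not the deck's code: event processors write verdicts into a shared cache, and an HTTP middleware (the thing that acts on actors) reads them with a fixed time budget so a slow cache cannot push the request past the single-digit-millisecond target. The in-process map stands in for whatever shared cache you actually run; the verdict layout, the fail-open choice on timeout, the metric names and keying actors by connecting address are assumptions made for the example.

```go
package main

import (
	"context"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"sync/atomic"
	"time"
)

// Verdict is what the event processors decide about an actor; the request
// path only reads it. Verdicts expire so a stale block cannot linger.
type Verdict struct {
	Block   bool
	Reason  string
	Expires time.Time
}

// VerdictCache is the shared cache between processors and the enforcer; an
// in-process map stands in for the network cache you would really use.
type VerdictCache struct {
	mu sync.RWMutex
	m  map[string]Verdict
}

func NewVerdictCache() *VerdictCache { return &VerdictCache{m: map[string]Verdict{}} }

// Set is called by the event processors once they have enough to decide.
func (c *VerdictCache) Set(actor string, v Verdict) {
	c.mu.Lock()
	c.m[actor] = v
	c.mu.Unlock()
}

// Get is called in the request path; an expired verdict counts as absent.
func (c *VerdictCache) Get(ctx context.Context, actor string) (Verdict, bool) {
	c.mu.RLock()
	v, ok := c.m[actor]
	c.mu.RUnlock()
	if !ok || time.Now().After(v.Expires) {
		return Verdict{}, false
	}
	return v, true
}

// Lookup abstracts the cache so a slow backend can be substituted.
type Lookup func(ctx context.Context, actor string) (Verdict, bool)

// Metrics counts every decision; timeouts are the one to alert on.
type Metrics struct{ Blocked, Allowed, Timeouts atomic.Int64 }

// Enforcer is the thing that acts on actors, embedded as HTTP middleware.
// The lookup gets a fixed budget; on overrun it fails open and counts it.
type Enforcer struct {
	Lookup  Lookup
	Budget  time.Duration
	Metrics Metrics
}

func (e *Enforcer) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		actor := r.RemoteAddr // assumption: no proxy in front; else use a proxy-set header
		if host, _, err := net.SplitHostPort(actor); err == nil {
			actor = host
		}
		ctx, cancel := context.WithTimeout(r.Context(), e.Budget)
		defer cancel()
		type result struct {
			v  Verdict
			ok bool
		}
		ch := make(chan result, 1) // buffered so a late lookup cannot leak a goroutine
		go func() { v, ok := e.Lookup(ctx, actor); ch <- result{v, ok} }()
		select {
		case res := <-ch:
			if res.ok && res.v.Block {
				e.Metrics.Blocked.Add(1)
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
		case <-ctx.Done():
			e.Metrics.Timeouts.Add(1)
		}
		e.Metrics.Allowed.Add(1)
		next.ServeHTTP(w, r)
	})
}

// Serve pushes one request from remoteAddr through the enforcer and returns the status code.
func Serve(e *Enforcer, remoteAddr string) int {
	okHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodPost, "/login", nil)
	req.RemoteAddr = remoteAddr
	rec := httptest.NewRecorder()
	e.Wrap(okHandler).ServeHTTP(rec, req)
	return rec.Code
}
```

Failing open on a timeout means a slow cache costs you detection, not availability; that is a choice, and a login or payment endpoint might reasonably fail closed instead. Whichever way you go, the Timeouts counter is the metric that tells you the decision path has stopped doing its job, which is why it sits next to Blocked and Allowed rather than in a log line.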
115. Things to consider
• False positives
• Decision latency
• Incorrect modeling
• Bad data
• Monitoring
122. Run all your models through it when you make even a single change
126. This type of automation deserves every monitor and metric you can get