HOW TO DETECT SQL INJECTION & XSS ATTACKS

USING SIEM EVENT CORRELATION


Tom D’Aquino, Sr. SIEM Engineer
AGENDA
• Today's Threat Landscape: Realities & Implications
• Web Application Attacks: What are they and what harm can they bring?
• Threat detection through correlation of NIDS, HIDS and IP Reputation
• AlienVault Unified Security Management (USM) at a glance
• Demo environment details
• Live Demo of USM
  • Data collection and correlation from a Network IDS to detect web application attacks
  • Leveraging the OSSEC HIDS agent to monitor web server logs for web application attacks
THREAT LANDSCAPE: OUR NEW REALITY
More and more organizations are finding themselves in the crosshairs of various bad actors for a variety of reasons.
• The number of organizations experiencing high-profile breaches is unprecedented; SMBs increasingly become the target.
• In 2012 (and we expect this to rise in 2013 and into 2014), 50% of all targeted attacks were aimed at businesses with fewer than 2,500 employees. In fact, the largest growth area for targeted attacks in 2013 was businesses with fewer than 250 employees; 31% of all attacks targeted them.
THREAT LANDSCAPE: WEB APPLICATION ATTACKS
XSS or Cross Site Scripting and SQL Injection are common methods of attacking web applications.
• XSS attacks give attackers the ability to inject malicious code into websites they do not own.
• SQL Injection attacks allow attackers to extract information from a website such as sensitive user information or user credentials.
THREAT LANDSCAPE: CROSS SITE SCRIPTING ATTACKS
XSS attacks are typically used to compromise a user's local system and install malware, or to impersonate a user on some other website through cookie hijacking.
• XSS attacks typically require some kind of web form that allows users to post content to the website, such as:
  • Comment forms on blog sites
  • Forums, message boards, etc.
• XSS attacks are easy to carry out using tools like the Browser Exploitation Framework (BeEF): http://beefproject.com/
THREAT LANDSCAPE: CROSS SITE SCRIPTING ATTACKS (CONTINUED)
Once the script is inserted into the web page, it is automatically executed by the victim's web browser when the web page is loaded.
THREAT LANDSCAPE: SQL INJECTION ATTACKS
SQL Injection attacks are commonly used to extract sensitive information from web applications. Examples include:
• User account information, i.e. email addresses and passwords
• Stored credit card data
• System configuration details
THREAT LANDSCAPE: SQL INJECTION ATTACKS (CONTINUED)
There are SQL Injection tricks that hackers can use to find your interesting data, such as viewing all of the tables in the database:
THE ALIENVAULT USM SOLUTION: NETWORK INTRUSION DETECTION
Network IDS is embedded in our platform, giving you the ability to detect network level attacks, including identifying malicious web requests sent to your web server.
• Network IDS signatures are updated frequently to keep you on the front lines of advanced detection.
THE ALIENVAULT USM SOLUTION: HOST INTRUSION DETECTION
With Host IDS, you can monitor the logs of your IIS or Apache web server for indications of XSS and SQL Injection attacks.
• Web server log monitoring
• File integrity checking
• Operating system logging
• Centralized management
THE ALIENVAULT USM SOLUTION: IP REPUTATION
Tracking activity from attackers around the world allows AlienVault USM to alert you when known bad actors are hitting your web site.
• Automatically correlates known attackers with malicious activity detected from both the network and host intrusion detection systems.
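The correlation the two previous slides describe (HIDS matches on web server logs, NIDS alerts and IP reputation combined per source address), as an added Python example that is not part of the original webcast or of AlienVault USM. The access log lines, the NIDS alert table and the reputation list are constructed, and the SQLi/XSS patterns are illustrative stand-ins, not USM's or OSSEC's own rules.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access log lines (not taken from the webcast).
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 -0700] "GET /products.php?id=1%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables HTTP/1.1" 200 2326
198.51.100.23 - - [10/Oct/2013:13:56:01 -0700] "GET /comment.php?text=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 512
192.0.2.55 - - [10/Oct/2013:13:57:12 -0700] "GET /products.php?id=42 HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2013:13:58:40 -0700] "GET /products.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 310
"""

# Constructed NIDS alerts keyed by source IP (stand-in for Snort/Suricata output in USM).
NIDS_ALERTS = {"203.0.113.7": ["ET WEB_SERVER SQL Injection attempt"]}
# Constructed IP reputation list (stand-in for the USM reputation feed).
BAD_IPS = {"203.0.113.7", "198.51.100.23"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Illustrative patterns only; a real HIDS ruleset is far broader than this.
SIGNATURES = {
    "sqli": re.compile(r"(union\s+select|information_schema|'\s*or\s*'?\d|--\s*$|;\s*drop\s)", re.I),
    "xss":  re.compile(r"(<script\b|javascript:|onerror\s*=|document\.cookie)", re.I),
}

def classify_request(url):
    """Return the set of attack classes whose patterns match the URL-decoded request."""
    decoded = unquote_plus(url)  # decode %xx so encoded payloads are not missed
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def correlate(log_text, nids_alerts, bad_ips):
    """Per source IP, combine HIDS log matches, NIDS alerts and reputation into a score."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip = m.group("ip")
        kinds = classify_request(m.group("url"))
        if not kinds:
            continue  # benign request, nothing for the HIDS stage to report
        f = findings.setdefault(ip, {"hids": set(), "nids": [], "reputation": False, "score": 0})
        f["hids"] |= kinds
    for ip, f in findings.items():
        f["nids"] = nids_alerts.get(ip, [])
        f["reputation"] = ip in bad_ips
        # One point per independent evidence source; 3 means host, network and reputation agree.
        f["score"] = bool(f["hids"]) + bool(f["nids"]) + f["reputation"]
    return findings
```

Calling `correlate(ACCESS_LOG, NIDS_ALERTS, BAD_IPS)` yields a score of 3 for 203.0.113.7 (all three sources agree) and 2 for 198.51.100.23 (log match plus reputation, no NIDS alert); the benign request from 192.0.2.55 produces no finding at all.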
[Diagram: the five USM capability areas arranged in a cycle, with the role each plays]
• Asset Discovery (figure out what is valuable)
  • Active Network Scanning
  • Passive Network Scanning
  • Asset Inventory
  • Host-based Software Inventory
• Vulnerability Assessment (identify ways the target could be compromised)
  • Network Vulnerability Testing
• Threat Detection (start looking for threats)
  • Network IDS
  • Host IDS
  • Wireless IDS
  • File Integrity Monitoring
• Behavioral Monitoring (look for strange activity which could indicate a threat)
  • Log Collection
  • Netflow Analysis
  • Service Availability Monitoring
• Security Intelligence (piece it all together)
  • SIEM Correlation
  • Incident Response
UNIFIED SECURITY MANAGEMENT
"Security Intelligence through Integration that we do, NOT you"

USM Platform
• Bundled Products - 30 Open-Source Security tools to plug the gaps in your existing controls
• USM Framework - Configure, Manage, & Run Security Tools. Visualize output and run reports
• USM Extension API - Support for inclusion of any other data source into the USM Framework
• Open Threat Exchange - Provides threat intelligence for collaborative defense
DEMO NETWORK DETAILS
The demo environment that we are testing in today contains the following:
NON-DEFAULT CONFIGURATION
Apache access.log monitoring is not a default behavior of the AlienVault HIDS agent.
NOW FOR SOME Q&A…

Three Ways to Test Drive AlienVault
• Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
• Try our Interactive Demo Site: http://www.alienvault.com/live-demo-site
• Join us for a live Demo: http://www.alienvault.com/marketing/alienvault-usm-live-demo

Questions? [email protected]