Thursday, May 21, 2009

AppSensor Response to Log Monitoring

As you may have noticed from the AppSensor project and the recent OWASP EU presentation, I'm not a big believer in manual log analysis to detect and block malicious activity. Here's my response to a recent article on Dark Reading recommending log analysis.

The article:
Tippett: Use Application Logs To Catch Data Breaches

My response:

There are several major barriers to utilizing logs to prevent data breaches.
1. Most systems are not configured to capture all of the information needed to detect an attack, so the log often cannot show the probing that preceded the breach.
2. Humans are required to review the log data. That means either a large number of skilled analysts watching logs, or automation, which loses the benefit of human interpretation. In addition, the number of log entries an application generates grows very quickly, which makes it hard to pick malicious patterns out of the noise in time.
3. Even when the log data is complete and the analysts notice the events, they still have to identify the attacker and stop them before the attack succeeds. As the article points out, an attacker often needs less than an hour.

Recognizing this as a substantial challenge, the Open Web Application Security Project (OWASP) is developing guidance for a solution named AppSensor. Instead of attempting to solve this problem with log analysis, let’s move into the application and detect the attackers there. By using detection points with low false positive rates (for example, a request carrying a parameter the page never offers, or a value outside the fixed set a form presented), it is possible to detect attackers probing for weaknesses in the application, because a legitimate user working through the normal interface does not generate those events. The detection mechanism ties into a response agent that tracks events per user and can automatically lock the account once the user is deemed malicious. This approach requires no human analysis or intervention: attackers are identified and blocked automatically.

The AppSensor approach differs greatly from traditional WAF or network-based IDS devices because it is built into the application itself. This lets the detection agent recognize attacks against business logic and access control (for instance, a user requesting another user’s record by changing an identifier), areas that external products cannot see because they do not know which user is logged in or what that user is allowed to do.
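The following Python sketch is an added example written for this page, not code from the AppSensor project, of the pattern described in the two paragraphs above: three in-application detection points (an unexpected parameter, an invalid enumeration value, and an access control violation on a direct object reference) feed a response agent that counts events per user inside a time window and locks the account automatically when a threshold is crossed. The detection point names, thresholds, window length, order data and request sequence are all assumptions constructed for the example.

```python
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Detection-point labels and per-user thresholds are assumptions for this
# example; they are not values taken from the AppSensor project.
THRESHOLDS: Dict[str, int] = {
    "UNEXPECTED_PARAM": 3,          # request carried a parameter the page never offers
    "INVALID_ENUM_VALUE": 2,        # value outside the fixed set the form presented
    "ACCESS_CONTROL_VIOLATION": 1,  # authz failure on a direct object reference
}
WINDOW_SECONDS = 600  # only events inside this window count toward a threshold


@dataclass
class DetectionEvent:
    user: str
    point: str
    ts: float


class ResponseAgent:
    """Tracks detection events per user and locks the account automatically
    once any single detection point crosses its threshold inside the window.
    No human review is involved at any step."""

    def __init__(self, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
        self.thresholds = thresholds
        self.window = window
        self.events: Dict[str, List[DetectionEvent]] = defaultdict(list)
        self.locked: Set[str] = set()

    def record(self, user: str, point: str, now: Optional[float] = None) -> bool:
        """Record an event; return True if this event locked the account."""
        now = time.time() if now is None else now
        self.events[user].append(DetectionEvent(user, point, now))
        # Count only events for this point that fall inside the window.
        recent = [e for e in self.events[user]
                  if e.point == point and now - e.ts <= self.window]
        if len(recent) >= self.thresholds[point] and user not in self.locked:
            self.locked.add(user)
            return True
        return False

    def is_locked(self, user: str) -> bool:
        return user in self.locked


# Constructed sample application data (assumed for the example).
ALLOWED_PARAMS = {"order_id", "shipping"}
SHIPPING_OPTIONS = {"standard", "express"}
ORDERS = {"1001": "alice", "1002": "bob", "1003": "mallory"}  # order_id -> owner


def view_order(agent: ResponseAgent, user: str, params: Dict[str, str],
               now: Optional[float] = None) -> str:
    """Request handler carrying three in-application detection points.
    Returns one of LOCKED, REJECTED, DENIED, NOT_FOUND, OK."""
    if agent.is_locked(user):
        return "LOCKED"
    # Detection point 1: a parameter the page never emits. A browser submits
    # exactly the fields in the form, so an extra one means request tampering.
    if set(params) - ALLOWED_PARAMS:
        agent.record(user, "UNEXPECTED_PARAM", now)
        return "REJECTED"
    # Detection point 2: a value outside the enumeration the form offered.
    shipping = params.get("shipping", "standard")
    if shipping not in SHIPPING_OPTIONS:
        agent.record(user, "INVALID_ENUM_VALUE", now)
        return "REJECTED"
    # Detection point 3: access control. The order exists but belongs to
    # someone else; the UI never links a user to another user's order id,
    # so this is an authorization probe a WAF or network IDS cannot see.
    owner = ORDERS.get(params.get("order_id"))
    if owner is None:
        return "NOT_FOUND"
    if owner != user:
        agent.record(user, "ACCESS_CONTROL_VIOLATION", now)
        return "DENIED"
    return "OK"


def simulate_probe() -> List[str]:
    """Replay a constructed sequence: alice uses the app normally, then
    mallory tampers with the form and finally tries alice's order id."""
    agent = ResponseAgent()
    t = 1000.0
    requests = [
        ("alice", {"order_id": "1001", "shipping": "express"}),
        ("mallory", {"order_id": "1003", "shipping": "standard", "debug": "1"}),
        ("mallory", {"order_id": "1003", "shipping": "overnight'--"}),
        ("mallory", {"order_id": "1001"}),   # alice's order: locks the account
        ("mallory", {"order_id": "1003"}),   # own order, but already locked
    ]
    return [view_order(agent, user, params, now=t + i)
            for i, (user, params) in enumerate(requests)]


if __name__ == "__main__":
    print(simulate_probe())
```

The thresholds are deliberately uneven: a single access control violation is enough to lock, because a normal user cannot produce it through the interface, while the parameter checks allow a couple of events before responding. The window keeps a slow trickle of stale events from ever adding up to a lock, which is what keeps the false positive rate low in practice.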

Everything at OWASP is free and open. Check out AppSensor if this sounds interesting.
http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project
-Michael Coates