Graphing for Security
Ben Allen @mr_secure
whoami
● Architecture & Operations Engineer
– SANS Institute 1+ years
● Security Architect / Analyst
– University of Minnesota 10+ years
● Application Developer
– SANS Institute 5+ years, contractor
Outline
● Background / Fast Forward
● Data Sources
● Framework Integration
● Dashboard Ideas
● Questions
Structural Overview
Data Sources
Data Sources
● Conceptually 4 levels
– OS, Service, Framework, Application
Data Sources
● OS - collectd
– All: CPU, memory, disk & network I/O
– Selected: counts of important processes
● httpd processes on web server
● mysqld threads on DB server
Data Sources
● Service – custom scripts / graphite; collectd
– MySQL: thread states, users, query stats
– Apache: log analysis, server-status
– Mail Bounce Processor: queue depth
Data Sources
● Framework – integrate statsd client library
– eg. Kohana, Rails, Django, Symfony
– Hook into event, logging systems
– Performance counters:
● page generation time / memory use / cache hit %
– Details per app, controller (warning), function (danger!!)
– Use framework introspection to construct part of metric path
● framework.datacenter.server.application.controller.total_time
● ^---- this part is auto generated -------------------^ . developer-provided
Data Sources
● Application
– Leverage framework integration
– Frictionless for developers - POLA
– Business metrics
● statsd::increment("sales.$widget.$color", $price);
– Behavior metrics
● Login success / failure; account lockout
● Input validation success / failure
● Trap page access
Framework Integration
Framework Integration
● Target: make measurements frictionless for developers
– Example frameworks: Kohana, Django, Rails, Symfony
● Look & act like other framework components
– Seamless integration
– Include in “baseline” installation for framework
– Share externally
● POLA
– Principle of Least Astonishment
– Minimize / eliminate the learning curve
Framework Integration
● Request processing sequence
– Framework bootstrap
– Request analysis / routing
– Execution
– Shutdown
– Exceptions
● Hooks
Framework Integration
● Use existing configuration mechanism
– Configure just like any other framework module
● Hook into event mechanism
– Logging events - Display events
– Error events - Exception handler
● Utilize existing internal data
– Memory usage - Timing data
Framework Integration
● Extend helper routines
– Logging (gather count by log level)
– Validators (email address, number, name, ip address, safe string)
– Authentication (success, fail, account lockout)
– Authorization (action not permitted)
Framework Integration
● Auto-generate base part of metric name
● Use framework introspection & configuration
– framework.datacenter.server.application.controller.total_time
– ^---- this part is auto generated -------------------^ . developer-provided
– eg. metrics::timing('total_time', $totalTime);
Framework Integration
● Starting Point
– Errors: 403, 404, 500
– Execution times: controller & total
– Memory Usage
– Logging events
● Requires no application changes
● Generates useful information
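The framework-integration slides above describe a module that builds the base of the metric path from introspection and configuration, lets the developer supply only the leaf (metrics::timing('total_time', ...)), and hooks the request sequence so 403/404/500 counts, execution time and memory arrive with no application changes. The code below is an added example of that pattern in Python, not code from the talk or from Kohana, Django, Rails or Symfony; the framework, datacenter and server names are assumptions, and the UDP sink talks to statsd's default 127.0.0.1:8125. It also enforces the later slide's warning about collection DoS: every path segment an attacker could influence is sanitized and status codes are bucketed, so scanning cannot mint new whisper files.

```python
"""Framework-level statsd hook: auto-generated metric prefix, sanitized
segments, and request instrumentation via the hooks a framework already has."""
import re
import socket
import time
import tracemalloc

# Assumed deployment values; a real framework module reads these from its own
# configuration mechanism (hypothetical names).
FRAMEWORK = "kohana"
DATACENTER = "dc1"
SERVER = "web01"          # normally socket.gethostname().split(".")[0]

_BAD_CHARS = re.compile(r"[^A-Za-z0-9_-]")


def sanitize_segment(value, max_len=64):
    """Make one metric-path segment safe for Graphite: no '.', no glob characters
    (* ? [ ] { }), bounded length. Anything attacker-influenced (URL, user agent,
    form value) must pass through here, or each scanned URL becomes a new whisper
    file on the Graphite host."""
    cleaned = _BAD_CHARS.sub("_", str(value))[:max_len]
    return cleaned or "unknown"


def metric_prefix(application, controller, server=SERVER,
                  framework=FRAMEWORK, datacenter=DATACENTER):
    """Auto-generated part of the path: framework.datacenter.server.application.controller.
    In a framework, application/controller come from route introspection."""
    return ".".join(sanitize_segment(s) for s in
                    (framework, datacenter, server, application, controller))


class StatsdClient:
    """Minimal statsd text-protocol client. `sink` receives each encoded line; the
    default sink sends UDP datagrams to statsd's default port."""

    def __init__(self, prefix, sink=None):
        self.prefix = prefix
        self.sent = []                      # kept so callers can inspect what went out
        if sink is None:
            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            sink = lambda line: sock.sendto(line.encode(), ("127.0.0.1", 8125))
        self._sink = sink

    def _emit(self, name, value, kind):
        leaf = ".".join(sanitize_segment(p) for p in name.split("."))
        line = f"{self.prefix}.{leaf}:{value}|{kind}"
        self.sent.append(line)
        self._sink(line)

    def increment(self, name, value=1):   # e.g. increment("sales.widget.red", price)
        self._emit(name, value, "c")

    def timing(self, name, millis):       # e.g. timing("total_time", elapsed_ms)
        self._emit(name, int(millis), "ms")

    def gauge(self, name, value):
        self._emit(name, value, "g")


def instrument_request(client, action):
    """Run one controller action under bootstrap/shutdown timing and the exception
    handler hook. `action` returns an HTTP status code; an uncaught exception is
    recorded as a 500. Code inside `action` never touches metrics."""
    tracemalloc.start()
    started = time.perf_counter()
    try:
        status = action()
    except Exception:                     # framework exception-handler hook
        status = 500
        client.increment("exception")
    finally:
        elapsed_ms = (time.perf_counter() - started) * 1000
        _, peak = tracemalloc.get_traced_memory()
        tracemalloc.stop()
    client.timing("total_time", elapsed_ms)
    client.gauge("memory_peak_bytes", peak)
    client.increment(f"status.{status // 100}xx")   # at most five buckets, ever
    if status in (403, 404, 500):                   # the talk's starting set
        client.increment(f"error.{status}")
    return status


if __name__ == "__main__":
    client = StatsdClient(metric_prefix("shop", "checkout"), sink=print)
    instrument_request(client, lambda: 200)
    instrument_request(client, lambda: 404)

    def broken():
        raise ValueError("unchecked input reached an internal command")

    instrument_request(client, broken)
```

Run stand-alone it prints the statsd lines instead of sending them. Note that the 404 counter is keyed by application and controller only, never by the requested path: that is the aggregation the later slide recommends, applied at the emitter so the collector is never asked to store one series per scanned URL.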
Dashboard Ideas
Dashboard Ideas
● Focusing on SECURITY mindset
● System & Application Health
– Know your baseline
– vs. 7 days ago – is there a pattern?
– Web server health
● process states; memory & CPU usage
● disk & network I/O
– DB server health
● memory & CPU usage, long queries, I/O
Dashboard Ideas
● Find what works for your team
– Mix breadth & depth
● One metric across many systems / services
– eg. memory or CPU usage; web server status
● Many (all) metrics for one system
– eg. page load times, CPU, I/O, db conns, etc.
one metric – many systems
Security Dashboards
2 Classes:
● Application Behaviors
– Custom per application
– Related to application logic, intent
● Errant Behaviors
– More generic
– Can support multiple applications
– Integrate at framework to make them automatic
● Note: intent requires human interpretation, logs
Security Dashboards
Application Behavior
● Login failures (count, percent)
● Business transactions
– DoS attack vs. successful marketing
– Registration deadline
Security Dashboards
Application Behavior
● Transaction failures
– CC declined
– Non-existent domain for email address
● Access forbidden
– User trying to access parts of app beyond their authorization
– Forced browsing vs. exposed link
Security Dashboards
Application Behavior
● Trap fields populated
– Unused, empty form field with tempting name
– Not displayed to users
– Will be filled in by automated scanner / spam bot
– eg. “subject”
● CAPTCHA failures
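The three application-behavior detectors on this slide (trap field populated, spider-trap URL hit, CAPTCHA failure) fit in one request classifier. The code below is an added example, not from the talk; the trap path, the form contents and the sample traffic are constructed. The trap field name "subject" is the slide's own example. One practical caveat is built in: a trap field must not carry a name browser autofill recognises (name, email, address), or real users will fill it and show up as bots.

```python
"""Misuse detectors: trap form field, spider-trap URL, CAPTCHA failure."""
from collections import Counter

# Form fields present in the HTML but hidden with CSS and never shown to users.
# Pick names autofill will not match; "subject" is the talk's example.
TRAP_FIELDS = ("subject",)

# Hypothetical spider-trap path: appears only in robots.txt Disallow, never linked.
SPIDER_TRAP_PREFIX = "/.private/"


def detect_misuse(path, form, captcha_ok=True):
    """Return (indicators, response_status). Indicators are the metric leaf names the
    framework hook would increment, e.g. 'trap.field.subject'. Trap hits are answered
    so the bot learns nothing: a trapped form is 'accepted' (200) but the caller must
    discard the submission; the trap URL gets a plain 404."""
    indicators = []
    for name in TRAP_FIELDS:
        if form.get(name, "").strip():
            indicators.append(f"trap.field.{name}")
    if path.startswith(SPIDER_TRAP_PREFIX):
        indicators.append("trap.url")
    if not captcha_ok:
        indicators.append("captcha.failure")
    status = 404 if "trap.url" in indicators else 200
    return indicators, status


def misuse_counts(requests):
    """Aggregate indicators over (path, form, captcha_ok) tuples: the per-indicator
    counts a dashboard graphs, plus 'clean' for unremarkable requests."""
    counts = Counter()
    for path, form, captcha_ok in requests:
        indicators, _ = detect_misuse(path, form, captcha_ok)
        for indicator in indicators or ["clean"]:
            counts[indicator] += 1
    return counts


# Constructed sample traffic: two humans, one spam bot, one crawler in the trap.
SAMPLE_REQUESTS = [
    ("/contact", {"name": "Ann", "message": "hi", "subject": ""}, True),
    ("/contact", {"name": "Bob", "message": "help", "subject": ""}, False),
    ("/contact", {"name": "x", "message": "buy", "subject": "Cheap pills"}, True),
    ("/.private/accounts.csv", {}, True),
]

if __name__ == "__main__":
    for indicator, n in sorted(misuse_counts(SAMPLE_REQUESTS).items()):
        print(f"{indicator}: {n}")
```

The indicator names are deliberately fixed strings, so the series count on the dashboard stays constant no matter what the bot submits.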
Security Dashboards
Errant Behaviors
● Long running SQL Queries
– pages with poorly written queries
– SQLi causing abnormal queries to be executed
– WAITFOR DELAY (MSSQL) / BENCHMARK (MySQL)
● Time-based blind SQLi
● Concept holds for any external data source
– Service / API call; LDAP query; etc.
Long Running Queries
● Note the same behavior from 7 days ago
– Yellow line
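The long-running-query slides above make two separate points: a query can be slow because it is badly written, or because an injected time-delay primitive is executing. The scan below is an added example, not the talk's code, run over constructed rows shaped like a database server's active-query list (MySQL SHOW FULL PROCESSLIST, or the equivalent view on other engines). The talk names WAITFOR DELAY and BENCHMARK; SLEEP (MySQL) and pg_sleep (PostgreSQL) are added here as the equivalents. Counts are keyed by database and classification only, so the metric namespace stays bounded whatever the attacker sends.

```python
"""Flag slow queries and time-delay primitives in an active-query list."""
import re
from collections import Counter

# Time-delay primitives by dialect. Legitimate application code almost never
# calls these, so a single hit is worth a graph point even before it runs long.
DELAY_PRIMITIVE = re.compile(
    r"\b(?:BENCHMARK\s*\(|SLEEP\s*\(|WAITFOR\s+DELAY\b|PG_SLEEP\s*\()",
    re.IGNORECASE)


def classify_query(sql, seconds, slow_threshold=5.0):
    """'delay_primitive' if the text contains a sleep/benchmark call, 'slow' if it has
    run at least slow_threshold seconds, else None.
    Caveats: use SHOW FULL PROCESSLIST; plain SHOW PROCESSLIST truncates Info to
    100 characters and loses the payload at the end of an injected query. An idle
    connection has no query text and its Time column is idle seconds, not run time."""
    if not sql:
        return None
    if DELAY_PRIMITIVE.search(sql):
        return "delay_primitive"
    if seconds >= slow_threshold:
        return "slow"
    return None


def scan_processlist(rows, slow_threshold=5.0):
    """rows: dicts with keys db, time (seconds running), info (query text or None).
    Returns Counter keyed by (db, classification): one metric per application."""
    counts = Counter()
    for row in rows:
        kind = classify_query(row.get("info"), row.get("time", 0), slow_threshold)
        if kind:
            counts[(row["db"], kind)] += 1
    return counts


# Constructed sample rows (not captured from a real server).
SAMPLE_ROWS = [
    {"db": "shop", "time": 0,
     "info": "SELECT id, name FROM products WHERE category = 7"},
    {"db": "reports", "time": 42,   # poorly written report query
     "info": "SELECT o.id FROM orders o JOIN order_lines l ON l.order_id = o.id GROUP BY o.id"},
    {"db": "shop", "time": 1,
     "info": "SELECT * FROM users WHERE id = 1 AND SLEEP(5)"},
    {"db": "shop", "time": 0,
     "info": "SELECT * FROM users WHERE id = 1; WAITFOR DELAY '0:0:5'--"},
    {"db": "shop", "time": 3,
     "info": "SELECT 1 FROM dual WHERE 1=1 AND BENCHMARK(5000000, MD5('a'))"},
    {"db": "shop", "time": 600, "info": None},   # idle connection, not a slow query
]

if __name__ == "__main__":
    for (db, kind), n in sorted(scan_processlist(SAMPLE_ROWS).items()):
        print(f"{db}.{kind}: {n}")
```

Emitted as counters, the two classifications graph separately: a rise in "slow" across many apps after a release points at a query regression, while "delay_primitive" on one app with no release is the blind-SQLi pattern the slide describes.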
Security Dashboards
Errant Behaviors
● Server Errors – HTTP 5xx
– Internal application failures should not be part of a normally operating application
– Configuration error
– License expiration
– Unchecked input -> malformed internal command
● Attacker probing for command injection flaws
Server Errors Dashboard
Security Dashboards
Errant Behaviors
● Input Validation Errors
– Application scanners tend to cause sharp rise
– Generate as part of framework integration
– Check for empty inputs too (application dependent)
Security Dashboards
Errant Behaviors
● Page Load Times
– Also a Key UX / Performance Indicator
– Back end slowness (DB, internal services)
– Injection attacks (SQLi, command injection)
– Insufficient resources (too many requests to handle)
– Fruitful data to identify measurement gaps
● What is not measured, but impacts page performance?
Security Dashboards
Errant Behaviors
● Page Load Times (ctd.)
– What level of detail?
● App / Controller / Method / View / Model
– Scanning activity can cause collection DoS
● Create whisper db file for every new 404 error?
– Aggregation rules can help here
● eg. aggregate all 404 metrics by application
Page Load Times
● Slowest 5 applications in one framework
● Based on upper 90th percentile of page generation time
highestMax(groupByNode(framework.datacenter.*.*.*.*.total_execution.upper_90,4,"maxSeries"), 5)
Security Dashboards
Errant Behaviors
● Web Server Response Codes
– Per site / application / server
– Group codes into buckets
● 1xx, 2xx, 3xx, 4xx, 5xx
● 0-399, 400+
– Percentage balance should be fairly stable
● eg. small % 4xx; no 5xx
Web Server Error Percentages
alias(summarize(sumSeries(apache2.*.*.*.*.status.{4??,5??}.count), '$window', 'sum', false), 'error 4xx 5xx')
alias(summarize(sumSeries(apache2.*.*.*.*.status.{2??,3??}.count), '$window', 'sum', false), 'success 2xx 3xx')
Security Dashboards
Errant Behaviors
● Web Server Response Codes
– Typo in link (404)
● eg. bulk mailer auto-corrects part of URL
– Page removed but still referenced (404)
– Scan for known vulnerable software (404)
● eg. /wp-admin
– Injection attacks (500)
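The response-code slides above graph the 2xx/3xx versus 4xx/5xx balance (the two Graphite queries with {2??,3??} and {4??,5??} globs) and expect the percentages to stay stable against the same window a week earlier, with no 5xx at all. The code below is an added example, not the talk's, of that comparison done on raw counts: it buckets per-status counts the way the globs do, converts to shares so windows of different volume compare, and reports buckets whose share grew beyond a tolerance, with 5xx reported on any appearance. The two one-hour windows are constructed.

```python
"""Bucket HTTP status counts and compare a window against its 7-day baseline."""
from collections import Counter

BUCKETS = ("1xx", "2xx", "3xx", "4xx", "5xx")


def bucket_counts(status_counts):
    """{200: 9400, 404: 350, ...} -> Counter({'2xx': 9400, '4xx': 350, ...})."""
    buckets = Counter()
    for code, n in status_counts.items():
        buckets[f"{code // 100}xx"] += n
    return buckets


def bucket_shares(status_counts):
    """Share of all responses per bucket, so a busy hour and a quiet hour compare."""
    total = sum(status_counts.values())
    if total == 0:
        return {}
    return {b: n / total for b, n in bucket_counts(status_counts).items()}


def deviations(now, baseline, tolerance=0.01):
    """Buckets whose share grew by more than `tolerance` (absolute) versus the
    baseline window, as {bucket: delta}. 5xx is special-cased: a healthy baseline
    has none, so any 5xx at all is reported even below the tolerance."""
    now_s, base_s = bucket_shares(now), bucket_shares(baseline)
    flagged = {}
    for bucket in BUCKETS:
        delta = now_s.get(bucket, 0.0) - base_s.get(bucket, 0.0)
        if delta > tolerance:
            flagged[bucket] = round(delta, 4)
    if now_s.get("5xx", 0.0) > 0 and base_s.get("5xx", 0.0) == 0 and "5xx" not in flagged:
        flagged["5xx"] = round(now_s["5xx"], 4)
    return flagged


# Constructed one-hour windows of per-status counts for one site.
WINDOW_NOW = {200: 9400, 301: 200, 404: 350, 500: 12}
WINDOW_WEEK_AGO = {200: 9600, 301: 210, 404: 180}

if __name__ == "__main__":
    for bucket, delta in deviations(WINDOW_NOW, WINDOW_WEEK_AGO).items():
        print(f"{bucket}: +{delta:.2%} of traffic vs. 7 days ago")
```

In the sample the 404 share roughly doubles (a scan for /wp-admin and friends, or a broken link in a mailing) and a dozen 500s appear where the baseline had none; both are flagged, while the lower 2xx share is not, since only growth in error buckets is interesting. In Graphite itself the same share is asPercent() of the slide's error series over the total.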
Summary
● Magnify benefits by minimizing cost to generate / use metrics
● Establish a baseline
● Pay attention to what's going wrong too
● Measure across full vertical range
– Bits in/out
– Business transactions completed
● Create & instrument misuse detectors
– Trap fields, spider trap URLs
Questions
References / Links
● POLA - http://en.wikipedia.org/wiki/Principle_of_least_astonishment
● Form Trap Fields - https://isc.sans.edu/forums/diary/Form+Spam+Increasing+the+Attackers+work+function/1836/
● Spider Trap URL - http://en.wikipedia.org/wiki/Spider_trap
Miscellany
Grafana Tips
● Shared Crosshair
– Dashboard Settings > Features > Shared Crosshair (Ctrl+O)
– Ease time correlation on multi-graph dashboards
● Templating Variables
– Dashboard Settings > Features > Templating
– Set a standard practice for variable names – POLA
– server, site, action, etc.
Grafana Tips
● Summarization window
– Templating > Variables > Add > Interval
– Include the auto option (step count = 200)
– summarize($window, max, false) in metrics
– Can hint to Graphite which resolution (retention archive) of the whisper data to read
● Tooltip: all series, individual
– Graph > Display Styles
– see all values at point in time
Grafana Tips
● Use annotations
– Esp. code releases, change windows
