Wednesday, June 13, 2007

Security Application Instrumentation

Last year I mentioned ModSecurity in relation to a book by its author. As mentioned on the project Web site, "ModSecurity is an open source web application firewall that runs as an Apache module." In a sense Apache is both defending itself and reporting on attacks against itself. I consider these features to be forms of security application instrumentation. In a related development, today I learned about PHPIDS:

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.

This sort of functionality needs to be built into every application. It is not sufficient (reasons to follow) but it is required.

We used to (and still do) talk about hosts defending themselves. I agree that hosts should be able to defend themselves, but that does not mean we should abandon network-level defenses (as the misguided Jericho Forum advocates).

Today we need to talk about applications defending themselves. When they are under attack they need to tell us, and when they are abused, subverted, or breached they would ideally also tell us.

In the future (now would be nice, but not practical yet) we'll need data to defend itself. That's a nice idea but the implementation isn't ready yet (or even fully conceptualized, I would argue).

Returning to applications: why is it necessary for an application to detect and prevent attacks against itself? Increasingly it is too difficult for third parties (think network infrastructure) to understand what applications are doing. If it's tough for inspection and prevention systems it's even tougher for humans. The best people to understand what's happening to an application are (presumably) the people who wrote it. (If an application's creator can't even understand what he/she developed, there's a sign not to deploy it!) Developers must share that knowledge via mechanisms that report on the state of the application, but in a security-minded manner that goes beyond the mainly performance and fault monitoring of today.

(Remember monitoring usually develops first for performance, then fault, then security, and finally compliance.)

So why isn't security application instrumentation sufficient? The problem is one should not place one's trust entirely in the hands of the target. One of Marcus Ranum's best pieces of wisdom for me was the distinction between "trusted" and "trustworthy." Just because you trust an application doesn't make it worthy of that trust. Just because you have no alternative but to "trust" an application doesn't make it trustworthy either. Trustworthy systems behave in the manner you expect and can be validated by systems outside of the influence of the target.

For most of my career my mechanism for determining whether systems are trustworthy has been network sensors. That's why they sit at the top of my TaoSecurity Enterprise Trust Pyramid. In a host- and application-centric world I might consider a second system with one-way direct memory access to a target to be the most trusted source of information on the target, followed by a host reporting its own memory, then other mechanisms including application state, logs, etc.

You can't entirely trust the target because it can be compromised and told to lie. Of course all elements of my trust pyramid (or any trust pyramid) can be compromised but the degree of difficulty (should) increase as isolation from the target is achieved.

I'll end this post with a plea to developers. Right now you're being taught (hopefully) "secure coding." I would like to see the next innovation be security application instrumentation, where you devise your application to report not only performance and fault logging, but also security and compliance logging. Ideally the application will be self-defending as well, perhaps offering less vulnerability exposure as attacks increase (being aware of DoS conditions of course).
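To make this concrete, here is an added example of what such an instrumentation layer can look like. It is written in Python rather than PHP and is my illustration, not code from PHPIDS or ModSecurity. It combines the two ideas on this page: the PHPIDS-style numerical impact rating with tiered responses (log, warn the user, end the session), and the dedicated security logging asked for in the plea above, emitted as structured records on a channel separate from the application's debug and fault output. The rule patterns, impact weights, response thresholds, parameter names and sample requests are all assumptions constructed for the example.

```python
import json
import logging
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# A dedicated "security" channel, kept apart from the application's own
# debug/info/error stream so analysts can route and alert on it separately.
security_log = logging.getLogger("security")

# Constructed detection rules: (name, pattern, impact). The patterns and the
# impact weights are illustrative assumptions, not PHPIDS's actual rule set.
RULES = [
    ("sqli_tautology", re.compile(r"""\b(or|and)\b\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I), 5),
    ("sqli_union", re.compile(r"\bunion\b.+\bselect\b", re.I), 6),
    ("sqli_comment", re.compile(r"(--|/\*)\s*$"), 3),
    ("xss_script_tag", re.compile(r"<\s*script", re.I), 6),
    ("xss_event_handler", re.compile(r"\bon(load|error|click|mouseover)\s*=", re.I), 4),
    ("path_traversal", re.compile(r"\.\.[/\\]"), 4),
    ("cmd_injection", re.compile(r"[;|`]\s*(cat|ls|id|wget|curl)\b", re.I), 5),
]

# Response tiers keyed on the cumulative per-session impact (assumed thresholds);
# the highest tier whose threshold is met wins, and below 1 the request is allowed.
TIERS = [(1, "log"), (8, "warn_user"), (15, "end_session")]


def score_request(params):
    """Return (impact, matches) for one request's parameters.

    Each value is URL-decoded once before matching so that an encoded
    %2e%2e%2f scores the same as a literal ../ .
    """
    impact, matches = 0, []
    for name, raw in params.items():
        value = unquote_plus(raw)
        for rule, pattern, weight in RULES:
            if pattern.search(value):
                impact += weight
                matches.append((name, rule))
    return impact, matches


class SecurityMonitor:
    """Accumulates impact per application session and picks a response.

    Escalation is keyed on the session, not the client address, so junk
    from one NAT address cannot lock out every user behind it; that is the
    DoS caveat. The per-session table is bounded so the monitor itself
    cannot be used to exhaust memory.
    """

    def __init__(self, max_sessions=10_000):
        self.max_sessions = max_sessions
        self.session_impact = defaultdict(int)

    @staticmethod
    def decision_for(total):
        action = "allow"
        for threshold, tier in TIERS:
            if total >= threshold:
                action = tier
        return action

    def inspect(self, session_id, client_ip, path, params):
        impact, matches = score_request(params)
        if impact == 0:
            return "allow"
        if session_id not in self.session_impact and len(self.session_impact) >= self.max_sessions:
            self.session_impact.clear()  # crude bound; a real deployment would use an LRU
        self.session_impact[session_id] += impact
        total = self.session_impact[session_id]
        action = self.decision_for(total)
        # One structured record per detection: who, where, what matched, how
        # bad, and what the application did about it. This is security and
        # compliance logging, not a debug line mixed into the app log.
        security_log.warning(json.dumps({
            "event": "input_attack_detected",
            "session": session_id,
            "client_ip": client_ip,
            "path": path,
            "impact": impact,
            "session_total": total,
            "rules": [rule for _, rule in matches],
            "params": sorted({name for name, _ in matches}),
            "action": action,
        }, sort_keys=True))
        if action == "end_session":
            self.session_impact.pop(session_id, None)  # the killed session starts over
        return action


if __name__ == "__main__":
    logging.basicConfig(format="%(name)s %(levelname)s %(message)s")
    mon = SecurityMonitor()
    # Constructed requests from one session, escalating from a benign search.
    for params in ({"q": "shoes"}, {"id": "1 OR 1=1"},
                   {"name": "<script>alert(1)</script>"}, {"cmd": "; cat /etc/passwd"}):
        print(mon.inspect("sess-42", "203.0.113.9", "/search", params))
```

Two design choices carry the security point. The escalation state lives in the application session rather than on the source address, so an attacker cannot turn the defense into a denial of service against everyone sharing a proxy or NAT gateway. And the detection record goes to its own named logger with a fixed schema, so a log pipeline can route "security" events to the people and systems that act on them instead of digging them out of the general application log.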

Eventually we should all be wearing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 LogLogic banner at right, because security will be more about analyzing and acting on instrumented applications and data and less about inspecting a security product's interpretation of attacks.

I am not trying to revoke my Response to Bruce Schneier Wired Story. SAI doesn't mean the end of the security industry. I saw in this story that Bruce Schneier is still on another planet:

In a lunch presentation, security expert Bruce Schneier of BT Counterpane also predicted a sea change. "Long term, I don't really see a need for a separate security market," he said, calling for greater integration of security technology into everyday hardware, software, and services.

"You don't buy a car and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n go buy anti-lock brakes from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 company that developed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m," Schneier quipped. "The safety features are bought and built in by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 company that makes cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 car." Major companies such as Microsoft and Cisco are paving cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 way for this approach by building more and more security features directly into cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir products, he noted.

"That doesn't mean that security becomes less important or that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re won't be innovation," Schneier said. "But in 10 years, I don't think we'll be going to conferences like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se, that focus only on security. Those issues will be handled as part of broader discussions of business and technology."


Schneier needs to study more history. I'll be at Black Hat or its equivalent in ten years, and he'll probably be there as another keynote!

Pete Lindstrom reminds me of my post that says car analogies fail unless the security concern is caused by an intelligent adversary. Inertia is not an intelligent adversary with certain threat advantages.

One final note on adversaries: first they DoS'd us (violating availability). Now they're stealing from us (violating confidentiality). When will they start modifying our data in ways that benefit them in financial and other ways (violating integrity)? We will not be able to stop all of it and we will need our applications and data to help tell us what is happening.


Incidentally, since I'm on the subject of logs I wanted to briefly say why I usually disagree with people who use the term "Tcpdump logs" or "Pcap logs." If you're storing full content network traffic, you are not "logging." You are collecting the actual data that was transferred on the wire. That is collection, not logging. If I copy and store every fax that's sent to a department, I'm not logging the faxes -- I am collecting them. A log would say:

1819 Wed 13 Jun 07 FAX RMB to ARB 3 pgs

or similar. In this sense session data could be considered logging, since sessions are records of conversations and not the actual conversations.

That said, logs are great because a single good log message can be more informative than a ton of content. For example, I would much rather read a log that says file X was transferred via SMB from user RMB to user ARB, etc., than try to interpret the SMB traffic manually.
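As an added illustration of the collection-versus-logging distinction (my example, not part of the original post), the Python below reduces constructed packet records, the kind of thing a pcap holds, into session records: who spoke to whom, when, for how long, and how much, with no payload kept at all. The addresses, ports, timestamps and sizes are invented for the example.

```python
from collections import OrderedDict
from datetime import datetime, timezone

# Constructed packet records standing in for a pcap:
# (epoch seconds, src ip, src port, dst ip, dst port, protocol, bytes on the wire).
# No payload is kept; a session record never needs it.
PACKETS = [
    (1181758740.0, "192.168.1.10", 49152, "192.168.1.5", 445, "tcp", 120),
    (1181758740.1, "192.168.1.5", 445, "192.168.1.10", 49152, "tcp", 96),
    (1181758741.5, "192.168.1.10", 49152, "192.168.1.5", 445, "tcp", 4096),
    (1181758742.0, "192.168.1.5", 445, "192.168.1.10", 49152, "tcp", 64),
    (1181758745.0, "10.0.0.7", 53000, "8.8.8.8", 53, "udp", 70),
    (1181758745.1, "8.8.8.8", 53, "10.0.0.7", 53000, "udp", 130),
]


def summarize(packets):
    """Fold packets into session records.

    The key is direction-independent (protocol plus the sorted endpoint
    pair) so both halves of a conversation land in one record; the first
    packet seen names the originator.
    """
    sessions = OrderedDict()
    for ts, src, sport, dst, dport, proto, size in sorted(packets, key=lambda p: p[0]):
        key = (proto, *sorted([(src, sport), (dst, dport)]))
        s = sessions.get(key)
        if s is None:
            s = sessions[key] = {
                "proto": proto, "orig": (src, sport), "resp": (dst, dport),
                "start": ts, "end": ts,
                "pkts_out": 0, "pkts_in": 0, "bytes_out": 0, "bytes_in": 0,
            }
        s["end"] = max(s["end"], ts)
        outbound = (src, sport) == s["orig"]
        s["pkts_out" if outbound else "pkts_in"] += 1
        s["bytes_out" if outbound else "bytes_in"] += size
    return list(sessions.values())


def format_session(s):
    """Render one session as a log line: who, whom, when, how long, how much."""
    start = datetime.fromtimestamp(s["start"], tz=timezone.utc)
    dur = round(s["end"] - s["start"], 3)
    return (f"{start:%Y-%m-%d %H:%M:%S} {s['proto']} "
            f"{s['orig'][0]}:{s['orig'][1]} -> {s['resp'][0]}:{s['resp'][1]} "
            f"{dur:.1f}s {s['pkts_out']}/{s['pkts_in']} pkts "
            f"{s['bytes_out']}/{s['bytes_in']} bytes")


if __name__ == "__main__":
    for session in summarize(PACKETS):
        print(format_session(session))
```

Run stand-alone it prints one line per conversation, for instance an SMB session from 192.168.1.10 to port 445 lasting two seconds with a few kilobytes sent. That line is a log entry in the sense above: a record that the conversation happened and what shape it had. The packets it was computed from are the collection, and the payload that would let you reconstruct the transferred file is only in the collection, never in the log.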

8 comments:

Anonymous said...

This is a very important point. I added some thoughts around IT security, and developers need to catch up to where the Anasazis were several hundred years ago:

http://1raindrop.typepad.com/1_raindrop/2007/06/building_coordi.html

"Security Design Patterns" by Blakley and Heath is an excellent (and free) guide to a number of important patterns for building security into your system with examples from Java, J2EE and CORBA systems

http://www.opengroup.org/bookstore/catalog/g031.htm

dre said...

Cigital posted on their blog about SOA and its relation to network engineering.

There are a few other APIPS products, as I mentioned in Gunnar's blog post follow-up above.

Anonymous said...

Agreed, log collection and analysis is a very important part of monitoring and investigation practices. However, please use anything besides the LogLogic product. It's a steaming pile of...unhappiness. ;-)

Anonymous said...

Why is it that discussion of de-perimeterisation often puts forward the notion that hosts that are able to defend themselves as part of a layered defense can disregard other traditional layers?

On the other hand, edge, endpoint, or network security offers little in the way of providing information-centric security.

De-perimeterisation would require a layered defense that starts at the host and works out to the network to determine where sensitive data may be released to. The last line of defense when constructing trust zones or channels becomes the firewall, which prevents the release of sensitive data out of the enterprise by working in conjunction with the trusted host servers to enforce policy and trust statements.

Thus, de-perimeterisation would seem to require an inside-out approach as opposed to outside-in that exists today.

Ironically, the Open Group has categorically thrown out the possible use of scalable multi-level security (which is what we do), based on traditional barriers of cost and complexity, and which would enable the goals of their organization to be realized.

Anonymous said...

informative posting.

greetings from the Philippine Instrumentation and Control Society!

Anonymous said...

I know I'm a little late reading this article. But it is definitely an issue I see all the time. Most developers, even if they know how to program securely, don't know how to properly log security-related events. I blame this partially on the logging toolkits we use. We have different logging levels such as DEBUG, WARN, INFO, etc. So if a developer was going to log a security event it will more than likely get mixed in with non-security events, making it more difficult to monitor these types of events.

I think one of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 best articles I've read recently is about logging:
http://www.securityfocus.com/infocus/1888

If developers used a framework such as what is described in the article, we might actually start seeing logs that are actually useful from a security perspective.

Richard Bejtlich said...

Jeremy -- great post. I used to work with Nish at Foundstone. His new company is Security Compass. It would be good if he blogged!
