Seeing the Invisible

In our last article we discussed feedback loops and taking a defensive thinking approach. We identified three key areas where gaining feedback in your stack aligns security and DevOps. They are:

  • Application Security Feedback
  • Logging and Auditing Feedback
  • Usage Feedback

In this article we are breaking down these areas.

[N.B. To get the full context of this article, please read part 1 first.]

Application Security Feedback

It’s hard to think about modern approaches to delivering services without thinking about delivering them over the web. With the rise of microservices and the decoupled architecture patterns that come with them, dependence on web-based REST APIs is even higher. Most systems, as we now think of them, are really collections of loosely coupled applications delivered over the web. This hasn’t been an abrupt transition; the shift has been underway for the last 20 years. But even with a long history of building on the web, we have a dearth of mechanisms for detecting security problems in real time.

Many organizations implemented Web Application Firewalls (WAFs) a decade ago, but rarely did anyone operationalize them. Most were put in place for compliance adherence, namely PCI, and were generally left in listening mode with no defensive posture. Meanwhile, over the last ten years we have continued to see the same web application attack vectors exploited, and OWASP continues to issue similar guidance year over year in the OWASP Top Ten.

There are two main feedback loops to implement in application security: divergent patterns and known attacks. Divergent patterns, or signals, show up in the traffic itself: requests for resources that don’t exist, for example, or spikes in traffic from uncommon sources. Known attacks are common OWASP Top Ten items like XSS or injection attacks. Feedback loops in both areas bring visibility to otherwise neglected aspects of our systems.
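As an added example (not code from the original article or from Signal Sciences), here is a small Python detector that runs both feedback loops over constructed access log lines in combined log format: a pair of deliberately narrow XSS and SQL-injection signatures for the known-attack loop, and a per-source 404 ratio for the divergent-pattern loop. The log lines, addresses, signatures and thresholds are all made up for illustration and are far coarser than what a real WAF applies.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/users/42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /api/orders?id=7 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-admin/ HTTP/1.1" 404 0 "-" "curl/7.81"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /.env HTTP/1.1" 404 0 "-" "curl/7.81"
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "curl/7.81"
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /backup.zip HTTP/1.1" 404 0 "-" "curl/7.81"
198.51.100.9 - - [10/Oct/2023:13:55:42 +0000] "GET /api/users/1 HTTP/1.1" 200 480 "-" "curl/7.81"
192.0.2.33 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Oct/2023:13:56:03 +0000] "GET /api/orders?id=7%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative signatures for two OWASP Top Ten classes named in the article.
# Deliberately narrow: they demonstrate the feedback loop, not production-grade coverage.
KNOWN_ATTACK_PATTERNS = {
    "xss": re.compile(r"<\s*script|on\w+\s*=|javascript:", re.I),
    "sqli": re.compile(r"""['"]\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$""", re.I),
}


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_known_attacks(entry):
    """Known-attack loop: names of the signatures that fire on the URL-decoded request target."""
    decoded = unquote_plus(entry["target"])
    return [name for name, rx in KNOWN_ATTACK_PATTERNS.items() if rx.search(decoded)]


def divergent_sources(entries, min_requests=4, max_404_ratio=0.5):
    """Divergent-pattern loop: sources whose share of 404s suggests probing for resources that do not exist."""
    totals, not_found = Counter(), Counter()
    for e in entries:
        totals[e["src"]] += 1
        if e["status"] == "404":
            not_found[e["src"]] += 1
    return {
        src: not_found[src] / totals[src]
        for src in totals
        if totals[src] >= min_requests and not_found[src] / totals[src] > max_404_ratio
    }


def analyze(log_text):
    """Run both loops over a block of log text and return the signals they produce."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    known = defaultdict(list)
    for e in entries:
        for name in classify_known_attacks(e):
            known[name].append(e["src"])
    return {"known_attacks": dict(known), "divergent_sources": divergent_sources(entries)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for name, sources in report["known_attacks"].items():
        print(f"known attack [{name}] from {sorted(set(sources))}")
    for src, ratio in report["divergent_sources"].items():
        print(f"divergent pattern: {src} has 404 ratio {ratio:.0%}")
```

Both signals are computed on the same parsed entries, so the output of one loop (a source that is probing for files that are not there) can be held against the other (the same or a different source sending payloads that match a known class), which is the visibility the article is after.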

Logging and Auditing Feedback

In modern cloud architectures there is a higher dependence on the cloud provider for security. This has moved the attack landscape from physical networks to configuration and cloud settings. That makes logging and auditing even more crucial, because they can alert on changes in your infrastructure as well as provide a record of events.

They see me rolling with my Geiger Counter…

Providers like Amazon Web Services (AWS) offer a centralized logging service (for AWS it’s called CloudTrail) that records every configuration change made in your cloud account. On the hosts, auditd records the system commands run on each machine. Combining these two vectors of logging and auditing gives a clearer picture of the changes happening throughout the environment.
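To show what combining the two sources looks like in practice, here is an added Python example (not from the article, from Signal Sciences or from AWS) that normalizes constructed CloudTrail-style records and constructed auditd records into one ordered timeline. The field names follow the CloudTrail record format and the auditd SYSCALL/EXECVE record layout, but the event values, account id, serials and the list of "sensitive" API calls are assumptions made for the example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed CloudTrail-style records. The shape follows the CloudTrail record format;
# the account id, ARN, addresses and timestamps are made up.
SAMPLE_CLOUDTRAIL = """{"Records": [
 {"eventTime": "2023-10-10T13:55:36Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "sourceIPAddress": "203.0.113.7"},
 {"eventTime": "2023-10-10T13:57:02Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "sourceIPAddress": "203.0.113.7",
  "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
 {"eventTime": "2023-10-10T13:58:10Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "sourceIPAddress": "203.0.113.7"}
]}"""

# Constructed auditd records as an execve rule (e.g. `-a always,exit -F arch=b64 -S execve -k exec`)
# would produce them. One command yields a SYSCALL record and an EXECVE record sharing a serial.
SAMPLE_AUDITD = """\
type=SYSCALL msg=audit(1696946256.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2301 pid=2340 auid=1000 uid=1000 gid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1696946256.101:501): argc=2 a0="ls" a1="/var/log"
type=SYSCALL msg=audit(1696946291.532:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2350 pid=2360 auid=1000 uid=0 gid=0 comm="useradd" exe="/usr/sbin/useradd" key="exec"
type=EXECVE msg=audit(1696946291.532:502): argc=3 a0="useradd" a1="-m" a2="svc-deploy"
"""

# Assumed list of API calls worth surfacing; a real deployment tunes this to its own account.
SENSITIVE_CLOUD_EVENTS = {
    "AuthorizeSecurityGroupIngress", "CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutBucketPolicy",
}
AUDIT_MSG_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): (?P<body>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUID_UNSET = 4294967295  # auditd writes this when no login session owns the process


def cloudtrail_events(raw_json):
    """Reduce CloudTrail records to (time, actor, action) and flag the sensitive API calls."""
    out = []
    for rec in json.loads(raw_json)["Records"]:
        out.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "source": "cloudtrail",
            "actor": rec["userIdentity"]["arn"],
            "action": rec["eventName"],
            "flagged": rec["eventName"] in SENSITIVE_CLOUD_EVENTS,
        })
    return out


def auditd_events(raw_text):
    """Join SYSCALL and EXECVE records on their serial and flag commands run as root by a non-root login."""
    by_serial = {}
    for line in raw_text.splitlines():
        m = AUDIT_MSG_RE.match(line)
        if not m:
            continue
        rec = by_serial.setdefault(m["serial"], {"ts": int(m["ts"])})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
        if m["type"] == "SYSCALL":
            rec["uid"], rec["auid"] = int(fields["uid"]), int(fields["auid"])
        elif m["type"] == "EXECVE":
            rec["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    out = []
    for rec in by_serial.values():
        if "argv" not in rec or "uid" not in rec:
            continue  # incomplete pair; keep the timeline honest rather than guessing
        # auid is the original login uid and survives su/sudo, so uid=0 with a non-root auid is an elevation.
        escalated = rec["uid"] == 0 and rec["auid"] not in (0, AUID_UNSET)
        out.append({
            "time": datetime.fromtimestamp(rec["ts"], tz=timezone.utc),
            "source": "auditd",
            "actor": f"auid={rec['auid']} uid={rec['uid']}",
            "action": " ".join(rec["argv"]),
            "flagged": escalated,
        })
    return out


def timeline(cloudtrail_json, auditd_text):
    """Merge both sources into one chronological record of changes in the environment."""
    return sorted(cloudtrail_events(cloudtrail_json) + auditd_events(auditd_text), key=lambda e: e["time"])


if __name__ == "__main__":
    for e in timeline(SAMPLE_CLOUDTRAIL, SAMPLE_AUDITD):
        print(f"{e['time']:%H:%M:%S} {'!' if e['flagged'] else ' '} {e['source']:<10} {e['actor']:<45} {e['action']}")
```

Reading the merged timeline, a security-group change and a new access key in the account sit a minute apart from a root-level account creation on a host, which is exactly the kind of cross-source picture that neither log gives on its own.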

Usage Feedback

One of the more useful feedback loops is tied to customer usage. Are you experiencing a higher volume of logins? What about password changes? Have you seen more accounts created in the last hour than is normal? These are all subjective questions that depend on your current business state. More than likely some of these metrics are already being tracked within your organization, but they are not visible throughout it.

The “world’s smallest Geiger counter” brings the instrumentation to the user action level

When combined with application security feedback, these metrics become more powerful. Often they give clues as to how successful the attacks are. A spike in XSS attacks is a far more meaningful metric when correlated with the number of password change requests. Instrumenting the common user flows in your system and tying them to application security feedback can bring tremendous value to all sides: dev, ops, security and, most importantly, the business.
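As an added example, not part of the original article or of Signal Sciences’ product, the following Python scores each per-minute metric against its trailing window and reports the windows where a usage metric (password changes) spikes at the same time as, or one window after, the application-security metric (XSS attempts). The counts, the window size, the z-score threshold and the allowed lag are constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed per-minute counts (not real data): twelve minutes of instrumentation
# from the application-security loop (xss_attempts) and the usage loop (the rest).
SAMPLE_METRICS = {
    "xss_attempts":     [0, 1, 0, 0, 1, 0, 0, 14, 22, 19, 2, 0],
    "password_changes": [3, 4, 2, 3, 3, 4, 2, 3, 11, 15, 4, 3],
    "logins":           [50, 52, 48, 51, 49, 50, 53, 52, 50, 51, 49, 50],
}


def zscores(series, baseline=6):
    """z-score of each point against the `baseline` points before it (None until enough history)."""
    out = []
    for i, value in enumerate(series):
        window = series[max(0, i - baseline):i]
        if len(window) < baseline:
            out.append(None)
            continue
        mu, sigma = mean(window), pstdev(window)
        sigma = max(sigma, 1.0)  # floor so a perfectly flat baseline does not turn every blip into a spike
        out.append((value - mu) / sigma)
    return out


def spikes(series, threshold=3.0, baseline=6):
    """Indexes of the windows where the series sits `threshold` standard deviations above its baseline."""
    return {i for i, z in enumerate(zscores(series, baseline)) if z is not None and z >= threshold}


def correlated_spikes(metrics, attack_metric, usage_metric, max_lag=1, **kw):
    """Windows where the usage metric spikes together with, or up to `max_lag` windows after, the attack metric."""
    attack, usage = spikes(metrics[attack_metric], **kw), spikes(metrics[usage_metric], **kw)
    return sorted(u for u in usage if any((u - lag) in attack for lag in range(max_lag + 1)))


if __name__ == "__main__":
    for usage_metric in ("password_changes", "logins"):
        hits = correlated_spikes(SAMPLE_METRICS, "xss_attempts", usage_metric)
        print(f"xss_attempts vs {usage_metric}: correlated windows {hits or 'none'}")
```

Seen on their own, the password-change numbers in minutes 8 and 9 are just a busy period; lined up against the XSS spike that starts in minute 7, they become the strongest hint in the data that the attack is achieving something, while the login counts stay flat and are correctly left alone.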


At Signal Sciences we are building the industry’s first Next Generation Web Application Firewall (NGWAF). Signal Sciences works seamlessly across cloud, physical, and containerized infrastructure, providing security without breaking production traffic.