November 19, 2008

Explaining Dynamic Profiling - Part II

In my previous post (Explaining Dynamic Profiling - Part I), I wrote about the issues with the existing White/Black list security model. In this post I'll explain the key components for an ideal security solution:
 
Self Learning Capabilities
A typical Web (HTTP, HTTPS) and SQL profile includes thousands of URLs and SQL queries. Each URL includes several parameters with different constraints. Each SQL query has different properties, such as which users and IP addresses are allowed to invoke the query.
For obvious reasons, it is impossible to manually configure and maintain so many URLs and SQL queries, each with its own unique properties and constraints.
 
The security solution must include robust and comprehensive self-learning capabilities so that the profiles can be built automatically. As Web applications are very dynamic--with new URLs and SQL queries added and changed on a daily basis--the solution must also include sophisticated capabilities that automatically maintain up-to-date profiles at any given moment.
What's Entailed
1. Dynamic profiling comprises receiving enterprise application events (processed by network sensors or agents) and analyzing them.
2. The method further comprises generating an adaptive normal behavior profile (NBP), where the adaptive NBP includes a set of profile items, each of which comprises a set of profile properties.
3. The method must also be able to perform statistical analysis to determine whether the adaptive profile is in a "stable state."

Profiling
Application data security solutions require a comprehensive model of acceptable application usage. This model includes:
 
1. For Web environments, the security solution must know which URLs are authorized for each specific application, which parameters are authorized for each URL, and the constraints on each parameter. When attackers try to alter parameters or send unauthorized URLs, the solution must be able to detect and analyze the attempt.
2. The solution must also trace cookies to make sure that users are not manually altering cookies or adding unauthorized cookies.
3. The profile must also be extended to SQL traffic.
4. The database is the most sensitive and critical asset of the Web application. The solution must analyze database traffic and make sure that attackers are not trying to generate unauthorized or malicious database input or output.

Accuracy
A practical solution must be accurate. False positives would generate unnecessary alarms that might prevent legitimate users from performing their tasks, while also adding to the burden on the operations and security teams. At the same time, the solution must not put the organization at risk by softening the security requirements to reduce the false-positive rate, since that creates a different (and more dangerous) problem: false negatives.

The following diagram illustrates the relationship between accuracy (false positive and false negative) and the policy methods used.
[Diagram: Comparing Positive and Negative models with Dynamic Profiling]
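To make the "What's Entailed", "Profiling" and "Accuracy" sections concrete, here is an added Python sketch (illustration only, not the product or method this post describes). It learns profile items from constructed Web and SQL events: per URL, the parameter set and each parameter's value type and length range; per query shape, the database users and client IPs that invoke it. A profile item is enforced only once it reaches a "stable state", here approximated as a run of STABLE_MIN events that changed nothing, so that alerts are not raised while an item is still being learned. STABLE_MIN, the event helpers and the sample events are all assumptions made for this example.

```python
"""Toy dynamic profiler: learns a normal behaviour profile (NBP) from application
events and enforces a profile item only after it has reached a stable state.
Added illustration, not the product or method described in the post."""
from dataclasses import dataclass, field
import re

STABLE_MIN = 20  # assumed threshold: consecutive events that changed nothing


def classify(value: str) -> str:
    """Coarse value type of a parameter, one of the learned constraints."""
    if re.fullmatch(r"-?\d+", value):
        return "int"
    if re.fullmatch(r"[A-Za-z0-9_\-]+", value):
        return "alnum"
    return "any"


def web_event(url: str, params: dict) -> tuple:
    """Profile item key plus the properties observed in one HTTP request."""
    props = {"params": set(params)}
    for name, value in params.items():
        props[f"{name}.type"] = classify(value)
        props[f"{name}.len"] = len(value)
    return ("web", url), props


def normalize_sql(query: str) -> str:
    """Replace string and numeric literals so each query shape is one profile item."""
    query = re.sub(r"'[^']*'", "?", query)
    return re.sub(r"\b\d+\b", "?", query)


def sql_event(query: str, user: str, client_ip: str) -> tuple:
    return ("sql", normalize_sql(query)), {"users": user, "ips": client_ip}


@dataclass
class ProfileItem:
    properties: dict = field(default_factory=dict)  # name -> set of str | (min, max)
    unchanged_streak: int = 0

    def stable(self) -> bool:
        return self.unchanged_streak >= STABLE_MIN

    def _learn_value(self, name, value) -> bool:
        """Fold one observation into a property; True if the property changed."""
        if isinstance(value, int):  # numeric property: track a [min, max] range
            lo, hi = self.properties.get(name, (value, value))
            new = (min(lo, value), max(hi, value))
            changed = self.properties.get(name) != new
            self.properties[name] = new
            return changed
        values = {value} if isinstance(value, str) else set(value)
        known = self.properties.setdefault(name, set())
        changed = not values <= known
        known |= values
        return changed

    def learn(self, props: dict) -> None:
        changes = [self._learn_value(n, v) for n, v in props.items()]
        self.unchanged_streak = 0 if any(changes) else self.unchanged_streak + 1

    def check(self, props: dict) -> list:
        """Violations of the learned constraints for one event."""
        violations = []
        for name, value in props.items():
            learned = self.properties.get(name)
            if learned is None:
                violations.append(f"{name}: never seen")
            elif isinstance(value, int):
                lo, hi = learned
                if not lo <= value <= hi:
                    violations.append(f"{name}={value} outside [{lo}, {hi}]")
            else:
                values = {value} if isinstance(value, str) else set(value)
                extra = sorted(values - learned)
                if extra:
                    violations.append(f"{name}: unexpected {extra}")
        return violations


class Profile:
    def __init__(self):
        self.items = {}

    def observe(self, event) -> None:
        key, props = event
        self.items.setdefault(key, ProfileItem()).learn(props)

    def evaluate(self, event) -> tuple:
        """('learning', []) until the item is stable, then ('allow'|'alert', violations)."""
        key, props = event
        item = self.items.get(key)
        if item is None or not item.stable():
            return "learning", []
        violations = item.check(props)
        return ("alert" if violations else "allow"), violations


TRAINING = [  # constructed sample events, not captured traffic
    web_event("/account", {"id": "17", "tab": "orders"}),
    web_event("/account", {"id": "4096", "tab": "profile"}),
    web_event("/search", {"q": "laptop"}),
    sql_event("SELECT * FROM orders WHERE cust_id = 17", "app_ro", "10.0.0.5"),
    sql_event("SELECT * FROM orders WHERE cust_id = 4096", "app_ro", "10.0.0.6"),
]


def train_profile(cycles: int = 12) -> Profile:
    """Replay the sample events; /account and the SQL item become stable, /search does not."""
    profile = Profile()
    for _ in range(cycles):
        for event in TRAINING:
            profile.observe(event)
    return profile


if __name__ == "__main__":
    p = train_profile()
    print(p.evaluate(web_event("/account", {"id": "17 OR 1=1", "tab": "orders"})))
    print(p.evaluate(sql_event("SELECT * FROM orders WHERE cust_id = 99", "app_ro", "203.0.113.9")))
```

With the sample replay, a tampered `id` value on `/account` violates both the learned type and length constraints, an unknown `admin` parameter violates the parameter set, and the orders query from an IP that never invoked it is flagged, while `/search` is still reported as "learning" because it has not seen enough unchanged events to be enforced. That last case is the false-positive control the Accuracy section calls for: an item that is still changing is not enforced, rather than being enforced with loosened constraints.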


In the next post, I'll (try to) explain how this all works in real life.