Filed under: IIS & HTTP
Despite our best preventive efforts and proactive measures, practices, and training, security breaches still happen. It is simply a fact of life today. Even the most prepared CISOs could handle a breach quickly if they knew when it was going to occur, but there is no spidey sense that tingles when an attacker makes their way into your database, and no alarm that sounds when a user's session is hijacked and unauthorized permissions are obtained. Certain activities can, however, help you notice unusual and potentially dangerous activity around your web assets. They include:
- Configuring alerts
- Using reporting tools
- Monitoring your app
These activities are vital for dealing with an incident effectively. Alerts (via email, SMS, etc.) give application and site owners a way to know that they are under attack. It's as if the app is shouting "Help! Something is wrong!" Regular use of reports gives site owners a way to monitor normal usage on the site and quickly recognize unusual activity. But the benefits do not end there.
1. Knowing Is Half the Battle
Alerting and reporting tools shed light on what is really happening behind the scenes. Without insight into the day-to-day, and without alerts when something has gone wrong, you are working blind. Is it rational to assume operations are running smoothly simply because nothing has blown up, or because you haven't received an angry call or email from a complaining customer?
Relying solely on alerts keeps you reactive: you only learn about a problem after it has triggered a rule. Regular reporting and monitoring are the proactive side, and they help you spot potential issues before they get out of hand.
2. Timely Response
Timing is everything in web application incident response. By responding to an incident quickly, you shrink the window during which damage can be done, and you let your team move faster to find out what went wrong and how to remedy it. Email and SMS alerts let everyone (or key staff) know when something is up. Once you are aware that an incident has occurred, you can get into the logs and see what happened. With the right tool, you can temporarily block an IP address while you look into the legitimacy of the threat. Fast recognition and a quick response can be the difference between a major breach and a minor, mitigated attack.
3. Observing Trends
Observing trends is a useful way to learn the status quo for activity on your site. Reviewing those trends on a regular basis gives you a point of reference for gauging the seriousness of any change. If you never view a report or monitor activity, you would have no idea whether twenty SQL injection attempts in a day were normal or completely out of the ordinary.
Trends also help you understand which types of threats matter most to your particular site. For example, if you see an unusual number of errors on a particular page or form, you can spend extra time hardening that page or form. If a web application firewall is protecting it, you can check and update your rules. And if you are using third-party tools, you can check that they are free of known security vulnerabilities an attacker could be trying to exploit.
4. Spotting Anomalies
Once you have a handle on normal activity trends, anomalies are easier to identify. Here's a scenario: you suddenly start seeing thousands of 404s on URLs that never existed on your site, when you typically see a handful a day. You have an anomaly on your hands, and it is quite likely that someone is rattling doorknobs on your site. What are you going to do about it?
Spotting anomalies in your web application is similar to how your bank monitors your credit or debit card for fraudulent activity. In both cases a trend of normal use is established first. When a severe deviation from that trend takes place, it is reasonable to infer that something worth investigating has occurred. In the case of a credit card, the bank will typically freeze the account until it verifies that the cardholder is indeed responsible for the suspect transactions. For a web app you obviously cannot take down the site to investigate, but the suspect user(s) can be blocked temporarily until an investigation takes place. Treat an IP block as a stopgap rather than a fix: an attacker can move to another address, and blocking an address shared by many users (a corporate NAT gateway or a proxy) can cut off legitimate traffic, so review such blocks and lift them once the investigation is done.
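The baseline-then-anomaly approach described above (and the temporary IP block that follows it) as an added, runnable example. This is not ServerDefender VP code or its alert logic; it is a stand-alone Python script written for this page. It parses IIS W3C access log lines, counts 404 responses per day, builds a baseline from the earlier days, flags a day whose 404 count is far above that baseline, lists the client IPs responsible, and emits the IIS `ipSecurity` (IP Address and Domain Restrictions) fragment that would deny them. The log lines are constructed for the example; the threshold rule (mean + 3 standard deviations, with an absolute floor of 20) is an assumption chosen for illustration, not a setting of any product.

```python
"""Baseline-and-anomaly check over IIS W3C access logs (constructed sample data).

Added example for this page, not ServerDefender VP code. Parses the #Fields
directive, counts 404 responses per day, builds a baseline from the earlier
days and flags a day whose 404 count is far above that baseline. For a flagged
day it lists the client IPs responsible and emits an IIS <ipSecurity> fragment
that would temporarily deny them.
"""
import statistics
from collections import Counter, defaultdict
from datetime import date, timedelta
from xml.etree import ElementTree as ET


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # #Software, #Version, #Date directives
            continue
        if fields is None:
            raise ValueError("request line seen before #Fields directive")
        values = line.split()            # W3C is space-delimited; spaces inside a field are written as '+'
        if len(values) != len(fields):
            continue                     # truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def daily_404s(rows):
    """Return (404 count per day, per-day 404 count per client IP)."""
    per_day = Counter()
    per_day_ip = defaultdict(Counter)
    for r in rows:
        if r["sc-status"] == "404":
            per_day[r["date"]] += 1
            per_day_ip[r["date"]][r["c-ip"]] += 1
    return per_day, per_day_ip


def find_anomalies(per_day, min_baseline_days=3, sigmas=3.0, floor=20):
    """Flag each day whose 404 count exceeds mean + sigmas*stdev of all earlier days.
    `floor` is an absolute minimum so that going from 2 to 7 hits is not an alert.
    (Threshold rule is an assumption for this example.)"""
    anomalies = []
    history = []
    for day in sorted(per_day):
        count = per_day[day]
        if len(history) >= min_baseline_days:
            threshold = max(statistics.fmean(history) + sigmas * statistics.pstdev(history), floor)
            if count > threshold:
                anomalies.append((day, count, round(threshold, 1)))
        history.append(count)
    return anomalies


def ip_security_fragment(ips):
    """Build <system.webServer><security><ipSecurity> XML denying the given IPs.
    This is IIS 'IP Address and Domain Restrictions'; the feature must be installed
    and the section unlocked for a site-level web.config to carry it."""
    root = ET.Element("system.webServer")
    sec = ET.SubElement(root, "security")
    ipsec = ET.SubElement(sec, "ipSecurity", allowUnlisted="true")
    for ip in ips:
        ET.SubElement(ipsec, "add", ipAddress=ip, allowed="false")
    return ET.tostring(root, encoding="unicode")


def build_sample_log():
    """Constructed log: five quiet days, then a day of doorknob rattling (RFC 5737 addresses)."""
    header = ("#Software: Microsoft Internet Information Services 10.0\n"
              "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken\n")

    def req(d, ip, uri, status):
        return f"{d} 10:00:00 10.0.0.5 GET {uri} - 443 - {ip} Mozilla/5.0 - {status} 0 0 5"

    lines = []
    start = date(2024, 5, 1)
    for i in range(5):                       # normal traffic: a handful of 404s per day
        d = start + timedelta(days=i)
        lines += [req(d, "198.51.100.7", "/index.html", 200)] * 40
        lines += [req(d, "198.51.100.8", "/old-link", 404)] * (2 + i % 3)
    scan_day = start + timedelta(days=5)     # scanner probing paths that never existed
    for n in range(60):
        ip = "203.0.113.9" if n < 45 else "203.0.113.10"
        lines.append(req(scan_day, ip, f"/probe/{n}.php", 404))
    lines += [req(scan_day, "198.51.100.7", "/index.html", 200)] * 40
    return header + "\n".join(lines) + "\n"


def investigate(log_text, top=5):
    """Run the pipeline; returns (anomalies, {day: [(ip, count), ...]}, ipSecurity XML)."""
    per_day, per_day_ip = daily_404s(parse_w3c(log_text))
    anomalies = find_anomalies(per_day)
    suspects = {day: per_day_ip[day].most_common(top) for day, _, _ in anomalies}
    block_ips = sorted({ip for pairs in suspects.values() for ip, _ in pairs})
    return anomalies, suspects, ip_security_fragment(block_ips)


if __name__ == "__main__":
    found, who, xml = investigate(build_sample_log())
    for day, count, thr in found:
        print(f"{day}: {count} 404s (threshold {thr}) -> {who[day]}")
    print(xml)
```

On the sample data only the sixth day is flagged (60 404s against a threshold of 20), and the two probing addresses are the only ones in the generated fragment; the address that produced the everyday handful of 404s is not. A day with zero 404s never appears in the log and so is absent from the baseline; for production use, fill in missing days with zero before computing the statistics.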
Now that you know how reporting can help you ratchet up security, we'd like to share some ways to maximize your return on investment (ROI) using ServerDefender VP.
ServerDefender VP and Alerting, Monitoring, and Reporting
We built our web application firewall to keep users apprised of the events taking place on their web application. Alerting was (of course) an essential part of this, and it is a component we use on our own web properties.
Alert criteria are set through ServerDefender VP's alert configuration panel, where parameters establish which types of events trigger alerts. Alerts can be sent via email, SNMP, the Windows Event Log, or Syslog-NG.
When an alert fires, we receive a formatted email with the details of the event that took place on the site. From within this message we can temporarily block the offending IP address, which buys time to go into the logs and investigate the incident.
Daily email reports provide a high-level view of what is happening on monitored sites. This form of reporting is useful for observing trends and offers a more hands-off approach; busy system administrators use it to stay aware of the security stats on their sites.
Wondering how these reports would look with your site's data, or want to show your team how they could help your organization? We offer a free 30-day trial of SDVP so you can give it a spin.