Blog

Monitoring up the Stack: App Monitoring, Part 2

By Gunnar

In the last post on application monitoring, we looked at why applications are an essential “context provider” and interesting data source for SIEM/Log Management analysis. In this post, we’ll examine how to get started with the application monitoring process, and how to integrate that data into your existing SIEM/Log Management environment.

Getting Started with Application Monitoring

As with any new IT effort, its important to remember that it’s People, Process and Technology – in that order. If your organization has a Build Security in software security regime in place, then you can leverage those resources and tools for building visibility in. If not, application monitoring provides a good entree into the software security process, so here are some basics to get started with Application Monitoring.

Application Monitors can be deployed as off the shelf products (like WAFs), and they can be delivered as custom code. However they are delivered, the design of the Application Monitor must address these issues:

  • Location: Where application monitors may be deployed; what subjects, objects, and events are to be monitored.
  • Audit Log Messages: How the Audit Log Observers collect and report events; these messages must be useful to the human(!) analysts who use them for incident response, event, management and compliance.
  • Publishing: The way the Audit Log Observer publishes data to a SIEM/Log Manager must be robust and implement secure messaging to provide the analyst with high-quality data to review, and to avoid creating YAV (Yet Another Vulnerability).
  • Systems Management: Making sure the monitoring system itself is working and can respond to faults.

Process

The process of integrating your application monitoring data into the SIEM/Log Management platform has two parts. First identify where and what type of Application Monitor to deploy. Similar to the discovery activity required for any data security initiative, you need to figure out what needs to be monitored before you can do anything else. Second, select the way to communicate from the Application Monitor to the SIEM/Log Management platform. This involves tackling data formats and protocols, especially for homegrown applications where the communication infrastructure may not exist.

The most useful Application Monitor provides a source of event data not available elsewhere. Identify key interfaces to high priority assets such as message queues, mainframes, directories, and databases. For those interfaces, the Application Monitor should give visibility into the message exchanges to and from the interfaces, session data, and the relevant metadata and policy information that guides its use. For applications that pass user content, the interception of messages and files provides the visibility you need. In terms of form factor for Application Monitor deployment (in specialized hardware, in the application itself, or in an Access Manager), performance and manageability are key aspects, but less important than what subjects, objects, and events the Application Monitor can access to collect and verify data.

Typically the customer of the Application Monitor is a security incident responder, an auditor, or other operations staff. The Application Monitor domain model described below provides guidance on how to communicate in a way that enables this customer to rely on the information found in the log in a timely way.

Application Monitor Domain Model

The Application Monitor model is fairly simple to understand. The core parts of the Application Monitor include:

  • Observer: A component that listens for events
  • Event Model: Describes the set of events the Observer listens for, such as Session Created and User Account Created
  • Audit Log Record Format: The data model for messages that the Observer writes to the SIEM/Log Manager, based on Event Type
  • Audit Log Publisher: The message exchange patterns, such as publish and subscribe, that are used to communicate the Audit Log Records to the SIEM/Log Manager

These areas should be specified in some detail with the development and operations teams to make sure there is no confusion during the build process (building visibility in), but the same information is needed when selecting off-the-shelf monitoring products. For the Event Model and Audit Log Record, there are several standard log/event formats which can be leveraged, including CEE (from Mitre and ArcSight), XDAS (from Open Group), and PCI DSS (from you-know-who). CEE and XDAS give general purpose frameworks for types of events the observer should listen for and which data should be recorded; the PCI DSS standard is more specific to credit card processing. All these models are worth reviewing to find the most cost-effective way to integrate monitoring into your applications, and to make sure you aren’t reinventing the wheel.

To tailor the standards to your specific deployment, avoid the “drinking from the firehose” effect, where the speed and volume of incoming data make the signal-to-noise ratio unacceptable. As we like to say at Securosis: just because you can doesn’t mean you should. Or think about phasing in the application monitoring process, where you collect the most critical data initially and then expand the scope of monitoring over time to gain a broader view of application activity.

The Event Model and Audit Records should collect and report on the areas described in the previous post (Access Control, Threats, Compliance, and Fraud). However, if your application is smart enough to detect malice or misuse, why wouldn’t you just block it in the application anyway? Ay, there’s the rub. The role of the monitor is to collect and report, not to block. This gets into a philosophical discussion beyond the scope of this research, but for now suffice it to say that figuring out if and what to block is a key next step beyond monitoring.

The Event Model and Audit Records collected should be configureable (not hard-coded) in a rule or other configuration engine. This enables the security team to flexibly turn logging events up and down, data gathering, and other actions as needed without recompiling and redeploying the application.

The two main areas the standards do not address are the Observer and the Audit Log Publisher. The optimal placement of the Observer is often a choke point with visibility into a boundary’s (for example, crossing technical boundaries like Java to .NET or from the web to a mainframe) inputs and outputs. Choke points can be organizational (B2B connection), zone (DMZ/Internal), or state-based (account upgrade, transaction executed). The goal in specifying the location of the Application Monitor is to identify areas where valuable assets need not just protection, but also detection. A choke point in an application provides a centralized location to collect and report on inbound and outbound access. This can mean a WAF at the boundary of web applications, or it can be further down in the stack, but the choke point must have access to the message payload data and be able to parse and make sense of the data to be useful to security analysts.

The Audit Log Publisher must be able to communicate messages to the SIEM/Log Management platform using secure enterprise-class messaging. This means guaranteed delivery and that policies can define when messages are delivered in order, at least once, and at most once. Some examples of enterprise class messaging are JMS and MQ Series. The messages must also be signed and hashed for authentication and integrity purposes.

Where to Go Next

As with many application security efforts, Security must plan an integration strategy. After all, to build security in and monitor applications, the “in” means integration. This can be done at the edge of the application, as through a Web Application Firewall or Filter (where the integration is typically focused on resources like the URI and HTTP streams); or it can be integrated closer to the code through application logging in the application. The book “Enterprise Integration Patterns” by Gregor Hohpe and Bobby Woolf (and companion website: http://www.enterpriseintegrationpatterns.com/) contains plenty of useful real-world guidance on getting started with integration, including patterns for Endpoints (where application monitors may be deployed), message construction and transformation (where and how Audit Log Observers collect and report events), message channels and routing (how publishers send data to a SIEM/Log Manager), and systems management (making sure it works!). Whether delivered as an off-the-shelf product such as a WAF or in custom code, the combination of these patterns makes for an end-to-end integrated system that can report context straight from the authoritative source – the application.

No Related Posts
Comments

Great post, thanks - one clarification however: ArcSight does not use CEE; that is something being created by Mitre and is not implemented in any products, as far as I know. Here is a post on the CEE forum in August, by a Mitre engineer:

——
First of all, let me answer the question that is in all of your heads: No, CEE is not dead… After a slow start, the work pace has picked up over the past couple of months.

I apologize for the extremely long delay in posting any details regarding the state of CEE.
——

On the other hand, ArcSight makes its Common Event Format available to companies that wish to implement it, we have 30+ third-parties generating CEF logs, and just under 20% of the total global SIEM market uses CEF (i.e. ArcSight’s customer base).

By Rick Caccia


If you like to leave comments, and aren’t a spammer, register for the site and email us at info@securosis.com and we’ll turn off moderation for your account.