Can Behavioral-based Technology Benefit the Secure Software Development Life Cycle? Speaker: Bob DeWolfe Title: Core Security Evangelist Company: DB Networks


Agenda

Problem: SQL Injection

Who’s watching “The Core”?

Can “behavioral-based” technology show you what is happening in The Core?

Can this technology help AppSec identify vulnerabilities/malicious activities in The Core?

SQL Injection Hall of Shame (# of Records or $ Loss)

[Chart: per-incident figures for 2007 to 2013, sized by number of records lost or dollar loss. Values shown range from 37,000 to 130,000,000 records and from $1.7M (2008) to $200M in losses; labelled entries include FBI/NASA (1,600,000) and Jordan (800,000). Annotation across the chart: “Getting worse”. Source: http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/]

Current News:
• Teen Hackers … $100M
• Target … 40M CC … 70M PII
• JP Morgan Chase
• 2009 - 2012 … $300M + 160M CC: NASDAQ, JCP, Discover, Heartland, Hannaford

How often do breaches get reported in the press?
• 10% of the time? 1% of the time?
• 0.1% of the time? 0.01% of the time?

Of those, how often is the exploit reported?
• 10% of the time? 1% of the time?
• 0.1% of the time? 0.01% of the time?

You do the math

All while growing in importance and flashing red on our dashboards

Independent research confirms threat level, pervasiveness, and growth
• Sample size = 50 organizations; 63,000 incidents; 1,367 confirmed breaches
• (April 2014) Sample size = 595 respondents; copies available

How can this be happening 15 years later?

• Inadequate investment in perimeter security (IDS/IPS, WAF)?
Nope. That has consumed the vast majority of IT security spending for over 25 years.

• Poor secure coding?
Nope. I’m personally familiar with the AppSec & developer-focused preventive technologies and education programs at JPMC, Target, and NASDAQ BEFORE the breaches.

• Lacking real-time pre-production detective solutions?
Nope. These organizations have invested heavily in DAST and Penetration Testing and have worked hard to feed these solutions with SAST findings.

How can this be happening 15 years later?

There is no Silver Bullet for completely preventing Core Network Security breaches … including SQL and LDAP Injection.

How can this be happening 15 years later?

But aren’t these infallible against SQL Injection?

• Stored Procedures
Nope: dynamic SQL built inside the procedure (EXECUTE IMMEDIATE) is just as injectable

• Parameterized Queries
Nope: inadequately coded (not fully bound)
Nope: need for SQL keywords, table names, column names (identifiers cannot be bound, so they get concatenated)
Nope: ad-hoc / dynamic SQL requirement / too many combinations

• Escaping Input
Nope: integer-based SQL Injection (an unquoted numeric context has no quote to escape)

What about LDAP? JNDI?
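The three “Nope” cases above, as an added example that is not from the presentation or from DB Networks. It uses an in-memory SQLite table built inline (a constructed `login` table with two rows, hypothetical data) and shows: a fully bound query that cannot be altered by input; a “parameterized” query whose ORDER BY column is concatenated because identifiers cannot be bound, which becomes a blind (order-based) injection point; and quote-escaping that changes nothing in an integer context. Each weak form is paired with its hardened counterpart. The function names and the `ALLOWED_SORT_COLUMNS` allow-list are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory table for the demo (not from the presentation)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (userid INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?, ?)",
                     [(1, "alex", "alexpass"), (2, "bob", "bobpass")])
    return conn


def login_fully_bound(conn, username, password):
    """Every attacker-controlled value is a bind parameter: input can never alter the statement."""
    rows = conn.execute("SELECT userid FROM login WHERE username = ? AND password = ?",
                        (username, password)).fetchall()
    return [r[0] for r in rows]


def list_users_partially_bound(conn, pattern, sort_col):
    """'Parameterized' but not fully bound: a column name cannot be a bind parameter,
    so the developer concatenated it. The ORDER BY expression is now an injection point."""
    sql = "SELECT userid FROM login WHERE username LIKE ? ORDER BY " + sort_col
    return [r[0] for r in conn.execute(sql, (pattern,)).fetchall()]


ALLOWED_SORT_COLUMNS = {"userid", "username"}  # assumed allow-list for the demo


def list_users_allowlisted(conn, pattern, sort_col):
    """Hardened form: identifiers are checked against a fixed allow-list before concatenation."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % sort_col)
    return list_users_partially_bound(conn, pattern, sort_col)


def escape_quotes(value):
    """The classic 'escape the input' defence: double every single quote."""
    return value.replace("'", "''")


def user_by_id_escaped(conn, user_id):
    """Escaping only protects a quoted string context. The integer context has no quotes,
    so 'escaped' input still rewrites the WHERE clause."""
    sql = "SELECT userid FROM login WHERE userid = " + escape_quotes(str(user_id))
    return [r[0] for r in conn.execute(sql).fetchall()]


def user_by_id_bound(conn, user_id):
    """Hardened form: coerce to the expected type, then bind."""
    rows = conn.execute("SELECT userid FROM login WHERE userid = ?", (int(user_id),)).fetchall()
    return [r[0] for r in rows]


# Blind (order-based) injection through the unbound ORDER BY: the same rows come back
# either way, but their order answers a yes/no question about another row's password.
BLIND_PROBE = ("CASE WHEN (SELECT password FROM login WHERE username = 'alex') LIKE 'a%' "
               "THEN userid ELSE -userid END")

if __name__ == "__main__":
    conn = make_db()
    print(login_fully_bound(conn, "' OR 1=1 --", "x"))        # []      : the quote is data, not syntax
    print(list_users_partially_bound(conn, "%", BLIND_PROBE))  # [1, 2]  : alex's password starts with 'a'
    print(user_by_id_escaped(conn, "0 OR 1=1"))                # [1, 2]  : escaping changed nothing
    print(user_by_id_bound(conn, "1"))                         # [1]
```

Note that the blind probe never produces an error or a different row set, which is exactly why a DAST tool looking for a return signal can miss it; the information leaks only through ordering.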

How can this be happening 15 years later?

But my organization uses … (false negatives listed):

• SAST
Broken dataflow analysis; missing code; improper criticality; missing custom rules; etc.

• DAST / Penetration Testing
Blind SQL Injection; unknown attack surface; missing workflow macros; insufficient authentication credentials; web services; etc.

• WAFs
YouTube: “WAF Bypass”; character encodings; an infinite number of signatures needed due to SQL language options; SSL/TLS

• Secure Coding initiatives
Competing priorities; differing education levels; gaps on the prior slide

Lots of slides / data to support this … come talk to me

How can this be happening 15 years later?

Still not convinced? How about:

• COTS / 3rd Party Components, Libraries, Applications

• Apps without Funding for Enhancement / Remediation

• Apps without Source Code for Remediation

• App Dev groups that don’t see the priority

• Any App you can’t securely code

What to do?

Continue using education, people, process, and technology to prevent and identify vulnerabilities
+
Monitor your Production Core Network

Core Network Monitoring

If there is no Silver Bullet and all of the techniques we’ve used for the past 15 years have gotten us to this point, we need to be monitoring our Production Core Network (DB, LDAP, etc.) and acting in real time to thwart attackers before they get a foothold.

• Blacklist? Nope … easily circumvented (just like WAFs are)
• Whitelist? Nope … impossible to maintain / blocks legitimate app requests
• Signatures? Nope … infinite combinations for the SQL/LDAP languages
• Behavioral

Who’s watching “The Core”?

[Diagram: Perimeter vs. Core. Perimeter layer: Network F/W, WAF, Network IDS, Network DoS, NAC, VPN, Reverse Firewall, Load Balancer. Core layer: Web / Application Servers and Database Servers, labelled “Critical Asset Protection”.]

Can Behavioral-based Technology Help?

Traditional blacklist / whitelist technologies cannot detect targeted attacks
An affirmative defense is necessary

“Know what you have. Know when it changes.”

[Diagram: inventory discovered from the protocols themselves (“It’s all in the protocols…”): application servers, discovered app servers, discovered DBs, an undocumented DB, DBA access, attribution requested. Incorporate TIME: busy app servers, busy connections, inactive DB, newly discovered DB, newly discovered app servers.]

Achieving the Behavioral-based Vision

1. Decode Protocols (including proprietary)
• SQL, No-SQL, FTP, Active X, LDAP, other…

2. Organize the Data Collected
• Create an easy-to-use Learning System

3. Create a Behavioral Model
• Identify deviations from the behavior learned

An Example: SQL Protocol

• The SQL protocol contains a wealth of information
• Know what you have! (static information…)
• Applications & application servers
• Database servers & the databases that are available
• Other end-point access…

• Things we’ve seen in the wild…
• Database sessions operating over wireless networks
• Application development mapped into production DBs
• Gbytes of unexpected traffic at unexpected times

• Know when it changes! (dynamic information…)
• New database online, or database inactive
• New end point active, new application server introduced
• And the potential for enforcing policy
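The “know what you have, know when it changes” idea from the inventory diagram and the static/dynamic lists above, as an added example that is not from the presentation or from DB Networks. It learns a baseline of which client endpoints talk to which databases from a first batch of session records, then evaluates a later batch for newly discovered endpoints, newly discovered databases, never-before-seen (client, database) pairs such as a workstation going directly to a database, databases that have gone inactive, and the busiest clients. The session records are constructed inline and the hostnames, database names, and the 7-day inactivity threshold are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed session records: (timestamp, client endpoint, database server, database name).
# Hypothetical names; not captured from any real deployment.
BASELINE_SESSIONS = [
    ("2014-05-01T09:00", "app-01", "db-01", "orders"),
    ("2014-05-01T09:05", "app-01", "db-01", "customers"),
    ("2014-05-01T10:00", "app-02", "db-01", "orders"),
    ("2014-05-02T02:00", "app-02", "db-02", "reports"),
    ("2014-05-03T09:10", "app-01", "db-01", "orders"),
]
NEW_SESSIONS = [
    ("2014-05-12T09:00", "app-01", "db-01", "orders"),
    ("2014-05-12T09:01", "app-01", "db-01", "orders"),
    ("2014-05-12T09:02", "app-01", "db-01", "customers"),
    ("2014-05-12T11:30", "ws-dba-17", "db-01", "customers"),  # direct end point never seen in the baseline
    ("2014-05-12T23:45", "app-02", "db-03", "legacy"),        # undocumented database
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def learn_baseline(sessions):
    """'Know what you have': the clients, databases and (client, database) pairs observed,
    plus when each database was last seen, so that TIME can be incorporated later."""
    model = {"clients": set(), "databases": set(), "pairs": set(), "last_seen": {}}
    for ts, client, host, db in sessions:
        key = (host, db)
        model["clients"].add(client)
        model["databases"].add(key)
        model["pairs"].add((client, key))
        model["last_seen"][key] = max(model["last_seen"].get(key, _ts(ts)), _ts(ts))
    return model


def detect_changes(model, sessions, now, inactive_after=timedelta(days=7)):
    """'Know when it changes': compare a new window of sessions against the learned baseline."""
    findings = {"new_clients": set(), "new_databases": set(), "new_pairs": set()}
    last_seen = dict(model["last_seen"])
    busy = Counter()
    for ts, client, host, db in sessions:
        key = (host, db)
        busy[client] += 1
        if client not in model["clients"]:
            findings["new_clients"].add(client)          # newly discovered end point / app server
        if key not in model["databases"]:
            findings["new_databases"].add(key)           # newly discovered (possibly undocumented) DB
        if (client, key) not in model["pairs"]:
            findings["new_pairs"].add((client, key))     # known parties, but a path never seen before
        last_seen[key] = max(last_seen.get(key, _ts(ts)), _ts(ts))
    findings["inactive_databases"] = {
        key for key, seen in last_seen.items() if _ts(now) - seen > inactive_after
    }
    findings["busiest_clients"] = busy.most_common(3)
    return findings


if __name__ == "__main__":
    model = learn_baseline(BASELINE_SESSIONS)
    for name, value in detect_changes(model, NEW_SESSIONS, "2014-05-13T00:00").items():
        print(name, value)
```

Running the same window that was used for learning back through `detect_changes` yields no findings, which is the sanity check to run before trusting the model on production traffic: a baseline that flags itself was learned from the wrong window.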

The Benefits of Behavioral Machine Learning

• No rules to write or maintain, ever!
• Improved accuracy in attack detection
• Cannot be defeated through obfuscation
• 40% - 60% of the SQL generated is sufficient to learn the application: the key advantage versus blacklist/whitelist
• Learning can be done quickly / automatically (a manual exercise for many applications): automated load generation; DAST “spidering” w/ OWASP ZAP Proxy

Target sql(175): select USERID from login where userName='alex' and password='alexpass'

Suspect sql(185): select USERID from login where userName= '' or 1=1 --' and password='junkpass'

Sophisticated, Real-Time SQL Inspection

[Decision flow; the branch labels shown on the slide are Certain, No, Maybe, Yes, Yes, Yes:]
• Is this SQL statement known safe?
• Does it contain suspicious SQL?
• Insertion on a known, safe statement?
• Does the insertion fall on a literal boundary?
• Is the request syntactically consistent?
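A simplified version of the learn-then-inspect flow above, applied to the target/suspect statement pair from the slides, as an added example that is not the presentation’s or DB Networks’ implementation. The tokenizer, the “skeleton” representation (literals replaced by `?`, comments dropped, case folded) and the verdict rule are assumptions of this demo: a statement whose skeleton was learned is known safe; otherwise the closest learned skeleton is found and the inserted tokens are examined, and new SQL structure (keywords or operators, rather than just differently placed literals) on top of a known statement is reported as an attack. This collapses the slide’s “insertion on a known statement” and “literal boundary” questions into one structural diff. The obfuscated variant is constructed to show why comment and case tricks do not change the skeleton.

```python
import re
from difflib import SequenceMatcher

# Tokenizer for the subset of SQL syntax this demo needs (an assumption, not a full lexer).
TOKEN_RE = re.compile(r"""
      (?P<comment>--[^\n]*|/\*.*?\*/)      # -- and /* */ comments
    | (?P<string>'(?:[^']|'')*')           # single-quoted literal, '' escapes a quote
    | (?P<number>\d+(?:\.\d+)?)            # numeric literal
    | (?P<word>[A-Za-z_][A-Za-z0-9_.$]*)   # keyword or identifier
    | (?P<op>[^\s\w])                      # operator or punctuation, one char at a time
""", re.VERBOSE | re.DOTALL)


def skeleton(sql):
    """Reduce a statement to its structure: literals become '?', comments are dropped,
    keywords and identifiers are case-folded. All legitimate variants of one application
    request (different user names, passwords, ids) map to the same skeleton."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "comment":
            continue
        if kind in ("string", "number"):
            out.append("?")
        elif kind == "word":
            out.append(m.group().lower())
        else:
            out.append(m.group())
    return tuple(out)


def learn(statements):
    """Learning phase: the set of skeletons the application was observed to generate."""
    return {skeleton(s) for s in statements}


def inspect(sql, learned):
    """Real-time inspection. A learned skeleton is safe with certainty. Otherwise find the
    closest learned statement and collect what the new statement inserted relative to it;
    inserted structure (anything other than a literal placeholder) means the input escaped
    its literal and added SQL, so the request is reported as an attack."""
    sk = skeleton(sql)
    if sk in learned:
        return {"verdict": "known-safe", "inserted": [], "closest": sk}
    closest = max(learned, key=lambda k: SequenceMatcher(None, k, sk).ratio())
    inserted = []
    for tag, i1, i2, j1, j2 in SequenceMatcher(None, closest, sk).get_opcodes():
        if tag in ("insert", "replace"):
            inserted.extend(sk[j1:j2])
    structural = [t for t in inserted if t != "?"]
    verdict = "attack" if structural else "suspect"
    return {"verdict": verdict, "inserted": structural, "closest": closest}


# The statement pair from the slides, plus constructed variants for the demo.
LEARNED = learn([
    "select USERID from login where userName='alex' and password='alexpass'",
])
SUSPECT = "select USERID from login where userName= '' or 1=1 --' and password='junkpass'"
OBFUSCATED = "SELECT userid FROM login WHERE username='x'/**/oR/**/'1'='1'/**/AND password='y'"
LEGIT = "SELECT USERID FROM login WHERE username = 'bob' AND password = 'bobpass'"

if __name__ == "__main__":
    for name, stmt in (("legit", LEGIT), ("suspect", SUSPECT), ("obfuscated", OBFUSCATED)):
        print(name, inspect(stmt, LEARNED)["verdict"], inspect(stmt, LEARNED)["inserted"])
```

The learning set here is one statement; in practice it is the skeletons collected from QA/Test traffic or from the DAST spidering the earlier slide mentions, and the `suspect` verdict (literal-only differences) is the case a human or a stricter boundary check would need to resolve.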

Traditional SDLC: QA/Test Environment

• 3rd Party & in-house developed applications, including SCADA
• DAST cannot identify vulnerabilities without a return signal (payload response, error message, etc.)
• Vulnerabilities make their way into Production: Blind SQL Injections

[Diagram: Development → QA/Test → Production]

Extended SDLC: Continuous Monitoring

• Vulnerability detection continues in Production: the most cost-effective way to identify & remediate vulnerabilities, including Blind SQL Injection
• Natural application usage exposes vulnerabilities: a continuation of SDLC benefits
• Rogue SQL; confirm no dynamic SQL; monitor in tandem w/ SOC

[Diagram: Development → QA/Test → Production, with Core IDS installed]

Case Study: Medical Website

• Lost PCI certification because of a breach: 10,000 usernames/passwords compromised
• Implemented Core IDS in Production
• 6 months later, during PCI re-certification, Core IDS discovers a Blind SQL Injection
• Commercial DAST reported “no vulnerabilities found”
• PCI certification granted that afternoon
• Today Core IDS is supporting their SDLC: 2 attacks & 12+ vulnerabilities identified through normal application usage, with orderly remediation

Conclusions

• Behavioral-based technology can benefit AppSec
• Confirm that your applications are behaving the way you intend them to behave
• Test & monitor 3rd Party / COTS applications
• Identify Blind SQL Injections
• Visibility beyond just QA/Test
• Identify user-generated SQL vulnerabilities
• Know that you have been attacked before the attacker knows
• The technology is available today! Easy to implement & easy to use
• Demonstration available

Questions?

Pass The Word: Companion Presentation

Identifying and Tracking Critical Software Infrastructure Using Behavioral-based Continuous Monitoring
Applicable to: ISSA, ISACA, OWASP, BeWize, IAPP, ISC2 Chapters

Animations: Continuous Monitoring & Analysis (2:15 min.); Adaptive Behavioral Analysis (2:01 min.)

New Whitepaper! Title: “SQL Injection Defense: There are No Silver Bullets”


Thank You

Speaker: Bob DeWolfe
Title: Core Security Evangelist
Company: DB Networks
Email: [email protected]