Live Security Monitoring
This article is intended for persons in charge of operations. It explains where to find the list of security events that are logged and how these events can be monitored to automatically detect questionable to outright malicious activity on the running application.
According to the OWASP Top 10 it is vital to be able to notice if an application is under attack. A best practice for doing so consists of the following steps:
- Monitor the Security Logs
- Scan new log entries for security events
- Evaluate if a certain combination of events should generate an alert in an automated way
- Automatically react on a security alert (e.g. by triggering a notification)
Monitor Security Logs
Inside the Tomcat log folder you will also find the application's security log. It is named [BOC PRODUCT NAME]_Security.log. Various third-party tools allow you to monitor this log file live and react to new log entries. A common pattern, which we also use in our cloud solution, is the combination of Elasticsearch, Logstash, and Kibana.
Scan for New Security Events
Once you are able to access live log information, the next step is to scan it for security events.
The following list contains all security event types that this version of the application might trigger: Security Event Types
Each security event type has a unique ID and a technical description.
Next you need to know the pattern of a security log entry:
%d{ISO8601} %X{sec-severity} [%t] [SECURITY] [C\=%X{sec-category}] [IP\=%X{sec-sourceip}] [UA\=%X{sec-useragent}] %m%n
The important properties are:
- %d{ISO8601}: The timestamp of the log entry
- %X{sec-severity}: The severity of the event
- [C\=%X{sec-category}]: The ID of the security event type
- [IP\=%X{sec-sourceip}]: The hash value of the IP address
- [UA\=%X{sec-useragent}]: The user agent, if available
- %m%n: An informative message with additional details
An example looks like this:
2019-03-19 11:24:07,997 INFO [http-nio-8080-exec-5] [SECURITY] [C=ADODEBUG3] [IP=1719016235] [UA=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.12] [S] [A82CE5B4E253B5443AFA77FCB1CC5909:10172] Changed session debug mode to: true
Triggering a Security Alert
Not every security event requires an action. It may also be that only a certain frequency of occurrence of a security event type within a certain time frame should cause a security alert.
The file Security Alert Pattern describes patterns of security event type occurrence in the log file that should cause a security alert. This information is written in JSON format to allow automatic processing. The JSON contains version information and, as its main part, the list of detection points. Here is an example of a detection point:
{
  "id": "DP004",
  "description": "Attack on authorization: An attacker tried to trigger admin functionality although he did not have the right to do so.",
  "attackType": [
    "Elevation of Privileges Attempt"
  ],
  "trigger": {
    "type": "SecurityLoggerEventTypeTrigger",
    "eventID": "ADOADMIN1",
    "threshold": {
      "once": true
    }
  },
  "actions": [
    {
      "type": "notificationAlert"
    }
  ]
}
It contains the following properties:
- id: The unique ID of the detection point.
- description: A short description of what the cause of this log pattern could be.
- attackType: A categorization of the type of attack attempt that is taking place.
- trigger: How the security alert of this detection point is triggered.
  - type: Which trigger mechanism is used; in our case it is the SecurityLoggerEventTypeTrigger.
  - eventID: The ID of the security event type according to the Security Event Types list.
  - threshold: Information on how often the event needs to occur within a certain time frame before the alert is triggered.
- actions: A list of actions that should automatically be carried out once the alert has been triggered.
You can use this information to configure your preferred monitoring tool to detect security alerts and react to them.
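As an added example (not BOC code), the following Python script parses security log lines according to the pattern above and evaluates detection points in the JSON structure of DP004 against them. The page only specifies the "once" threshold; the keys "count" and "seconds" for a frequency threshold, the detection point "DP-EXAMPLE", and all log lines except the page's own example are constructed assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta
# Regex for the documented log pattern; "\=" in the Log4j pattern is a literal "=".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<severity>\S+) \[(?P<thread>[^\]]*)\] "
    r"\[SECURITY\] \[C=(?P<event_id>[^\]]*)\] \[IP=(?P<ip_hash>[^\]]*)\] \[UA=(?P<ua>[^\]]*)\] (?P<msg>.*)$")
def parse_entry(line):
    """Named fields of one security log line, or None when it does not match the pattern."""
    m = LOG_RE.match(line)
    return m and {**m.groupdict(), "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")}
class DetectionPoint:
    """Evaluates one detection point (structure of the page's JSON) against a stream of entries."""
    def __init__(self, dp):
        self.id, self.threshold = dp["id"], dp["trigger"]["threshold"]
        self.event_id = dp["trigger"]["eventID"]
        self.actions = [a["type"] for a in dp["actions"]]
        self.seen = deque()  # timestamps of matching events inside the sliding window
    def feed(self, entry):
        """Return the actions to run if this entry trips the threshold, otherwise []."""
        if entry is None or entry["event_id"] != self.event_id:
            return []
        if self.threshold.get("once"):
            return self.actions
        # Assumed keys for a frequency threshold (the page names none): "count" within "seconds".
        self.seen.append(entry["ts"])
        while entry["ts"] - self.seen[0] > timedelta(seconds=self.threshold["seconds"]):
            self.seen.popleft()  # drop events that fell out of the time frame
        return self.actions if len(self.seen) >= self.threshold["count"] else []
def scan(lines, detection_points):
    """Run every detection point over the lines; returns [(line_no, dp_id, actions), ...]."""
    dps, alerts = [DetectionPoint(dp) for dp in detection_points], []
    for no, line in enumerate(lines, 1):
        entry = parse_entry(line)
        alerts += [(no, dp.id, acts) for dp in dps if (acts := dp.feed(entry))]
    return alerts
# DP004 as given on the page, plus a constructed frequency detection point (assumed keys).
DP004 = {"id": "DP004", "trigger": {"type": "SecurityLoggerEventTypeTrigger", "eventID": "ADOADMIN1",
         "threshold": {"once": True}}, "actions": [{"type": "notificationAlert"}]}
DP_FREQ = {"id": "DP-EXAMPLE", "trigger": {"type": "SecurityLoggerEventTypeTrigger", "eventID": "ADODEBUG3",
           "threshold": {"count": 3, "seconds": 60}}, "actions": [{"type": "notificationAlert"}]}
# Constructed log lines in the documented format (the first one is the page's own example).
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.12"
SAMPLE_LOG = [
    f"2019-03-19 11:24:07,997 INFO [http-nio-8080-exec-5] [SECURITY] [C=ADODEBUG3] [IP=1719016235] [UA={UA}] [S] [A82CE5B4E253B5443AFA77FCB1CC5909:10172] Changed session debug mode to: true",
    f"2019-03-19 11:24:30,001 INFO [http-nio-8080-exec-2] [SECURITY] [C=ADODEBUG3] [IP=1719016235] [UA={UA}] constructed: debug mode toggled",
    f"2019-03-19 11:24:50,250 INFO [http-nio-8080-exec-3] [SECURITY] [C=ADODEBUG3] [IP=1719016235] [UA={UA}] constructed: debug mode toggled",
    "2019-03-19 11:24:51,500 WARN [http-nio-8080-exec-7] [SECURITY] [C=ADOADMIN1] [IP=1719016235] [UA=] constructed: admin function denied",
    "this line is not a security event and is skipped",
]
```

Running `scan(SAMPLE_LOG, [DP004, DP_FREQ])` yields one alert for the third ADODEBUG3 event within 60 seconds and one for the single ADOADMIN1 event.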
In case you want the protection of live monitoring for security alerts but do not want to bother with configuring and operating it, please consider using our excellent cloud-based solution, where BOC takes care of this for you.