[Owasp-appsensor-project] Additional Detection Points - Suspicious External User Behavior

Michael Coates michael.coates at owasp.org
Thu Jun 10 19:04:50 EDT 2010


I think this is a neat idea, being able to integrate multiple monitoring 
points. I think it's worth listing as a detection point in our 
documentation, but we should include some text on our concerns.

My main concern is that the power of AppSensor is built on its accuracy 
and low false positive rate.  Other products typically do not take that 
same approach and have large quantities of false positives.  So any 
information from another product should only be used to possibly make 
AppSensor perform more logging or be more sensitive for a particular 
user.  Ultimately this is always an organization's decision based on 
their response policy in AppSensor, but I think this guidance would be 
important here.

Michael Coates
OWASP


On 6/9/10 7:09 PM, John Melton wrote:
> Not sure I'm on board with this one ... someone else can correct me if 
> I'm wrong, but this actually doesn't fit in the "application" doing 
> detection.  By definition, something outside the app is doing the 
> detection and is feeding that info to the app.  I think these are 
> worthwhile sensors that can produce data that an application could use 
> to make decisions, but as for it being considered app detection, I 
> don't generally see these as falling into that category.  I may be 
> convinced otherwise however :>.
>
> On Wed, Jun 9, 2010 at 10:29 AM, Colin Watson <colin.watson at owasp.org> wrote:
>
>     Suggestion to add a new detection point.  Has this already been ruled
>     out?  Should it be added?  Is the description/categorization suitable?
>
>     Source
>     -----------------------------------
>     [Owasp-appsensor-project] AppSensor Feedback/Ideas, Sat Nov 21
>     13:32:39 EST 2009
>     https://lists.owasp.org/pipermail/owasp-appsensor-project/2009-November/000008.html
>
>     Description
>     -----------------------------------
>     External (to the application) devices and systems (e.g. host and
>     network IDS, file integrity monitoring, disk usage monitoring,
>     anti-malware service, IPS, network firewall, web application firewall,
>     web server logging, XML gateway, database firewall, SIEM) have
>     detected anomalous behavior by the user (e.g. session or IP address).
>
>     Suggested categorization
>     -----------------------------------
>     In the suggested new category "Reputation" (see RP1 Suspicious
>     User IP Address)
>     RP2 Suspicious External User Behavior
>     _______________________________________________
>     Owasp-appsensor-project mailing list
>     Owasp-appsensor-project at lists.owasp.org
>     <mailto:Owasp-appsensor-project at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
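The guidance in this thread (an external report such as RP2 may only increase logging or sensitivity for a user, never trigger a response by itself) can be sketched as a response policy. This is an added example, not part of the thread and not AppSensor's own code; the class, thresholds, TTL, action names and the `IN-APP-1` label are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# All values below are assumed for illustration, not AppSensor defaults.
BASE_THRESHOLD = 3       # in-app events needed before a response
SENSITIVE_THRESHOLD = 2  # tightened threshold while an external report is live
EXTERNAL_TTL = 3600      # seconds an external report keeps a user "sensitive"

@dataclass
class UserState:
    app_events: int = 0
    external_until: float = 0.0  # time at which external suspicion expires
    audit: list = field(default_factory=list)

class ResponsePolicy:
    """Hypothetical policy: external signals tune sensitivity only."""

    def __init__(self):
        self.users = defaultdict(UserState)

    def report(self, user, point, source, now):
        """Record one event and return the action chosen for this user."""
        st = self.users[user]
        if source == "external":
            # RP2-style report from IDS/WAF/SIEM: possibly a false positive,
            # so it never counts toward the response threshold.
            st.external_until = max(st.external_until, now + EXTERNAL_TTL)
            st.audit.append((now, point, source))
            return "log_verbose"
        st.app_events += 1
        sensitive = now < st.external_until
        if sensitive:
            st.audit.append((now, point, source))  # extra detail while flagged
        threshold = SENSITIVE_THRESHOLD if sensitive else BASE_THRESHOLD
        if st.app_events >= threshold:
            return "respond"
        return "log_verbose" if sensitive else "log"

def replay(events):
    """Run constructed (user, point, source, time) tuples through a policy."""
    policy = ResponsePolicy()
    return [policy.report(*e) for e in events]

if __name__ == "__main__":
    # Constructed sample: ten WAF alerts, then two in-app detections.
    sample = [("alice", "RP2", "external", t) for t in range(10)]
    sample += [("alice", "IN-APP-1", "app", 10), ("alice", "IN-APP-1", "app", 11)]
    print(replay(sample))
```
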