[Owasp-appsensor-project] Additional Detection Points - Suspicious External User Behavior

Colin Watson colin.watson at owasp.org
Fri Jun 11 04:47:05 EDT 2010


Michael and John

Okay I will add it but with as much explanation as possible.  I think
the concern about increasing the false positive rate is important...
and possibly leads into some more discussion about response actions.

Colin

On 11 June 2010 00:04, Michael Coates <michael.coates at owasp.org> wrote:
> I think this is a neat idea, being able to integrate multiple monitoring
> points. I think it's worth listing as a detection point in our documentation,
> but we should include some text on our concerns.
>
> My main concern is that the power of AppSensor is built on its accuracy and
> low false positive rate.  Other products typically do not take that same
> approach and have large quantities of false positives.  So any information
> from another product should only be used to possibly make AppSensor perform
> more logging or be more sensitive for a particular user.  Ultimately this is
> always an organization's decision based on their response policy in
> AppSensor, but I think this guidance would be important here.
>
> Michael Coates
> OWASP
>
> On 6/9/10 7:09 PM, John Melton wrote:
>
> Not sure I'm on board with this one ... someone else can correct me if I'm
> wrong, but this actually doesn't fit in the "application" doing detection.
> By definition, something outside the app is doing the detection and is
> feeding that info to the app.  I think these are worthwhile sensors that can
> produce data that an application could use to make decisions, but as for it
> being considered app detection, I don't generally see these as falling into
> that category.  I may be convinced otherwise however :>.
>
> On Wed, Jun 9, 2010 at 10:29 AM, Colin Watson <colin.watson at owasp.org>
> wrote:
>>
>> Suggestion to add a new detection point.  Has this already been ruled
>> out?  Should it be added?  Is the description/categorization suitable?
>>
>> Source
>> -----------------------------------
>> [Owasp-appsensor-project] AppSensor Feedback/Ideas, Sat Nov 21 13:32:39
>> EST 2009
>> https://lists.owasp.org/pipermail/owasp-appsensor-project/2009-November/000008.html
>>
>> Description
>> -----------------------------------
>> External (to the application) devices and systems (e.g. host and
>> network IDS, file integrity monitoring, disk usage monitoring,
>> anti-malware service, IPS, network firewall, web application firewall,
>> web server logging, XML gateway, database firewall, SIEM) have
>> detected anomalous behavior by the user (e.g. session or IP address).
>>
>> Suggested categorization
>> -----------------------------------
>> In the suggested new category "Reputation" (see RP1 Suspicious User IP
>> Address)
>> RP2 Suspicious External User Behavior
>> _______________________________________________
>> Owasp-appsensor-project mailing list
>> Owasp-appsensor-project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>
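The guidance quoted above, that information from external products should only make AppSensor log more or become more sensitive for a particular user, sketched as an added example (not code from this thread or from the AppSensor project). The class and function names, the thresholds and the event streams are hypothetical and constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

BASE_THRESHOLD = 5     # in-app events before a response (assumed value)
WATCHED_THRESHOLD = 3  # stricter threshold once an external system flags the user

@dataclass
class UserState:
    app_events: int = 0                               # in-application detections
    external_flags: set = field(default_factory=set)  # external systems that reported
    verbose_logging: bool = False

class Monitor:
    def __init__(self):
        self.users = defaultdict(UserState)

    def threshold(self, user):
        flagged = bool(self.users[user].external_flags)
        return WATCHED_THRESHOLD if flagged else BASE_THRESHOLD

    def external_event(self, user, source):
        """RP2-style report (WAF, IDS, SIEM ...): raises sensitivity only."""
        state = self.users[user]
        state.external_flags.add(source)
        state.verbose_logging = True
        return "log_more"  # never counted toward the response threshold

    def app_event(self, user, detection_point):
        """In-application detection point: the only input that can trigger a response."""
        state = self.users[user]
        state.app_events += 1
        if state.app_events >= self.threshold(user):
            return "respond"
        return "log_more" if state.verbose_logging else "none"

def replay(events):
    """Replay (kind, user, detail) tuples; return the action chosen for each."""
    monitor, actions = Monitor(), []
    for kind, user, detail in events:
        handler = monitor.external_event if kind == "external" else monitor.app_event
        actions.append(handler(user, detail))
    return actions

if __name__ == "__main__":
    # Constructed stream: a noisy external product alone never causes a response,
    # but it shortens the path to one when in-app detections follow.
    noisy = [("external", "alice", "waf")] * 10
    mixed = [("external", "carol", "ids")] + [("app", "carol", "in_app_point")] * 3
    print(replay(noisy))
    print(replay(mixed))
```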

