Can Correlations Protect Web Applications?

Submitted by Ofer Shezaf on 19 August 2012 - 6:12pm

Last month at OWASP AppSec EU in Athens I gave a presentation about correlations and their role in application security. You can find the presentation here.

In a nutshell

I have been thinking for a long time about how best to use correlations to enhance application security. Nearly ten years ago I designed a correlation engine for an early Web Application Firewall. The supposition was that by combining several detection engines, or by examining recurring events, attack detection can be enhanced. Today most Web Application Firewalls offer a feature labeled “correlations” that builds on this promise.

At the time, the web was still in its first version, and attacks were mostly injection attacks. Since then both the threat landscape and web technology have evolved. Threats such as ticket scalping, web scraping, click fraud and auction sniping are causing more damage than injection attacks but are much harder to detect and mitigate. Therefore it might be just the right time for a second attempt at using correlations for securing applications.

What will you find in the presentation?

Problem space:

  • Survey of emerging web threats. In addition to those listed above, we will also look at SEO, game bots and survey hacking, as well as some more well-known threats such as brute forcing and denial of service.
  • Analysis of common characteristics of those threats and the challenge in detecting them.

Solution space:

  • Overview of correlations and how they can help detect and mitigate those threats.
  • Review of the correlation capabilities and limitations of several leading Web Application Firewalls (WAFs).
  • The advanced correlation capabilities of Security Information and Event Management (SIEM) systems and how those can augment WAFs to better detect and mitigate business logic threats.
