Here is an online presentation I gave at WordSesh 2013. Always weird when you give an online presentation, unable to gauge the crowd and respond accordingly. Look forward to your feedback.
I’ll be in Miami this weekend, April 5 – 7th, 2013, for WordCamp Miami. I’ll be giving a new, updated, talk on Website Security on Saturday. You should come by and say hi if you’re around. If you’re not, no problem, you can see my slides here:
Here is the video recording of my talk on the presentation above. Unfortunately we had a few technical difficulties so you’ll have to follow on the slide deck I have above.
OSSSEC is my preferred host-based intrusion detection system (HIDS). I have to admit I am a bit partial to it because my good friend Daniel Cid built it and sold it to Trend Micro / Third Brigade back in 2008. I have what many don’t have, that’s the ability to pester Daniel until he tells me and guides through all my issues. In the process I have learned a number of things and made some very interesting observations about the product, here is where I will be sharing them.
Being that my focus is on website security my employment and utilization of the product will be as such. I won’t talk much to the configuration and monitoring of large scale enterprises, but will likely get into large n-tier implementations of web enterprises. This could include the utilization of load balancers, web servers and database servers, and possibly some storage devices. Pretty straight forward stuff.
Unfortunately, one of the observations I have made is that the implementation of OSSEC is piss poor. They are not monitoring anything of value. The other observation is simplicity. What I have learned about my dear friend is that he doesn’t believe in complexity, where possible he tries to simplify, and while I know if he had the chance he would rewrite OSSEC, simplicity is still at its core. I mention this because it’s very important to note when you work with the application.
So let’s start there.
The one caveat I need to make is that I don’t run off the version of OSSSEC provided here: http://www.ossec.net/?page_id=19. I actually run off Daniel’s branch here: https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz. This includes almost all the changes provided in the latest version of 2.7 and is pulled into the latest versions on the main site.
Protect Your Website Vulnerabilities With a WAF – New Compairson Report – CloudFlare vs Incapsula vs ModSecurity
A new report came out in February, put together by Zero Science Lab, in which they compare the effectiveness between CloudFlare and Incapsula. In it they did the same thing Philip Tibom of Sweden did last year in his comparative report in which he concluded that Incapsula was the superior product. In this new report they included the use of TrustWave’s ModSecurity solution. The thing that website owners have to understand however is that comparing the three is a bit misleading.
Incapsula and Cloudflare are the two leading WAF solutions set up as a software as a service (SaaaS) designed to help every day website owners. CloudFlare probably trumps Incapsula actually in their marketing prowess. ModSecurity, although powerful, is the opposite. It’s something you’d have to configure and maintain on your web servers. It functions the same in that it filters the incoming traffic, but don’t be fooled, it has to be installed and configured and if you don’t know what you’re doing you will likely not render the results they present. That should not take away from its use, in fact I know Cloudflare uses it as part of their solution, not 100% on Incapsula. For the every day website owner, especially those on shared environments, unless you configure your own reverse proxy, ModSecurity will be of little value to you.
Given that ModSecurity is free, we signed up for both CloudFlare and Incapsula paid Business plan. They have noticeably different prices for their paid plans. CloudFlare Business Plan is $200/month (the WAF is also available in the
Pro Plan, for $20/month). Incapsula Business Plan is $59/month. – Zero Science Lab
My Chileno brother from another mother, Chris Lema, put out a great guest post on WPEngine yesterday talking about WordPress and the Enterprise. He talks to the how and why of it’s emergence in the enterprise scene, but in the process makes a number of statements that very clearly explains the challenges we face as information security professionals. That, however, does not take away from the great points he makes around why it is a good enterprise platform.
Quick side note:
If you’re not familiar with Chris Lema, he’s perhaps one of the most engaging and insightful people you’ll meet and loves to write. WP Engine on the other hand is one of the premiere managed WordPress hosting providers in today’s market specializing in the ability to make your website grow wings, yes like Red Bull.
Of the various things I do at Sucuri, the one I am fondest of, is the ability to lead our incident / intrusion handling team. This is an unadvertised service that we provide enterprises. At a high-level we perform forensic analysis of the incident, outline the impacts of the compromise and perform offensive countermeasures to attacks if so required. It’s in this capacity that I have gained a unique perspective on this subject. I can attest to its arrival in the enterprise, and I’d argue that it’s no longer sneaking in – that was perhaps 2 years ago.