Six Pillars Of Security, #3: Detection Of Breaches


  • Good visualization and graphing can expose suspicious activity.
  • Tools like Datadog are invaluable when coupled with appropriate queries/visualization.

  • For example, if a user or client is generating a lot of backend usage from a comparatively small number of requests, this can be a sign of a breach. If the front-end to back-end activity ratio per user is plotted, you can see this happening in real time.
    • In this example, monitoring and graphing database read/outbound volume would be a quick and easy measure; simple data breaches normally show up as a ‘swell’ in outbound data. More sophisticated attackers will extract the data slowly over a period of time to avoid such detection, so more specialized graphing and alarms would be needed, e.g. database usage aggregated over time, compared against the average usage for that user.
  • Likewise, response size is a good indication of a breach/extraction; if someone is trying to steal information, then the amount of data per response is likely to be higher.
  • Looking for large numbers of bad requests, 404s, ‘bad search parameters’ etc. is a good metric as well, as it’s a sign that someone is trying out different things against your API.
  • Basic Action Points For A Team:
    • Set up basic monitoring for unusual activity volumes/frequencies/sizes etc., especially in relation to other metrics, e.g. the amount of database activity generated by a particular request or user (in the case of a database export). Tools like Datadog would be good here.
    • Set up monitoring for bad requests/404s/bad search parameters; these can be a sign of someone trying to guess a resource ID or probing how to access your system.
    • Investigate other options/possibilities for monitoring/visualization, specific to your project.
    • Understanding the threat model of your project, and what kind of attacks you are likely to encounter, is key here. The current belief is that commercial attackers are our main threat; is this accurate?
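The three signals above (backend usage per request, response size, and the rate of bad requests) and the first two action points can be checked with one small aggregation over an access log. The following is an added example, not code from the original post: it assumes a constructed log format with one request per line (user, HTTP status, response bytes, database rows read), computes the per-user metrics, and flags users who exceed a multiple of the population median, as a starting point before moving the same queries into a tool like Datadog.

```python
from collections import defaultdict
from statistics import median

# Constructed sample access log (not from the original post); one request per
# line: user, HTTP status, response bytes, database rows read to serve it.
SAMPLE_LOG = """\
alice 200 1200 5
alice 200 1100 4
alice 404 300 0
bob 200 1300 6
bob 200 1250 5
carol 200 48000 900
carol 200 52000 950
dave 404 200 0
dave 404 210 0
dave 400 190 0
dave 200 1000 4
"""

def per_user_metrics(text):
    """Aggregate per user: DB rows per request (backend-to-frontend ratio),
    mean response size, and the share of 4xx responses."""
    agg = defaultdict(lambda: [0, 0, 0, 0])  # requests, bytes, rows, bad
    for line in text.splitlines():
        user, status, size, rows = line.split()
        a = agg[user]
        a[0] += 1
        a[1] += int(size)
        a[2] += int(rows)
        a[3] += int(int(status) >= 400)
    return {u: {"ratio": rows / req, "avg_bytes": byt / req, "bad_share": bad / req}
            for u, (req, byt, rows, bad) in agg.items()}

def flag_anomalies(metrics, factor=3.0, bad_share_limit=0.5):
    """Flag users whose ratio or mean response size exceeds `factor` times the
    population median, or whose share of bad requests exceeds the limit."""
    med_ratio = median(m["ratio"] for m in metrics.values())
    med_bytes = median(m["avg_bytes"] for m in metrics.values())
    flags = {}
    for u, m in metrics.items():
        reasons = []
        if m["ratio"] > factor * med_ratio:
            reasons.append("db_rows_per_request")
        if m["avg_bytes"] > factor * med_bytes:
            reasons.append("response_size")
        if m["bad_share"] > bad_share_limit:
            reasons.append("bad_requests")
        if reasons:
            flags[u] = reasons
    return flags
```

Comparing each user against the population median catches the obvious ‘swell’; the slow-extraction case from the post needs the same metrics aggregated per user over time instead.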
