Companies are continuously collecting and storing more and more data about every aspect of their web applications, from error and performance monitoring to business KPIs. Each monitoring platform usually presents its own analytical view, and thanks to custom visualizations and dashboards we can finally correlate all of these views in one place!
Having a business dashboard showing a drop in user engagement next to a technical dashboard showing a huge drop in performance on the same page can speed up your decision process and help your team be more efficient. But security information, such as the number of XSS attacks, SQL injection paths or bad bot traffic, has generally been left behind.
Here at Sqreen, we protect our customers against thousands of attacks every month, and we’re already using all this data to make our protection more efficient every day. Although we try to present the most comprehensive analytics view possible on our dashboard, sometimes nothing can beat a custom security dashboard displayed in the same place as your business and performance KPIs.
We have decided to offer our customers the possibility to export all of our data in real-time to a data analytics platform of their choice. The first data analytics platform we have chosen is naturally New Relic Insights (https://newrelic.com/insights) as it is very popular with our customers. The integration between Sqreen and New Relic Insights is simple: all you need is a New Relic account ID and API key, and Sqreen will send attack information to your New Relic Insights account in real-time. No firewall or special configuration is necessary; it’s almost as easy as installing Sqreen!
Data Analytics Platforms
Data Analytics Platforms like New Relic Insights let you extract as much value as possible from your raw data by writing custom queries, aggregations, and correlations.
You can, for example, show how many times your customers log in to your application, grouped by country, then check another dashboard showing latency per country to determine whether there is a correlation between your application's performance and your customers' engagement.
Now you can do the same with your security data. For example, you could display both user engagement and the number of attacks per country on the same dashboard, so you can focus on support requests from specific countries with low engagement and a high number of attacks. The key to the success of a data analytics platform is to answer your questions by presenting patterns in your data in an easy-to-understand format.
Integrating Sqreen with New Relic Insights is really easy. Here is an example of how you can do it in Python. It only takes five lines of code:
The product is very simple to use, and is designed for everyone from developers to DevOps, and even allows the Product team to write and share their custom dashboards by writing pseudo-SQL to visually represent their data. You can even put your dashboards on a wall-mounted TV to make them available to everyone in the office.
Data sent to New Relic Insights
Data Analytics Platforms need raw data to work on, so what information are we making available? For the moment we're only sending attack data to New Relic. The attacks will be pushed with the eventType sqreen_attacks and the following fields:
| Field | Description | Example |
|---|---|---|
| path | The path attacked | /admin.php |
| ip_address | The attacker IP address | 172.17.3.46 |
| type | The attack type | bot_scanning, xss_injection, sql_injection, … |
| verb | The HTTP verb used | GET, POST, PROPFIND, UNCHECKOUT, … |
| user_agent | The attacker user_agent | Arachni, Mozilla/4.0, … |
| scheme | The scheme of the attack point | HTTP or HTTPS |
| geo_country | The computed country behind the attacker IP | MYS, USA, … |
| geo_city | The computed city behind the attacker IP | Dublin, Paris, … |
| geo_latitude | The computed latitude behind the attacker IP | 9.51 |
| geo_longitude | The computed longitude behind the attacker IP | 51.1 |
The traceback is very valuable, but we’re still trying to figure out the best way to format it for New Relic Insights.
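As an added example (not Sqreen's own integration code, and not the snippet the post refers to), here is how a sqreen_attacks event with the fields documented above can be built and pushed to the New Relic Insights Insert API from Python. It uses the real Insert API endpoint and X-Insert-Key header; the account ID and key are placeholders, the sample attack record is constructed, and the `opener` argument is an assumption that exists only so the sender can be exercised without network access.

```python
import json
import urllib.request

# New Relic Insights Insert API endpoint; the account ID is substituted in.
INSERT_URL = "https://insights-collector.newrelic.com/v1/accounts/{account_id}/events"

# Fields documented for the sqreen_attacks event type (see the table above).
ATTACK_FIELDS = ("path", "ip_address", "type", "verb", "user_agent", "scheme",
                 "geo_country", "geo_city", "geo_latitude", "geo_longitude")


def build_attack_event(attack):
    """Turn a dict of attack attributes into an Insights event.

    Only the documented fields are kept, eventType is forced to
    sqreen_attacks, and a missing field raises instead of being sent empty,
    so a dashboard faceting on that field never silently loses rows.
    """
    missing = [field for field in ATTACK_FIELDS if field not in attack]
    if missing:
        raise ValueError("attack record missing fields: " + ", ".join(missing))
    event = {"eventType": "sqreen_attacks"}
    for field in ATTACK_FIELDS:
        event[field] = attack[field]
    return event


def send_events(events, account_id, insert_key, opener=urllib.request.urlopen):
    """POST a batch of events to the Insert API and return the HTTP status.

    `opener` (an assumption for this example) defaults to urllib's urlopen and
    can be swapped for a fake in tests.
    """
    body = json.dumps(events).encode("utf-8")
    request = urllib.request.Request(
        INSERT_URL.format(account_id=account_id),
        data=body,
        headers={"Content-Type": "application/json", "X-Insert-Key": insert_key},
        method="POST",
    )
    with opener(request) as response:
        return response.status


# Constructed sample attack shaped like the documented fields (not a real record).
SAMPLE_ATTACK = {
    "path": "/admin.php",
    "ip_address": "172.17.3.46",
    "type": "sql_injection",
    "verb": "POST",
    "user_agent": "Arachni",
    "scheme": "HTTPS",
    "geo_country": "MYS",
    "geo_city": "Kuala Lumpur",
    "geo_latitude": 3.14,
    "geo_longitude": 101.69,
}

if __name__ == "__main__":
    # Placeholders: replace with your own Insights account ID and Insert key.
    status = send_events([build_attack_event(SAMPLE_ATTACK)],
                         account_id="YOUR_ACCOUNT_ID", insert_key="YOUR_INSERT_KEY")
    print("Insights responded with HTTP", status)
```

The Insert key is a write credential for your account, so load it from the environment or a secrets store rather than hard-coding it as the placeholder above does; the batching in `send_events` also means one HTTP request can carry every attack seen in the last few seconds instead of one request per attack.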
Examples of dashboards:
With all this data, what kinds of dashboards can you create?
You can start with a very general overview:
Drill down to a specific country, for example Malaysia (MYS), with the dashboard query: SELECT count(*) from sqreen_attacks facet geo_country since 1 week ago WHERE country='MYS'
You could then go even deeper and filter on attack type: SELECT count(*) from sqreen_attacks facet subtype since 1 week ago WHERE country='MYS' and subtype='sensitive_data_exposure'
Or filter by path: SELECT count(*) from sqreen_attacks facet subtype since 1 week ago WHERE path='/admin/i18n/readme.txt'
You can now learn everything you need. To quote Sun Tzu, “Know your enemy and know yourself and you can fight a thousand battles without disaster.” (The Art of War).
Configure your New Relic Insights integration
To configure the New Relic Insights integration, go to your New Relic Insights page (https://insights.newrelic.com/), click on "Manage data" > "API Keys" and create a new Insert key by clicking on the "+" button.
Copy your Account ID and the generated Key, and go to Sqreen application settings and integrations:
You then just need to paste your Insights Account ID and Key under the "New Relic Insights" panel:
And start building your own security dashboards!
You no longer have excuses to keep your security data under lock and key!
Sign up now to get real-time security metrics in your New Relic Insights.
About the author
Boris is a true Python addict. Boris enjoyed working on scalability issues of a machine-learning infrastructure in the past. He is also a SaltStack lover, and you will probably meet him in various meetups!