This is a guest blog post. Views expressed in this post are original thoughts posted by Glen Kemp, Solutions Consultant at SecureData Europe. These views are his own and in no way do they represent the views of the company he works for.
At the recent Juniper Networks Champions Conference in Berlin, a friendly SE organised a session with the Mykonos VP and product manager. A small group of partners turned into a substantial crowd by the end of the session. When partners and Juniper's own people alike start to take an interest like that, you know there is something new and exciting on offer.
Mykonos is described as "Web Intrusion Deception" and straddles three more traditional security areas; Intrusion Detection Systems (IDS), Web Application Firewalling (WAF) and Network Honeypot (HoneyNet). The Mykonos approach is interesting in that rather than inspecting traffic looking for specific signatures or locking down web applications to very rigid I/O, it dynamically modifies pages so that they would appear to be a very tempting target. Mykonos works on the premise that the behaviour of a would-be intruder is different from that of a legitimate web customer. Consider these "real world" scenarios:
Man number 1 walks into a jewellery shop. He asks the shop keeper for advice on buying a second-hand watch. The shop keeper opens some locked glass cabinets. A selection is made and the customer makes a purchase with a credit card and leaves with a cheery doff of the cap.
Man number 2 walks into a jewellery shop. Immediately he starts to try and prise open the glass on each of the cabinets. When that fails he pulls an enormous bunch of keys from his pocket and systematically tries every one. By chance, one cabinet is unlocked and the "customer" stuffs his pockets with the contents. A random, expensive looking tiara is selected and dragged to the till. The "customer" then attempts to pay with monopoly money, then an obscure currency then finally an iffy-looking credit card. The transaction is completed and our mischievous friend bolts from the shop, only to be replaced by a dozen similar men moments later attempting to return obviously fake tiaras to a variety of different credit cards.
Even the most indifferent teenage shop assistant would be stabbing the silent alarm with 30 seconds of our second friend entering the shop. Security technologies (and by extension, IDS and WAFs) are very good at comparing lots of numbers to another set up numbers and telling you whether they are greater or lesser than a previous set of numbers. IDS and WAFS look for very specific sets of rules and if they match, flag an alarm. If something falls outside of those parameters IDS will allow whilst WAFS will block.
Mykonos behaves like a human shopkeeper; he doesn't know what the customer wants to buy until he asks, but he can easily observe and identify "bad" behaviour or just a slow or eccentric customer. This "human behaviour" based analysis is something that traditional security systems have been bad at emulating, but Mykonos seems to have nailed it. To "seed" the "bad" behaviour of the would-be attacker, the Mykonos software transparently injects "tempting" looking but ultimately useless code and objects into the session. To return to our "jewellers" scenario, it would be like deliberately installing lots of open cabinets of fake watches around the shop. It doesn't actually impact the normal line of business in any significant way, but would waste the time of the attacker. The goal is to ensure that customers get good services, whilst lead hackers down a series of increasingly elaborate garden paths. This makes it uneconomic for attackers to keep trying your site and go and find a softer or more lucrative target elsewhere.
The key advantage of this technique over traditional IDS and WAFS systems is that there is much less operational overhead with Mykonos. IDS systems (even the good ones) need a lot of policy work in order for them to work as designed. Traditional WAFS suffer from the fact that also require deep application knowledge; this is a laborious process and can easily "break" the apps they are designed to protect; a price which may be too high for some. My own experience with WAFS is that it forces the application development and network security teams to work in complete harmony, otherwise the business process they respectively maintain and protect can easily be made unusable. Here is an example were WAFS could create a significant problem. Recently in the EU and the UK the laws changed regarding how websites can handle cookies. The impact itself was pretty minor; essentially just provide the user fair warning of what you are doing. These kinds of things tend to be left to the last minute. A stressed development team could easily throw the changes in on a Friday afternoon, test in the pre-production environment and then push to live before packing up for the weekend. Come Monday morning, it's discovered that the production e-commerce site has been throwing error 500's to customer all weekends as the support pages for the cookie tracking changes have not been "learned" by the WAFS (which is helpfully only deployed on the production systems for cost reasons). Customers and revenue would be impacted, as well as egg on faces. These kinds of issues just would not occur with a product like Mykonos as it assumes the code on the web server is what the business wants to serve to customer.
Such is my enthusiasm for the product that I'm intending to deploy it to supplement our more traditional security controls as a matter of urgency in the next few weeks, and hopefully some customer environments in the next few months.