© 2014 Imperva, Inc. All rights reserved.
Web Application Security
What really matters
Confidential 1
Thomas Drews
SE Manager Central & Eastern Europe
Agenda
What is happening out there?
Are we prepared?
SecureSphere WAF
Incapsula
How does it all come together?
What is happening out there?
Why is Application Protection needed?
Industrialization of Hacking
Fraud
Hacktivism
DDoS
Hacktivism
What is Hacktivism?
Hacktivism is the combination of hacking and activism, often powered by the use of social media
Drivers: usually political or ethical
Target: Any organization
58% of stolen records in 2011 were due to hacktivism[1]
[1] Verizon Data Breach Investigations Report
Eyewitness Account of a 25-Day Attack
PHASE I: Scanners such as Nikto (Technical Attack)
PHASE II: Havij SQL injection tool (Technical Attack)
PHASE III: LOIC application (Business Logic Attack)
Industrialization
Industrialization of Hacking and Automation
Roles: Researching Vulnerabilities → Developing Exploits → Growing Botnets → Exploiting Targets → Consuming
Consuming: Direct Value (e.g. IP, PII, CCN), Command & Control, Malware Distribution, Phishing & spam, DDoS
Optimization and Automation: Growing Botnets and Exploiting Vulnerabilities; Selecting Targets via Search Engines; Templates & Kits; Centralized Management; Service Model
More than Half of Web Visitors are Automated
Hacker Forum Statistics: Hackers Share Strategies
DoS/DDoS 19%
SQL Injection 19%
Shell code 16%
Spam 14%
XSS 12%
Brute force 11%
HTML Injection 9%
Automation is Prevailing
In one hacker forum, it was boasted that one hacker had found 5012 websites vulnerable to SQLi through automation tools.
Note:
• Due to automation, hackers can be effective in small groups, e.g. LulzSec.
• Automation also means that attacks are equal-opportunity offenders: they don’t discriminate between well-known and unknown sites.
DDoS
DDoS Attacks Fall into Two Major Categories
Network Layer DDoS Attacks
• Consume all available upload and download bandwidth to prevent access to Web sites
Application Layer DDoS Attacks
• Application requests overwhelm the Web server or database, causing it to crash
• The Website then becomes unavailable
(Diagram: legitimate traffic and attack Web requests both arriving at the Web Server)
Distributed Denial of Service (DDoS) Threats
DDoS Attack Tool
DDoS Statistics
• 74% of organizations received a DDoS attack in the past year[1]
• 31% of attacked organizations suffered service disruption[1]
Most DDoS attacks are launched by botnets, because of scale
• Toolkits automate DDoS attacks
• Botnets for rent from $50 - $2K
[1] ”The Trends and Changing Landscape of DDoS Threats and Protection,” Forrester Research
Commercialized DDoS
DDoS as a Service
Commercialized DDoS
Customer satisfaction guaranteed!
Web Fraud Costs Businesses Millions
Fraudulent payment transactions
• Chargeback fees
New account fraud
• Chargeback fees due to ID theft
• Bots email or post spam
Account login fraud
• Logins with stolen credentials erode brand
Man-in-the-Browser attacks
Fraud Malware
111,111 Number of unique strains of malware deployed per day
50% Percent of malware designed to compromise credentials
10,000 Malicious new domains deployed per day
Source: Aite Group
Are we prepared?
Are we safe?
Traditional Security Doesn’t Stop Today’s Threats
What helped get us secure…
• Router ACLs
• Network Firewalls
• IDS and IPS
• VPNs
• Anti-Virus
…isn’t keeping us secure
• SQL Injection
• (XSS) Cross-site Scripting
• Remote File Inclusion
• Cross-site Request Forgery
• Business Logic Attacks
• Fraud Malware
Why Haven’t We Solved This Problem?
“In 2012, 94% of all data breached was from servers such as Web and database servers”[1]
(Chart: Threat vs. Spend)
Yet well over 95% of the $27 billion is spent on security products that do not directly address data security[2]
[1] 2012 Data Breach Investigations Report (Verizon RISK Team in conjunction with the US Secret Service & Dutch High Tech Crime Unit)
[2] Worldwide Security Products 2011-2014 Forecast (IDC - February 2011)
What does Gartner say?
“IPS and NGFW were not designed to protect against Web Application Attacks. To prevent web application attacks, organizations need a solution dedicated to that task …”
Download Link: https://www.imperva.com/lg/lgw.asp?pid=505
SecureSphere WAF
Best in Class on-premise protection for Web Applications
Production Operation of a WAF
Management and Tuning:
• On-boarding Apps
• Mitigating Attacks
• Troubleshooting
• OPEX Costs
Deployment Flexibility
(Diagram: one Management Server (MX) managing several Web Application Firewalls, each deployed between Users and their Web Servers)
SecureSphere for AWS
Capabilities
Full SecureSphere WAF
Native support for AWS environment
• Cloud-formation deployment
• Elasticity via auto-scaling
Benefits
Reduced time-to-deploy
Reduced network complexity
Customers pay on an as-needed basis (shift of CapEx to OpEx)
(Diagram: Amazon ELBs in front of a WAF Scaling Group and Web servers, spread across Availability Zone 1 and Availability Zone 2)
Dynamic Profiling
By analyzing traffic, SecureSphere automatically learns…
• Directories
• URLs
• Parameters
• Expected user input
So it can alert on or block abnormal requests
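As an added illustration of the positive-security model that dynamic profiling describes (constructed example code, not SecureSphere's own implementation), the block below learns a per-URL parameter profile from a few constructed "normal" requests and then lists the deviations of requests that do not fit it. The traffic lines, paths and parameter names are all invented.

```python
"""Toy positive-security profile of the kind dynamic profiling describes (constructed
illustration, not SecureSphere's code): learn URLs/parameters, then flag deviations."""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed clean traffic for the learning phase.  The learning window must hold
# only trusted traffic, otherwise attack requests get "learned" as normal.
LEARNING_TRAFFIC = [
    "GET /shop/item?id=17&sort=price",
    "GET /shop/item?id=42&sort=name",
    "GET /shop/search?q=shoes",
    "POST /account/login?user=alice&pw=secret",
]

def _shape(value):
    """Coarse type of a parameter value: numeric, alpha or other."""
    if value.isdigit():
        return "numeric"
    return "alpha" if value.isalpha() else "other"

def learn_profile(traffic):
    """Build {(method, path): {param: {"shapes": set, "max_len": int}}}."""
    profile = defaultdict(lambda: defaultdict(lambda: {"shapes": set(), "max_len": 0}))
    for line in traffic:
        method, url = line.split(" ", 1)
        parts = urlsplit(url)
        params = profile[(method, parts.path)]
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            params[name]["shapes"].add(_shape(value))
            params[name]["max_len"] = max(params[name]["max_len"], len(value))
    return profile

def check_request(profile, line):
    """Return [] if the request fits the profile, else its deviations (a WAF
    alerts on these in monitoring mode and blocks them in active mode)."""
    method, url = line.split(" ", 1)
    parts = urlsplit(url)
    key = (method, parts.path)
    if key not in profile:
        return [f"unknown URL {method} {parts.path}"]
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        learned = profile[key].get(name)
        if learned is None:
            findings.append(f"unknown parameter {name!r}")
            continue
        if _shape(value) not in learned["shapes"]:
            findings.append(f"unexpected value type for {name!r}")
        if len(value) > 2 * learned["max_len"]:  # allow some slack over the learned max
            findings.append(f"oversized value for {name!r}")
    return findings
```

A request to a never-seen path, a never-seen parameter, or a learned numeric parameter carrying a long non-numeric value each produce a finding, while traffic matching the learned shape passes clean.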
ThreatRadar Reputation Services
1. Globally tracks attack sources (ThreatRadar Servers collect Phishing Sites, Anonymous Proxy & TOR exits, and Malicious IPs)
2. Distributes feeds to WAF
3. Blocks malicious sources before they reach the Web Servers
ThreatRadar Fraud Prevention Services
Policy Based Fraud Verification
ThreatRadar Community Defense
Gathers live attack data from SecureSphere WAFs around the world
Distributes attack patterns and reputation data in near-real time
Virtual Patching Through Scanner Integration
SecureSphere can import scan results and instantly create mitigation policies
Eliminated payment processors’ emergency fix and test cycles
Customer Site: Scanner finds vulnerabilities → SecureSphere imports scan results → Web applications are protected
Incapsula
Best in Class cloud-based Protection for Web Applications
Imperva Incapsula Overview
By routing Website traffic through Incapsula, bad traffic is removed and good traffic is accelerated
Imperva Incapsula Overview
Incapsula is a cloud-based CDN solution which helps Website owners…
Load Balance Sites and Servers
Incapsula’s Global Content Delivery Network
Datacenters
• Currently 17 PoPs, 3 Scrubbing Centers – 630Gbps+ capacity: USA 9 (Asheville NC, Ashburn VA, Los Angeles, San Jose CA, Chicago, New York, Miami, Seattle, Dallas), London, Singapore, Tel Aviv, Amsterdam, Tokyo, Frankfurt, Sydney, Paris
• Plans for many additional PoPs and scrubbing centers: Toronto, San Francisco, Denver, Hong Kong, Sao Paulo, New Zealand and Milan
Data Across Borders
• Customer data can be locked into (or out of) specific countries
DDoS Protection 3rd-Party Review: Imperva Incapsula ranked #1, 2013/14
Source: http://ddos-protection-services-review.toptenreviews.com/
Web Security & Performance Service 3rd Party Review
Source: http://website-security-and-performance-review.toptenreviews.com/
New: Fully Featured Load-Balancing Option
Failover to Standby site (DR Scenarios)
• Active/Passive Topology
• Choice of failover decision (e.g. min servers)
• Site failure may be determined by multiple POPs
Layer 7 Load Balancing
• Granular Server LB within a site (e.g. least requests)
• Connection Stickiness option
• Granular server monitoring and alerting
• Support for multiple ISPs within a site
• Support for port address translation to preserve IP addressing
Global Server Load Balancing (GSLB)
• Active/Active Topology
• Site failure determined as per DR choices
• Global LB choice (e.g. by area, by fastest response)
• L7 monitoring (e.g. check URL response time and content)
How does it all come together?
The BIG Picture
DDoS Attack Protection (Cloud + Premises)
SecureSphere Appliance
• App DDoS protection
• Incapsula available on demand as needed
Incapsula Service
• Always on for cloud users
• Volumetric & application attacks mitigated
• SOC team available for attack analysis & mitigation
Web App Security where You need it!
(Diagram: SecureSphere WAFs deployed between the Internet and each group of Web Servers, all managed by one Management Server (MX))
Complete Protection Against Web Threats
SecureSphere shields Web Apps from: Known Attackers, Bots, Web Attacks, Undesirable Countries, Web Fraud, App DDoS, Scrapers, Phishing Sites, Comment Spammers, Vulnerabilities
Questions?