SecureSphere ThreatRadar: Improve Security Team Productivity and Focus

Post on 28-Jul-2015


TRANSCRIPT

© 2015 Imperva, Inc. All rights reserved.

SecureSphere ThreatRadar: Improve Security Team Productivity and Focus

Pravin Rasiah, Sr. Product Manager, Web Application Security, Imperva

Morgan Gerhart, VP Product Marketing, Imperva


Speakers

Confidential 2

Pravin Rasiah Senior Product Manager

Morgan Gerhart VP, Product Marketing

Hackers Exploiting Same Old Vulnerabilities

“99.9% OF THE EXPLOITED VULNERABILITIES WERE COMPROMISED MORE THAN A YEAR AFTER THE CVE WAS PUBLISHED.”

Source: Verizon 2015 Data Breach Investigation Report

96% of applications have vulnerabilities (Source: Cenzic)

Industrialized Hacking gives hackers extreme leverage

90% of security events are from known bad actors (Source: Imperva)

60%+ of website traffic is non-human (Source: Imperva)

Example 1: Global Financial Services Firm

•  Suspected it had a known bad traffic problem
   –  Some visibility from feeds from other vendors
   –  Way too much chaff/noise
   –  No visibility into how this traffic was impacting apps
   –  Only detection, no protection

Example 2: SaaS Provider

•  Security team overwhelmed by web events
   –  6 million per hour
   –  Knew many/most were from script kiddies, malware sources and malicious IPs
   –  But unable to filter, focus and prioritize: could not separate the noise from the truly worrisome

SecureSphere ThreatRadar

•  Global Threat Intelligence Service

•  Globally crowdsourced

•  Curated by Imperva ADC

•  Adds “god’s-eye” context of the threat landscape to the WAF

SecureSphere ThreatRadar

•  More productive, more focused security engineering team

•  Cut infrastructure costs

•  Demonstrate better security posture


Example 1: Global Financial Services Firm

•  ThreatRadar showed known bad was several times worse than suspected
   –  12 million events in the last 6 months, 11 million filtered by ThreatRadar
   –  Geographic reputation spotlighting potential state-funded/state-sponsored actors

•  Today
   –  90-95% of protections utilize ThreatRadar
   –  Business trusts SecureSphere (not worried about false positives/blocking legit traffic)
   –  Less network traffic (behind the WAF, of course)


Example 2: SaaS Provider

•  ThreatRadar showed
   –  10-30% of traffic was from known bad sources
   –  80-90% of security alerts were associated with traffic from known bad sources

•  Today
   –  Filter and ignore the 80-90% that is known bad
   –  Prioritize and focus on what is left: “that’s the really worrisome stuff”
   –  Noticed some actors have “given up”

More Focused, More Productive Team

Eliminate the “noise” from known bad, and prioritize on the truly worrisome

(Chart: alert volume Before vs. After ThreatRadar filtering)

More Focused, More Productive Team

Suspicious SQL Syntax

vs.

Suspicious SQL Syntax + Known SQLi IP

Increased WAF Accuracy
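The accuracy argument on this slide (a content signature such as “Suspicious SQL Syntax” corroborated by a matching reputation category such as “Known SQLi IP”) and the triage policy from Example 2 (filter out the known-bad share, work only the residue) as one added Python example. This is illustration code written for this page, not Imperva’s or ThreatRadar’s implementation. The log line format, the feed layout and its categories, the signature-to-category mapping, the seven-day feed TTL and every address are assumptions constructed for the example. The TTL is a caveat the slides do not discuss: reputation entries age, so a feed hit should stop filtering alerts once it is stale, otherwise a recycled address keeps suppressing real attacks.

```python
"""Reputation-enriched WAF alert triage (added example, not Imperva code).

Idea 1: signature + matching reputation category = high-confidence verdict.
Idea 2: every alert from a fresh known-bad source leaves the analyst queue;
        only the residue (unknown or stale sources) is worked by people.
Log format, feed, categories, mapping, TTL and addresses are all constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2015, 7, 28, 12, 0, tzinfo=timezone.utc)  # fixed clock, reproducible run
FEED_TTL = timedelta(days=7)  # hypothetical: the deck says nothing about feed freshness

# Constructed reputation feed: ip -> (category, last time the feed saw it misbehave)
REPUTATION_FEED = {
    "203.0.113.7":  ("SQLi IP",    NOW - timedelta(hours=3)),
    "198.51.100.9": ("Scanner IP", NOW - timedelta(days=1)),
    "192.0.2.44":   ("Tor IP",     NOW - timedelta(days=30)),  # stale: older than FEED_TTL
}

# Which feed category corroborates which WAF signature (hypothetical mapping)
CORROBORATES = {
    "Suspicious SQL Syntax": "SQLi IP",
    "Path Traversal": "Scanner IP",
}

# Constructed WAF events in a made-up key=value line format; last line is deliberate garbage
SAMPLE_LOG = """\
ts=2015-07-28T10:00:01Z src=203.0.113.7 sig="Suspicious SQL Syntax" uri=/login
ts=2015-07-28T10:00:02Z src=198.51.100.9 sig="Path Traversal" uri=/static/../../etc/passwd
ts=2015-07-28T10:00:03Z src=198.51.100.9 sig="Suspicious SQL Syntax" uri=/search
ts=2015-07-28T10:00:04Z src=192.0.2.44 sig="Suspicious SQL Syntax" uri=/search
ts=2015-07-28T10:00:05Z src=203.0.113.7 sig="Suspicious SQL Syntax" uri=/search
ts=2015-07-28T10:00:06Z src=192.0.2.200 sig="Suspicious SQL Syntax" uri=/api/orders
this line is malformed and must be skipped rather than crash the pipeline
"""

LINE_RE = re.compile(r'ts=(\S+) src=(\S+) sig="([^"]*)" uri=(\S+)$')


def parse_events(text):
    """Parse log lines into dicts; malformed lines and non-IP sources are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, sig, uri = m.groups()
        try:
            ipaddress.ip_address(src)  # reject junk before it reaches the feed lookup
        except ValueError:
            continue
        events.append({"ts": ts, "src": src, "sig": sig, "uri": uri})
    return events


def reputation(ip, now=NOW):
    """Feed category for ip, or None when the ip is unknown or its entry is older than FEED_TTL."""
    entry = REPUTATION_FEED.get(ip)
    if entry is None:
        return None
    category, last_seen = entry
    if now - last_seen > FEED_TTL:
        return None
    return category


def triage(events, now=NOW):
    """Split alerts into three buckets.

    corroborated     signature and reputation agree (SQL syntax from a SQLi IP):
                     block with high confidence, no analyst time spent
    reputation_only  fresh feed hit whose category does not match the signature:
                     still filtered out of the queue as known bad
    residue          unknown or stale source: the alerts the team actually works
    """
    buckets = {"corroborated": [], "reputation_only": [], "residue": []}
    for ev in events:
        cat = reputation(ev["src"], now)
        ev = dict(ev, reputation=cat)
        if cat is None:
            buckets["residue"].append(ev)
        elif CORROBORATES.get(ev["sig"]) == cat:
            buckets["corroborated"].append(ev)
        else:
            buckets["reputation_only"].append(ev)
    return buckets


def summarize(buckets):
    """Counts plus the share of alerts removed from the analyst queue."""
    total = sum(len(v) for v in buckets.values())
    filtered = len(buckets["corroborated"]) + len(buckets["reputation_only"])
    return {
        "total": total,
        "filtered": filtered,
        "residue": len(buckets["residue"]),
        "filtered_fraction": filtered / total if total else 0.0,
    }


if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_LOG))
    print(summarize(result))
    for ev in result["residue"]:
        print("ANALYST QUEUE:", ev["ts"], ev["src"], ev["sig"], ev["uri"])
```

On the constructed sample, four of the six parsed alerts leave the queue (three corroborated, one reputation-only) and two remain for an analyst: the stale Tor entry, which the TTL correctly refuses to treat as known bad, and the unknown source hitting /api/orders. Note that the reputation hit only moves an alert between buckets; it never suppresses the signature itself, so a feed outage degrades to “everything is residue” rather than to silent allow.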

Reduce Infrastructure Costs

Malicious traffic drives:

•  Spam marketing

•  Spamdexing (reputation impact)

•  Fraud

•  DDoS

•  Manual reviews

Keep forms safe; gain backend efficiencies.

10-50% OF WEBSITE TRAFFIC FROM KNOWN BAD ACTORS

•  More efficient WAF

•  Fewer log entries

•  Less disk needed

•  Fewer events to SIEM

Globally Crowdsourced

Malicious IPs

Phishing URLs

Anonymous Proxy

Tor IPs

Comment Spam IPs

RFI IP Forensics

SQLi IPs

Scanner IPs

Scraping Bots

Credit Card Cycling

Registration Bots

Demonstrate Better Security Posture

•  Who’s on your network?

•  Who’s trying to get on your network?

•  Where are they coming from?

•  How are they attacking?

•  How effectively are you mitigating “known bad”?
