web application security - netwell ltd moscow web-a… · © 2014 imperva, inc. all rights...

Post on 21-Apr-2018


© 2014 Imperva, Inc. All rights reserved.

Web Application Security

What really matters

Thomas Drews

SE Manager Central & Eastern Europe

Agenda

What is happening out there?

Are we prepared?

SecureSphere WAF

Incapsula

How does it all come together?

What is happening out there?

Why is Application Protection needed

Industrialization of Hacking

Fraud

Hacktivism

DDoS

Hacktivism

What is Hacktivism?

Hacktivism is the combination of hacking and activism, often powered by the use of social media.

Drivers: usually political or ethical

Target: Any organization

58% of stolen records in 2011 were due to hacktivism1

1 Verizon Data Breach Investigation Report

Eyewitness Account of a 25-Day Attack

Diagram labels: PHASE I, PHASE II, PHASE III

Tools named: Scanners such as Nikto; Havij SQL injection tool; LOIC application

Attack types named: Technical Attack (twice); Business Logic Attack

Industrialization

Industrialization of Hacking and Automation

Chain: Researching Vulnerabilities -> Developing Exploits -> Growing Botnets -> Exploiting Targets -> Consuming

Consuming: Direct Value – i.e. IP, PII, CCN; Command & Control; Malware Distribution; Phishing & spam; DDoS

Growing Botnets and Exploiting Vulnerabilities: Selecting Targets via Search Engines; Templates & Kits; Centralized Management; Service Model

Roles, Optimization, Automation

More than Half of Web Visitors are Automated

Hacker Forum Statistics: Hackers Share Strategies

DoS/DDoS 19%

SQL Injection 19%

Shell code 16%

Spam 14%

XSS 12%

Brute force 11%

HTML Injection 9%

Automation is Prevailing

In one hacker forum, it was boasted that one hacker had found 5012 websites vulnerable to SQLi through automation tools.

Note:

• Due to automation, hackers can be effective in small groups – i.e. Lulzsec.

• Automation also means that attacks are equal opportunity offenders. They don’t discriminate between well-known and unknown sites.

DDoS

DDoS Attacks Fall into Two Major Categories

Network Layer DDoS Attacks

• Consume all available upload and download bandwidth to prevent access to Web sites

Application Layer DDoS Attacks

• Application requests overwhelm the Web server or database causing it to crash

• The Website then becomes unavailable

Diagram labels: Legit Traffic, Web Requests, Web Server
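To make the application-layer category concrete, here is an added example (not Imperva or SecureSphere code) that scores each source's weighted request cost over a sliding window of constructed access-log lines: application-layer floods are well-formed requests, so the signal is how fast a source hits endpoints that are expensive for the server or database, not malformed traffic. The endpoint cost table, the window, the threshold and the log lines are all assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log style line: ip ident user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Relative server/database cost per endpoint (assumed values; derive real
# ones from application profiling). Unlisted paths cost DEFAULT_COST.
COST = {"/search": 10, "/login": 5, "/report": 20}
DEFAULT_COST = 1

def parse(line):
    """Return (ip, timestamp, path) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0]

def score_sources(lines, window_s=10, cost_threshold=100):
    """Return {ip: peak_cost} for sources whose weighted request cost within
    any sliding window of window_s seconds exceeds cost_threshold."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            ip, ts, path = parsed
            events[ip].append((ts, COST.get(path, DEFAULT_COST)))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        peak = total = start = 0
        for ts, cost in evs:
            total += cost
            # drop events that fell out of the window ending at ts
            while (ts - evs[start][0]).total_seconds() > window_s:
                total -= evs[start][1]
                start += 1
            peak = max(peak, total)
        if peak > cost_threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample: one browsing client and one source hammering /search
SAMPLE_LOG = (
    ['198.51.100.7 - - [21/Apr/2018:10:00:%02d +0000] "GET /index.html HTTP/1.1" 200 512' % s
     for s in range(0, 10, 3)]
    + ['203.0.113.9 - - [21/Apr/2018:10:00:%02d +0000] "GET /search?q=%d HTTP/1.1" 200 9000' % (s, s)
       for s in range(15)]
)
```

The browsing client peaks at a cost of 4 and stays unflagged; the /search source reaches 110 within a ten-second window and is reported.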

Distributed Denial of Service (DDoS) Threats

DDoS Attack Tool

DDoS Statistics

• 74% of organizations received a DDoS attack in past year1

• 31% of attacked organizations suffered service disruption1

Most DDoS attacks are launched by botnets, because of scale

• Toolkits automate DDoS attacks

• Botnets for rent from $50 - $2K

1 “The Trends and Changing Landscape of DDoS Threats and Protection,” Forrester Research

Commercialized DDoS: DDoS as a Service

Commercialized DDoS: Customer satisfaction guaranteed!

Web Fraud Costs Businesses Millions

Fraudulent payment transactions

• Chargeback fees

New account fraud

• Chargeback fees due to ID theft

• Bots email or post spam

Account login fraud

• Logins with stolen credentials erode brand

Man-in-the-Browser attacks

Fraud Malware

111,111: Number of unique strains of malware deployed per day

50%: Percent of malware designed to compromise credentials

10,000: Malicious new domains deployed per day

Source: Aite Group

Are we prepared?


Are we safe?

Traditional Security Doesn’t Stop Today’s Threats

What helped get us secure…

• Router ACLs

• Network Firewalls

• IDS and IPS

• VPNs

• Anti-Virus

…isn’t keeping us secure

• SQL Injection

• (XSS) Cross-site Scripting

• Remote File Inclusion

• Cross-site Request Forgery

• Business Logic Attacks

• Fraud Malware

Why Haven’t We Solved This Problem?

Chart: Threat vs Spend (0% to 100% scale)

In 2012, 94% of all data breached was from servers such as Web and database servers1

Yet well over 95% of the $27 billion spent on security products goes to products that do not directly address data security2

1 2012 Data Breach Investigations Report (Verizon RISK Team in conjunction with the US Secret Service & Dutch High Tech Crime Unit)

2 Worldwide Security Products 2011-2014 Forecast (IDC - February 2011)

What does Gartner say?

“IPS and NGFW were not designed to protect against Web Application Attacks. To prevent web application attacks, organizations need a solution dedicated to that task …”

Download Link: https://www.imperva.com/lg/lgw.asp?pid=505

SecureSphere WAF

Best in Class on-premise protection for Web Applications

Production Operation of a WAF

Management and Tuning:

• On-boarding Apps

• Mitigating Attacks

• Troubleshooting

• OPEX Costs

Deployment Flexibility

Diagram labels: Users; Management Server (MX); Web Application Firewall (three instances); Web Servers (three groups)

SecureSphere for AWS

Capabilities

Full SecureSphere WAF

Native support for AWS environment

• Cloud-formation deployment

• Elasticity via auto-scaling

Benefits

Reduced time-to-deploy

Reduced network complexity

Customers pay on as needed basis (Shift of CapEx to OpEx)

Diagram labels: Amazon ELB (three instances); Web servers; Scaling Group; Availability Zone 1; Availability Zone 2

Dynamic Profiling

By analyzing traffic, SecureSphere automatically learns directories, URLs, parameters and expected user input, so it can alert on or block abnormal requests.
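As an added example (not SecureSphere's own code), the following Python sketch shows the positive-security idea behind profiling: a learning phase records, per URL, which parameters appear and what character class and length range their values have in clean traffic; an enforcement phase then reports requests that use an unknown URL, an unexpected parameter, or a value outside the learned shape. The character classes, the length slack factor and the CLEAN_TRAFFIC sample are assumptions made for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Character classes ordered from narrowest to widest; a learned value class
# only ever widens. Assumed classes, not SecureSphere's actual ones.
CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9]+$")),
    ("text", re.compile(r"^[A-Za-z0-9 ._@-]+$")),
    ("any", re.compile(r"^.*$", re.S)),
]
ORDER = [name for name, _ in CLASSES]

CLEAN_TRAFFIC = [  # constructed learning-phase sample of request targets
    "/login?user=alice&pw=s3cret", "/login?user=bob&pw=hunter22",
    "/item?id=42", "/item?id=1007",
]

def value_class(value):
    return next(name for name, rx in CLASSES if rx.match(value))

def learn(requests):
    """Learning phase: build {path: {param: {class, min, max}}} from clean traffic."""
    profile = {}
    for target in requests:
        parts = urlsplit(target)
        params = profile.setdefault(parts.path, {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            cls, length = value_class(value), len(value)
            p = params.setdefault(name, {"class": cls, "min": length, "max": length})
            if ORDER.index(cls) > ORDER.index(p["class"]):
                p["class"] = cls  # widen to the broader class
            p["min"], p["max"] = min(p["min"], length), max(p["max"], length)
    return profile

def check(profile, target, slack=2):
    """Enforcement phase: list deviations; an empty list means the request
    matches the learned profile. slack loosens the learned length range."""
    parts = urlsplit(target)
    if parts.path not in profile:
        return ["unknown URL " + parts.path]
    params, findings = profile[parts.path], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        p = params.get(name)
        if p is None:
            findings.append("unexpected parameter " + name)
            continue
        if ORDER.index(value_class(value)) > ORDER.index(p["class"]):
            findings.append(name + ": unexpected character class")
        if not p["min"] - slack <= len(value) <= p["max"] * slack:
            findings.append(name + ": length outside learned range")
    return findings
```

A real profiler also needs a learning period long enough to see all legitimate variants, or a new but benign parameter is reported as abnormal; that is the tuning effort the deck's "Production Operation of a WAF" slide refers to.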

ThreatRadar Reputation Services

1. Globally tracks attack sources (ThreatRadar Servers; tracked categories: Phishing Sites, Anonymous Proxy & TOR, Malicious IPs)

2. Distributes feeds to WAF

3. Blocks malicious sources in front of the Web Servers

ThreatRadar Fraud Prevention Services

Policy Based Fraud Verification

ThreatRadar Community Defense

Gathers live attack data from SecureSphere WAFs around the world

Distributes attack patterns and reputation data in near-real time

Virtual Patching Through Scanner Integration

SecureSphere can import scan results and instantly create mitigation policies

Eliminated payment processors’ emergency fix and test cycles

Customer Site: Scanner finds vulnerabilities -> SecureSphere imports scan results -> Web applications are protected

Incapsula

Best in Class cloud based Protection for Web Applications

Imperva Incapsula Overview

By routing Website traffic through Incapsula, bad traffic is removed and good traffic is accelerated

Imperva Incapsula Overview

Incapsula is a cloud-based CDN solution which helps Website owners…

Load Balance Sites and Servers

Incapsula’s Global Content Delivery Network

Datacenters

• Currently 17 PoPs, 3 Scrubbing Centers – 630Gbps+ capacity: USA 9 (Asheville NC, Ashburn VA, Los Angeles, San Jose CA, Chicago, New York, Miami, Seattle, Dallas), London, Singapore, Tel Aviv, Amsterdam, Tokyo, Frankfurt, Sydney, Paris

• Plans for many additional PoPs and scrubbing centers: Toronto, San Francisco, Denver, Hong Kong, Sao Paulo, New Zealand and Milan

Data Across Borders

• Customer data can be locked into (or out of) specific countries

DDoS 3rd Party Review: Imperva Incapsula #1 2013/14

Source: http://ddos-protection-services-review.toptenreviews.com/

Web Security & Performance Service 3rd Party Review

Source: http://website-security-and-performance-review.toptenreviews.com/

New: Fully Featured Load-Balancing Option

Failover to Standby site (DR Scenarios)

• Active/Passive Topology

• Choice of failover decision (e.g. min servers)

• Site failure may be determined by multiple POPs

Layer 7 Load Balancing

• Granular Server LB within a site (e.g. least requests)

• Connection Stickiness option

• Granular server monitoring and alerting

• Support for multiple ISPs within a site

• Support for port address translation to preserve IP addressing

Global Server Load Balancing (GSLB)

• Active/Active Topology

• Site failure determined as per DR choices

• Global LB choice (e.g. by area, by fastest response)

• L7 monitoring (e.g. check URL response time and content)

How does it all come together?

The BIG Picture

DDoS Attack Protection (Cloud + Premises)

SecureSphere Appliance

• App DDoS protection

• Incapsula available on demand as needed

Incapsula Service

• Always on for cloud users

• Volumetric & application attacks mitigated

• SOC team available for attack analysis & mitigation

Diagram: traffic arriving over several ISP links

Web App Security where You need it!

Diagram labels: Internet; Management Server (MX); SecureSphere WAF (four instances); Web Servers (three groups)

Complete Protection Against Web Threats

Diagram: Known Attackers, Bots, Web Attacks, Undesirable Countries, Web Fraud, App DDoS, Scrapers, Phishing Sites, Comment Spammers, Vulnerabilities -> SecureSphere -> Web Apps

Questions?
