SecureSphere ThreatRadar: Improve Security Team Productivity and Focus

Uploaded by: imperva

Posted on 28-Jul-2015


TRANSCRIPT

Page 1: SecureSphere ThreatRadar: Improve Security Team Productivity and Focus

© 2015 Imperva, Inc. All rights reserved.

SecureSphere ThreatRadar: Improve Security Team Productivity and Focus

Pravin Rasiah, Sr. Product Manager, Web Application Security, Imperva

Morgan Gerhart, VP Product Marketing, Imperva

Page 2: Speakers

Confidential 2

Pravin Rasiah, Senior Product Manager

Morgan Gerhart, VP, Product Marketing


Page 4: Hackers Exploiting Same Old Vulnerabilities

“99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.”

Source: Verizon 2015 Data Breach Investigations Report

Page 5: 96% of applications have vulnerabilities

Source: Cenzic


Page 7: Industrialized Hacking gives hackers extreme leverage


Page 9: 90% of security events from known bad actors; 60%+ of website traffic is non-human

90% of security events are from known bad actors (Source: Imperva)

60%+ of website traffic is non-human (Source: Imperva)

Page 10: Example 1: Global Financial Services Firm

• Suspected it had a known bad traffic problem
  – Some visibility from feeds from other vendors
  – Way too much chaff/noise
  – No visibility into how this traffic was impacting apps
  – Only detection, no protection

Page 11: Example 2: SaaS Provider

• Security team overwhelmed by web events
  – 6 million per hour
  – Knew many/most came from script kiddies, malware sources and malicious IPs
  – But unable to filter, focus and prioritize noise from the truly worrisome

Page 12: SecureSphere ThreatRadar

• Global Threat Intelligence Service

• Globally crowdsourced

• Curated by Imperva ADC

• Adds “god's-eye” context of the threat landscape to the WAF

Page 13: SecureSphere ThreatRadar

• More productive, more focused security engineering team

• Cut infrastructure costs

• Demonstrate better security posture


Page 15: Example 1: Global Financial Services Firm

• Suspected it had a known bad traffic problem
  – Some visibility from feeds from other vendors
  – Way too much chaff/noise
  – No visibility into how this traffic was impacting apps
  – Only detection, no protection

• ThreatRadar showed known bad was several times worse than suspected
  – 12 million events in the last 6 months, 11 million filtered by ThreatRadar
  – Geographic reputation spotlighting potential state-funded/state-sponsored actors

• Today
  – 90-95% of protections utilize ThreatRadar
  – Business trusts SecureSphere (not worried about false positives/blocking legitimate traffic)
  – Less network traffic (behind the WAF, of course)


Page 17: Example 2: SaaS Provider

• Security team overwhelmed by web events
  – 6 million per hour
  – Knew many/most security events came from script kiddies, malware sources and malicious IPs
  – But unable to filter, focus and prioritize noise from the truly worrisome

• ThreatRadar showed
  – 10-30% of traffic was from known bad sources
  – 80-90% of security alerts were associated with traffic from known bad sources

• Today
  – Filter and ignore the 80-90% that is known bad
  – Prioritize and focus on what is left: “that’s the really worrisome stuff”
  – Noticed some actors have “given up”


Page 19: More Focused, More Productive Team

Eliminate the “noise” from known bad, and prioritize the truly worrisome

Before vs. After (chart)


Page 22: More Focused, More Productive Team

Suspicious SQL Syntax

vs.

Suspicious SQL Syntax + Known SQLi IP

Increased WAF Accuracy
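The comparison on this slide (a signature hit alone versus the same hit from a source the reputation feed already lists as a known SQLi IP) and the SaaS provider's practice on Page 17 (filter the known bad, prioritize what is left) both come down to joining WAF alerts with an IP-reputation feed. The Python script below is an added example written for this transcript; it is not Imperva's code and does not describe how ThreatRadar is implemented. The feed contents, the log line format, the signature names beyond "Suspicious SQL Syntax" (Directory Traversal, Form Spam), the `CORROBORATING` mapping and all IP addresses (taken from the RFC 5737 documentation ranges) are constructed assumptions.

```python
"""Triage WAF alerts against an IP-reputation feed.

Constructed example: the feed, the log lines and the mapping from reputation
category to WAF signature are all invented for illustration. The idea is the
one on the slides: a signature hit such as "Suspicious SQL Syntax" is far more
credible when the source is also a known SQLi IP, alerts from known-bad sources
can be handled automatically, and analysts review only what is left.
"""
import ipaddress
import shlex
from collections import Counter

# Constructed reputation feed: category -> addresses or CIDR blocks.
# All addresses come from the RFC 5737 documentation ranges.
REPUTATION_FEED = {
    "SQLi IPs": {"203.0.113.0/28"},
    "Scanner IPs": {"203.0.113.16/28", "198.51.100.7"},
    "Comment Spam IPs": {"198.51.100.0/27"},
    "Anonymous Proxy": {"198.51.100.200"},
}

# Assumed mapping: which feed categories corroborate which WAF signature.
CORROBORATING = {
    "Suspicious SQL Syntax": {"SQLi IPs"},
    "Directory Traversal": {"Scanner IPs"},
    "Form Spam": {"Comment Spam IPs"},
}

# Parse the feed once so that per-alert lookups are cheap.
_FEED = {
    cat: [ipaddress.ip_network(n, strict=False) for n in nets]
    for cat, nets in REPUTATION_FEED.items()
}


def reputation_of(ip):
    """Return the set of feed categories that list `ip` (empty if unknown)."""
    addr = ipaddress.ip_address(ip)
    return {cat for cat, nets in _FEED.items() if any(addr in n for n in nets)}


def parse_alert(line):
    """Parse one constructed WAF log line of the form
    '<timestamp> src=<ip> sig="<signature>" path=<path>' into a dict."""
    timestamp, *pairs = shlex.split(line)
    alert = {"time": timestamp}
    for pair in pairs:
        key, _, value = pair.partition("=")
        alert[key] = value
    return alert


def triage(alert):
    """Assign a disposition to one alert:
    - block:  known-bad source whose category matches the signature
              (high confidence, handled automatically, no analyst time)
    - filter: known-bad source in an unrelated category (noise from known bad)
    - review: unknown source, the traffic that deserves analyst attention
    """
    cats = reputation_of(alert["src"])
    sig = alert["sig"]
    if cats & CORROBORATING.get(sig, set()):
        disposition, priority = "block", "high"
    elif cats:
        disposition, priority = "filter", "low"
    else:
        disposition, priority = "review", "medium"
    return {**alert, "reputation": sorted(cats),
            "disposition": disposition, "priority": priority}


def triage_log(lines):
    """Triage every non-empty line; return (results, count per disposition)."""
    results = [triage(parse_alert(line)) for line in lines if line.strip()]
    return results, Counter(r["disposition"] for r in results)


def noise_reduction(summary):
    """Fraction of alerts kept out of the analyst queue (blocked or filtered)."""
    total = sum(summary.values())
    blocked = summary.get("block", 0) + summary.get("filter", 0)
    return blocked / total if total else 0.0


# Constructed sample log: six alerts, five of them from feed-listed sources.
SAMPLE_LOG = """\
2015-07-28T10:00:01Z src=203.0.113.5 sig="Suspicious SQL Syntax" path=/login
2015-07-28T10:00:02Z src=203.0.113.20 sig="Suspicious SQL Syntax" path=/search
2015-07-28T10:00:03Z src=198.51.100.9 sig="Form Spam" path=/comments
2015-07-28T10:00:04Z src=198.51.100.200 sig="Directory Traversal" path=/static
2015-07-28T10:00:05Z src=192.0.2.44 sig="Suspicious SQL Syntax" path=/account
2015-07-28T10:00:06Z src=198.51.100.7 sig="Directory Traversal" path=/admin
"""

if __name__ == "__main__":
    results, summary = triage_log(SAMPLE_LOG.splitlines())
    for r in results:
        print(f'{r["priority"]:<6} {r["disposition"]:<6} {r["src"]:<15} '
              f'{r["sig"]:<22} {r["reputation"]}')
    print(f"alerts removed from the analyst queue: {noise_reduction(summary):.0%}")
```

Run as a script it prints one line per alert plus the share of alerts that never reach an analyst; on the constructed log that is five of six (83%), a property of the sample data rather than a measurement. Two design points carry the slide's argument: a reputation hit on its own never raises an alert's priority, it is the agreement between the WAF signature and the feed category that earns the high-confidence "block" disposition (the accuracy gain the slide illustrates), and alerts from sources the feed does not know are never discarded, since those are exactly the ones the SaaS team on Page 17 wanted to be left looking at.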


Page 24: Reduce Infrastructure Costs

Malicious Traffic:

• Spam Marketing

• Spamdexing: Reputation Impact

• Fraud

• DDoS

• Manual Reviews

Keep Forms Safe

Gain Backend Efficiencies


Page 28: Reduce Infrastructure Costs

10-50% of website traffic is from known bad actors

• More efficient WAF

• Fewer log entries

• Less disk needed

• Fewer events to SIEM

Page 29: Globally Crowdsourced

• Malicious IPs

• Phishing URLs

• Anonymous Proxy

• Tor IPs

• Comment Spam IPs

• RFI IP Forensics

• SQLi IPs

• Scanner IPs

• Scraping Bots

• Credit Card Cycling

• Registration Bots

Page 30: Demonstrate Better Security Posture

•  Who’s on your network?

•  Who’s trying to get on your network?

•  Where are they coming from?

•  How are they attacking?

•  How effectively are you mitigating “known bad”?
