Web Application Security - Netwell Ltd Moscow Web-A… (Imperva presentation, 45 pages)

Uploaded by trandung, posted 21-Apr-2018. Category: Documents.

TRANSCRIPT

Page 1: Web Application Security

What really matters

Thomas Drews, SE Manager Central & Eastern Europe

© 2014 Imperva, Inc. All rights reserved. Confidential

Page 2: Agenda

What is happening out there?

Are we prepared?

SecureSphere WAF

Incapsula

How does it all come together?

Page 3: What is happening out there?

Why is Application Protection needed?

Page 4:

Industrialization of Hacking

Fraud

Hacktivism

DDoS

Page 5: Hacktivism

Page 6: What is Hacktivism?

Hacktivism is the combination of hacking and activism, often powered by the use of social media.

Drivers: usually political or ethical

Target: any organization

58% of stolen records in 2011 were due to hacktivism¹

¹ Verizon Data Breach Investigations Report

Page 7: Eyewitness Account of a 25-Day Attack

[Figure: timeline of the attack in three phases (Phase I, Phase II, Phase III), labelled Business Logic Attack, Technical Attack and Technical Attack; tools shown: scanners such as Nikto, the Havij SQL injection tool, and the LOIC application.]

Page 8: Industrialization

Page 9: Industrialization of Hacking and Automation

[Figure: the hacking value chain laid out against the labels Roles, Optimization and Automation.]

Stages: Researching Vulnerabilities → Developing Exploits → Growing Botnets → Exploiting Targets → Consuming

Consuming: Direct Value (i.e. IP, PII, CCN), Command & Control, Malware Distribution, Phishing & spam, DDoS

Also shown: Growing Botnets and Exploiting Vulnerabilities; Selecting Targets via Search Engines; Templates & Kits; Centralized Management; Service Model

Page 10: More than Half of Web Visitors are Automated

Page 11: Hacker Forum Statistics: Hackers Share Strategies

[Chart: share of forum discussion by attack topic]

DoS/DDoS 19%

SQL Injection 19%

Shell code 16%

Spam 14%

XSS 12%

Brute force 11%

HTML Injection 9%

Page 12: Automation is Prevailing

In one hacker forum, it was boasted that one hacker had found 5012 websites vulnerable to SQLi through automation tools.

Note:

• Due to automation, hackers can be effective in small groups – i.e. LulzSec.

• Automation also means that attacks are equal opportunity offenders. They don’t discriminate between well-known and unknown sites.

Page 13: DDoS

Page 14: DDoS Attacks Fall into Two Major Categories

Network Layer DDoS Attacks

• Consume all available upload and download bandwidth to prevent access to Web sites

Application Layer DDoS Attacks

• Application requests overwhelm the Web server or database, causing it to crash

• The Website then becomes unavailable

[Figure: Legit Traffic and Web Requests arriving at a Web Server.]

Page 15: Distributed Denial of Service (DDoS) Threats

[Figure: screenshot of a DDoS Attack Tool]

DDoS Statistics

• 74% of organizations received a DDoS attack in the past year¹

• 31% of attacked organizations suffered service disruption¹

Most DDoS attacks are launched by botnets, because of scale

• Toolkits automate DDoS attacks

• Botnets for rent from $50 - $2K

¹ “The Trends and Changing Landscape of DDoS Threats and Protection,” Forrester Research

Page 16: Commercialized DDoS

DDoS as a Service

Page 17: Commercialized DDoS

Customer satisfaction guaranteed!

Page 18: (image-only slide, no text)

Page 19: Web Fraud Costs Businesses Millions

Fraudulent payment transactions

• Chargeback fees

New account fraud

• Chargeback fees due to ID theft

• Bots email or post spam

Account login fraud

• Logins with stolen credentials erode the brand

Man-in-the-Browser attacks

Page 20: Fraud Malware

111,111: number of unique strains of malware deployed per day

50%: percentage of malware designed to compromise credentials

10,000: malicious new domains deployed per day

Source: Aite Group

Page 21: Are we prepared?

Are we safe?

Page 22: Traditional Security Doesn’t Stop Today’s Threats

What helped get us secure…

• Router ACLs

• Network Firewalls

• IDS and IPS

• VPNs

• Anti-Virus

…isn’t keeping us secure against:

• SQL Injection

• Cross-site Scripting (XSS)

• Remote File Inclusion

• Cross-site Request Forgery

• Business Logic Attacks

• Fraud Malware

Page 23: Why Haven’t We Solved This Problem?

[Chart: Threat vs. Spend, 0–100% scale]

In 2012, 94% of all data breached was from servers such as Web and database servers¹

Yet well over 95% of the $27 billion spent on security products goes to products that do not directly address data security²

¹ 2012 Data Breach Investigations Report (Verizon RISK Team in conjunction with the US Secret Service & Dutch High Tech Crime Unit)

² Worldwide Security Products 2011-2014 Forecast (IDC - February 2011)

Page 24: What does Gartner say?

“IPS and NGFW were not designed to protect against Web Application Attacks. To prevent web application attacks, organizations need a solution dedicated to that task …”

Download Link: https://www.imperva.com/lg/lgw.asp?pid=505

Page 25: SecureSphere WAF

Best in Class on-premise protection for Web Applications

Page 26: Production Operation of a WAF

Management

Tuning

• On-boarding Apps

• Mitigating Attacks

• Troubleshooting

• OPEX Costs

Page 27: Deployment Flexibility

[Diagram: a Management Server (MX) managing three Web Application Firewalls, each placed between the Users and its own group of Web Servers.]

Page 28: SecureSphere for AWS

Capabilities

Full SecureSphere WAF

Native support for AWS environment

• CloudFormation deployment

• Elasticity via auto-scaling

Benefits

Reduced time-to-deploy

Reduced network complexity

Customers pay on an as-needed basis (shift of CapEx to OpEx)

[Diagram: Amazon ELBs, Web servers and a Scaling Group spanning Availability Zone 1 and Availability Zone 2.]

Page 29: Dynamic Profiling

By analyzing traffic, SecureSphere automatically learns…

Directories

URLs

Parameters

Expected user input

So it can alert on or block abnormal requests
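The learn-then-enforce idea behind Dynamic Profiling, as an added illustration (not Imperva's code; the page does not describe SecureSphere's actual algorithm): a small profiler learns each URL's methods, parameter names and value shapes from constructed baseline traffic, then reports the deviations a positive security model would alert on or block. The shape classes, the 2x length slack and every request line are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit
# Value-shape classes, most specific first; a value gets the first class it matches.
SHAPES = [("digits", re.compile(r"^\d+$")),
          ("alnum", re.compile(r"^[A-Za-z0-9]+$")),
          ("text", re.compile(r"^[\w .,@'-]+$"))]

def shape_of(value):
    """Name of the first shape class the value matches; 'other' covers operators, markup etc."""
    return next((name for name, rx in SHAPES if rx.match(value)), "other")

def parse(request):
    """Split a constructed 'METHOD /path?query' line into method, path, params."""
    method, target = request.split(" ", 1)
    parts = urlsplit(target)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)

class Profile:
    def __init__(self):
        self.methods = defaultdict(set)   # URL path -> HTTP methods seen
        self.params = defaultdict(dict)   # URL path -> parameter -> (shapes, max length)

    def learn(self, request):
        """Learning phase: record what normal traffic to each URL looks like."""
        method, path, params = parse(request)
        self.methods[path].add(method)
        for name, value in params:
            shapes, max_len = self.params[path].get(name, (set(), 0))
            shapes.add(shape_of(value))
            self.params[path][name] = (shapes, max(max_len, len(value)))

    def check(self, request):
        """Enforcement phase: list deviations from the profile; [] means normal."""
        method, path, params = parse(request)
        if path not in self.methods:
            return ["unknown URL"]
        issues = []
        if method not in self.methods[path]:
            issues.append(f"unexpected method {method}")
        for name, value in params:
            if name not in self.params[path]:
                issues.append(f"unknown parameter {name}")
                continue
            shapes, max_len = self.params[path][name]
            if shape_of(value) not in shapes:
                issues.append(f"{name}: value shape {shape_of(value)} not in {sorted(shapes)}")
            if len(value) > 2 * max_len:  # slack so modest growth of normal values is not flagged
                issues.append(f"{name}: length {len(value)} exceeds learned {max_len}")
        return issues

TRAINING = [  # constructed baseline traffic observed during the learning period
    "GET /products?id=42", "GET /products?id=7", "GET /search?q=red+shoes",
    "POST /login?user=alice&pw=s3cret", "POST /login?user=bob99&pw=hunter2"]

def build_profile():
    profile = Profile()
    for req in TRAINING:
        profile.learn(req)
    return profile
```

In practice the learning period runs against trusted traffic only, and the profile is reviewed before switching from alerting to blocking.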

Page 30: ThreatRadar Reputation Services

1. Globally tracks attack sources (ThreatRadar Servers: Phishing Sites, Anonymous Proxy & TOR, Malicious IPs)

2. Distributes feeds to WAF

3. Blocks malicious sources

[Diagram: ThreatRadar Servers feeding the WAF that sits in front of the Web Servers.]

Page 31: ThreatRadar Fraud Prevention Services

Policy Based Fraud Verification

Page 32: ThreatRadar Community Defense

Gathers live attack data from SecureSphere WAFs around the world

Distributes attack patterns and reputation data in near-real time

Page 33: Virtual Patching Through Scanner Integration

SecureSphere can import scan results and instantly create mitigation policies

Eliminated payment processors’ emergency fix and test cycles

[Diagram, Customer Site: Scanner finds vulnerabilities → SecureSphere imports scan results → Web applications are protected]
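How a scanner finding can turn into a mitigation policy, as an added illustration (not SecureSphere's policy format, which the page does not describe): constructed scanner findings are imported as rules scoped to one URL path and parameter, each enforcing a conservative value pattern chosen per vulnerability class, and a rule is retired once a rescan confirms the code fix shipped. The finding ids, the scan-result structure and the per-class patterns are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Conservative allowed-value patterns per vulnerability class (assumption for this
# example): the virtual patch rejects any value the pattern does not fully cover.
ALLOWED_BY_CLASS = {
    "SQL Injection": r"[\w .@-]*",          # no quotes, comment or statement separators
    "Cross-site Scripting": r"[^<>\"'&]*",  # no markup or attribute-breaking characters
}
DEFAULT_ALLOWED = r"[\w .@-]*"

# Constructed scanner export (not a real scanner's format): one finding per
# vulnerable URL/parameter pair, as the import step would receive it.
SCAN_RESULTS = [
    {"id": "F-001", "path": "/products", "param": "id", "class": "SQL Injection"},
    {"id": "F-002", "path": "/search", "param": "q", "class": "Cross-site Scripting"},
]

class VirtualPatchSet:
    def __init__(self):
        self.rules = {}  # finding id -> rule, so each patch stays traceable to its finding

    def import_scan(self, findings):
        """Turn each finding into a rule scoped to that URL path and parameter."""
        for f in findings:
            pattern = ALLOWED_BY_CLASS.get(f["class"], DEFAULT_ALLOWED)
            self.rules[f["id"]] = {"path": f["path"], "param": f["param"],
                                   "allow": re.compile(pattern)}
        return len(self.rules)

    def retire(self, finding_id):
        """Drop a patch once a rescan confirms the application fix has shipped."""
        return self.rules.pop(finding_id, None) is not None

    def evaluate(self, request):
        """Return the id of the rule a constructed 'METHOD /path?query' request violates, or None."""
        _method, target = request.split(" ", 1)
        parts = urlsplit(target)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        for fid, rule in self.rules.items():
            value = params.get(rule["param"])
            if parts.path == rule["path"] and value is not None \
                    and not rule["allow"].fullmatch(value):
                return fid  # the request would be blocked and logged against this finding
        return None

def build_patches():
    patches = VirtualPatchSet()
    patches.import_scan(SCAN_RESULTS)
    return patches
```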

Page 34: Incapsula

Best in Class cloud based Protection for Web Applications

Page 35: Imperva Incapsula Overview

By routing Website traffic through Incapsula, bad traffic is removed and good traffic is accelerated

Page 36: Imperva Incapsula Overview

Incapsula is a cloud-based CDN solution which helps Website owners…

Load Balance Sites and Servers

Page 37: Incapsula’s Global Content Delivery Network

Datacenters

• Currently 17 PoPs, 3 Scrubbing Centers – 630 Gbps+ capacity: USA 9 (Asheville NC, Ashburn VA, Los Angeles, San Jose CA, Chicago, New York, Miami, Seattle, Dallas), London, Singapore, Tel Aviv, Amsterdam, Tokyo, Frankfurt, Sydney, Paris

• Plans for many additional PoPs and scrubbing centers: Toronto, San Francisco, Denver, Hong Kong, Sao Paulo, New Zealand and Milan

Data Across Borders

• Customer data can be locked into (or out of) specific countries

Page 38: DDoS 3rd Party Review: Imperva Incapsula #1 2013/14

Source: http://ddos-protection-services-review.toptenreviews.com/

Page 39: Web Security & Performance Service 3rd Party Review

Source: http://website-security-and-performance-review.toptenreviews.com/

Page 40: New: Fully Featured Load-Balancing Option

Failover to Standby site (DR Scenarios)

• Active/Passive Topology

• Choice of failover decision (e.g. min servers)

• Site failure may be determined by multiple PoPs

Layer 7 Load Balancing

• Granular Server LB within a site (e.g. least requests)

• Connection Stickiness option

• Granular server monitoring and alerting

• Support for multiple ISPs within a site

• Support for port address translation to preserve IP addressing

Global Server Load Balancing (GSLB)

• Active/Active Topology

• Site failure determined as per DR choices

• Global LB choice (e.g. by area, by fastest response)

• L7 monitoring (e.g. check URL response time and content)

Page 41: How does it all come together?

The BIG Picture

Page 42: DDoS Attack Protection (Cloud + Premises)

SecureSphere Appliance

• App DDoS protection

• Incapsula available on demand as needed

Incapsula Service

• Always on for cloud users

• Volumetric & application attacks mitigated

• SOC team available for attack analysis & mitigation

[Diagram: the protected site reached over four ISP links.]

Page 43: Web App Security where You need it!

[Diagram: from the Internet, traffic passes SecureSphere WAF instances (four shown) in front of their Web Servers, all managed by a Management Server (MX).]

Page 44: Complete Protection Against Web Threats

[Figure: SecureSphere in front of the Web Apps, shielding them from Known Attackers, Bots, Web Attacks, Undesirable Countries, Web Fraud, App DDoS, Scrapers, Phishing Sites, Comment Spammers and Vulnerabilities.]

Page 45: Questions?