Web Apps Vulnerability Management Circle
How to make it simple with Imperva & Rapid7 integration
Bartosz Kryński, Senior Consultant, Clico
12.11.2015

Hackers Exploiting Same Old Vulnerabilities
“99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.”
Source: Verizon 2015 Data Breach Investigations Report

Share of applications that have vulnerabilities
Source: Cenzic

90% of security events come from known bad actors (Source: Imperva)
60%+ of website traffic is non-human (Source: Imperva)

What is the vulnerability management life cycle?

Vulnerability management life-cycle diagram: Virtual Patches

… & about the mitigation…

Defenses Required to Protect Web Applications
Defenses (grouped on the slide under Technical Vulnerabilities, Business Logic Attacks and Accuracy):
• Correlated Attack Validation
• Virtual Patching
• DDoS Protection
• Dynamic Profiling
• Attack Signatures
• Protocol Validation
• Cookie Protection
• Fraud Connectors
• IP Geolocation
• IP Reputation
• Anti-Scraping Policies
• Bot Mitigation Policies
• Account Takeover Protection

SecureSphere Correlation Engine
Inputs correlated by the engine: Protocol Validation, Attack Signatures, Application Profile, Data Leak Prevention, ThreatRadar. Correlating these inputs is what delivers accuracy.

SecureSphere Correlation Engine (example)
Inputs: Protocol Validation, Attack Signatures, Application Profile, Data Leak Prevention, ThreatRadar.
Worked case: an encoding violation (protocol validation) + a JavaScript signature (attack signatures) + a length & type violation (application profile). Each on its own is a weak indicator; together they identify a cross-site scripting attack.

Superior Protection Versus Next-Generation Firewalls
OWASP Top 10 (for 2013): 40% is theoretical; far less for real-world attacks.

Industrialized Hacking gives hackers extreme leverage

ThreatRadar Subscriptions
• ThreatRadar Reputation
• ThreatRadar Bot Protection
• ThreatRadar Account Takeover Protection

More Focused, More Productive Team
Eliminate the “noise” from known-bad sources and prioritize the truly worrisome events (before/after event-volume chart).

More Focused, More Productive Team
SecureSphere Correlation Engine inputs: Protocol Validation, Attack Signatures, Application Profile, Data Leak Prevention, ThreatRadar.
Worked case: a SQLi suspicion from the inspection engines + a request from TOR (ThreatRadar reputation). ThreatRadar adds context to the correlation, so the same suspicious request is rated differently depending on where it comes from.
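
As an added example, not from the slides and not Imperva's code, the Python sketch below shows how several weak signals from independent engines can be correlated into one verdict, covering both the XSS case on the earlier correlation slide and the SQLi-plus-TOR case here. The learned profile, the one-entry reputation feed standing in for ThreatRadar, the signatures and the sample requests are all constructed for the example; the severity scale and the rule that only agreeing signals escalate are assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed inputs (not from the slides): a learned profile for one page,
# a one-entry reputation feed standing in for ThreatRadar, and signatures.
PROFILE = {"/search": {"q": {"type": "alnum", "max_len": 40}}}
TOR_EXIT_IPS = {"185.220.101.7"}  # hypothetical feed entry

JS_SIGNATURES = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"\bon(error|load|mouseover)\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]
SQLI_SIGNATURES = [
    re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"\bunion\s+select\b", re.I),
]


@dataclass
class Request:
    src_ip: str
    path: str
    params: dict  # name -> raw (still URL-encoded) value


@dataclass
class Verdict:
    violations: list = field(default_factory=list)
    conclusion: str = "clean"
    severity: int = 0  # 0 = none, 1 = audit, 2 = alert, 3 = block


def protocol_validation(raw: str) -> list:
    """Encoding anomalies: a double-encoded escape, or a '%' not followed by hex."""
    found = []
    if re.search(r"%25[0-9A-Fa-f]{2}", raw):
        found.append("encoding:double")
    if re.search(r"%(?![0-9A-Fa-f]{2})", raw):
        found.append("encoding:invalid")
    return found


def attack_signatures(value: str) -> list:
    found = []
    if any(p.search(value) for p in JS_SIGNATURES):
        found.append("signature:javascript")
    if any(p.search(value) for p in SQLI_SIGNATURES):
        found.append("signature:sqli")
    return found


def profile_check(path: str, name: str, value: str) -> list:
    """Compare the decoded value with the learned profile for this parameter."""
    spec = PROFILE.get(path, {}).get(name)
    if spec is None:
        return ["profile:unknown-parameter"]
    found = []
    if len(value) > spec["max_len"]:
        found.append("profile:length")
    if spec["type"] == "alnum" and not re.fullmatch(r"[A-Za-z0-9 ]*", value):
        found.append("profile:type")
    return found


def threat_radar(src_ip: str) -> list:
    return ["reputation:tor"] if src_ip in TOR_EXIT_IPS else []


def correlate(req: Request) -> Verdict:
    """Run every engine, then decide only on agreeing signals.

    A JavaScript signature alone in a free-text field is a weak signal; the
    same signature plus a profile violation is treated as a confirmed XSS.
    A SQLi suspicion alone is audited; the same request from a TOR exit is
    escalated, which is the 'context' the reputation feed adds.
    """
    verdict = Verdict()
    for name, raw in req.params.items():
        value = unquote(unquote(raw))  # decode twice so double-encoded payloads are inspected in final form
        verdict.violations += protocol_validation(raw)
        verdict.violations += attack_signatures(value)
        verdict.violations += profile_check(req.path, name, value)
    verdict.violations += threat_radar(req.src_ip)
    seen = set(verdict.violations)
    if "signature:javascript" in seen and seen & {"profile:length", "profile:type"}:
        verdict.conclusion = "xss"
        verdict.severity = 3 if "encoding:double" in seen else 2
    elif "signature:sqli" in seen:
        verdict.conclusion = "sqli-suspicion"
        verdict.severity = 2 if "reputation:tor" in seen else 1
    elif seen:
        verdict.conclusion = "anomaly"
        verdict.severity = 1
    return verdict


if __name__ == "__main__":
    # Constructed sample requests: benign, double-encoded XSS, SQLi from a TOR exit.
    for req in (
        Request("10.0.0.5", "/search", {"q": "blue%20shoes"}),
        Request("10.0.0.5", "/search", {"q": "%253Cscript%253Ealert(1)%253C%252Fscript%253E"}),
        Request("185.220.101.7", "/search", {"q": "1'%20or%201%3D1"}),
    ):
        v = correlate(req)
        print(req.src_ip, req.params, "->", v.conclusion, v.severity, sorted(set(v.violations)))
```

The point to take from the structure is that no engine blocks on its own: a `<b>` tag in a comment field only produces a profile anomaly, while the same field carrying a script tag plus a double-encoded escape is blocked outright. The reputation lookup never changes what the request contains; it only changes how much benefit of the doubt it gets.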

Reduce Infrastructure Costs
10-50% of website traffic comes from known bad actors. Dropping it at the edge means:
• More efficient WAF
• Fewer log entries
• Less disk needed
• Fewer events to SIEM

Reduce Infrastructure Costs
Malicious traffic costs: spam, marketing spamdexing (reputation impact), fraud, DDoS, manual reviews.
• Keep forms safe
• Gain backend efficiencies

ThreatRadar Subscriptions
• ThreatRadar Reputation
• ThreatRadar Bot Protection
• ThreatRadar Account Takeover Protection

Majority of Website Traffic from Bots
• Bots generate >60% of website traffic
• Half of this is malicious
• Bots are getting harder to distinguish

Identifying Bots via Classification
1. Inspect client: IP | Headers | User Agent. Outcome: Human, General Bot, Unknown, Known good bot, Known bad bot, Whitelisted bot.
2a. Challenge client: Cookie Challenge
2b. JavaScript Challenge
2c. CAPTCHA Challenge. Outcome: Human or General Bot (CAPTCHA gives further confidence it is a human).
• CAPTCHA insertion options
o Login event
o Activity-based (controlled availability)
• Regular Web Custom Policy enforcement

Apply SecureSphere Policy Based Upon Classification
The same flow (inspect client, then cookie, JavaScript and CAPTCHA challenges) yields the classes Human, General Bot, Unknown, Known good bot, Known bad bot and Whitelisted bot; SecureSphere policy is then applied per class.
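
As an added example of the two slides above, and not code from the slides or from the product, the Python below implements the staged classification: a passive pass over IP, headers and User-Agent, then escalating cookie, JavaScript and CAPTCHA challenges for clients that are still unknown, and finally a per-class policy action. The IP and User-Agent lists, the signing key and the policy table are constructed; the client's behaviour under challenge is simulated by three booleans so the flow can be exercised offline.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed lists (hypothetical, not the product's feeds).
WHITELISTED_IPS = {"203.0.113.10"}            # our own uptime probe
KNOWN_BAD_IPS = {"198.51.100.23"}             # reputation feed hit
KNOWN_GOOD_UA_TOKENS = ("Googlebot", "bingbot")
KNOWN_BAD_UA_TOKENS = ("sqlmap", "masscan", "python-requests")
SECRET = b"rotate-me-per-deployment"           # key for challenge cookies (assumption)

# The policy applied to each class; the actions are assumed, not the slide's.
POLICY = {
    "whitelisted bot": "allow",
    "known good bot": "allow",
    "known bad bot": "block",
    "human": "allow",
    "general bot": "rate-limit",
}


@dataclass
class Client:
    ip: str
    user_agent: str
    headers: dict = field(default_factory=dict)
    # How the client behaves when challenged; drives the simulation below.
    accepts_cookies: bool = True
    runs_javascript: bool = True
    solves_captcha: bool = True


def inspect(client: Client) -> str:
    """Step 1: passive classification from IP, headers and User-Agent."""
    ua = client.user_agent
    if client.ip in WHITELISTED_IPS:
        return "whitelisted bot"
    if client.ip in KNOWN_BAD_IPS or any(t.lower() in ua.lower() for t in KNOWN_BAD_UA_TOKENS):
        return "known bad bot"
    if any(t in ua for t in KNOWN_GOOD_UA_TOKENS):
        return "known good bot"
    if not ua or "Accept-Language" not in client.headers:
        return "general bot"  # real browsers always send both
    return "unknown"


def issue_cookie_challenge(ip: str, now: int) -> str:
    """2a: a cookie only a client that stores and returns cookies can echo back."""
    mac = hmac.new(SECRET, f"{ip}|{now}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{now}.{mac}"


def verify_cookie_challenge(ip: str, cookie, now: int, max_age: int = 300) -> bool:
    """Accept only a cookie we issued, for this IP, within max_age seconds."""
    try:
        issued_str, mac = cookie.split(".", 1)
        issued = int(issued_str)
    except (AttributeError, ValueError):
        return False
    if not 0 <= now - issued <= max_age:
        return False
    expected = hmac.new(SECRET, f"{ip}|{issued}".encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(mac, expected)


def challenge(client: Client, now: int, captcha_enabled: bool) -> str:
    """Steps 2a-2c: escalate cookie -> JavaScript -> CAPTCHA, stopping at the first failure."""
    token = issue_cookie_challenge(client.ip, now)
    echoed = token if client.accepts_cookies else None      # simulated client behaviour
    if not verify_cookie_challenge(client.ip, echoed, now):
        return "general bot"
    if not client.runs_javascript:                            # 2b: JS challenge unanswered
        return "general bot"
    if captcha_enabled:                                       # 2c: only on login / by activity
        return "human" if client.solves_captcha else "general bot"
    return "human"


def classify(client: Client, now: int = 1_700_000_000, captcha_enabled: bool = False) -> tuple:
    """Return (class, policy action) for one client."""
    label = inspect(client)
    if label == "unknown":
        label = challenge(client, now, captcha_enabled)
    return label, POLICY[label]


if __name__ == "__main__":
    for c in (
        Client("192.0.2.1", "Mozilla/5.0", {"Accept-Language": "en"}),
        Client("192.0.2.3", "sqlmap/1.5", {"Accept-Language": "en"}),
        Client("192.0.2.5", "Mozilla/5.0", {"Accept-Language": "en"}, runs_javascript=False),
    ):
        print(c.ip, c.user_agent, "->", classify(c))
```

Two things worth noting. The order of the passive checks matters: the whitelist is consulted before the bad lists so an internal probe is never blocked by a stale reputation entry, and the bad lists before the good ones so a bad IP cannot pass by claiming a crawler's User-Agent. And "known good bot" here is decided from the User-Agent string alone, which anyone can spoof; a production check should confirm the claim by reverse DNS of the source IP, as the major search engines recommend.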

ThreatRadar Subscriptions
• ThreatRadar Reputation
• ThreatRadar Bot Protection
• ThreatRadar Account Takeover Protection

50% of successful web attacks involve stolen credentials
Source: Verizon 2015 DBIR

Anatomy of Account Takeover Attack
1. Harvest credentials: the hacker obtains stolen credentials (MITB / phishing).
2. Test credentials: a botnet control server tries the harvested accounts (Joe, Mary, Elvis, …) against the web servers.
3. Gain access: valid pairs log in to the web servers.
4. Steal assets: medical records, intellectual property, banking / financial data.

Detecting Account Takeover Using Device Intelligence
www.webstore.com, protected by ThreatRadar:
1. Device profiling / identification
2. Device risk evaluation returns a device risk score (reputation, association, evasion) = Low / Medium / High
3. WAF mitigation rules correlate the device risk score with other TR services to audit / alert / block
WAF mitigation rules:
• Low-Risk (AUDIT) = device (w/ prior fraud) attempts to log in
• Med-Risk (ALERT) = device (w/ prior fraud) + device associated with multiple accounts
• High-Risk (BLOCK) = device (w/ prior fraud) + device associated with multiple accounts + TR known bot client
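
As an added example that is not the slides' or the product's code, the Python below runs the three-step flow over a batch of login attempts: the device fingerprint is taken as given (step 1), the reputation / association / bot signals are computed (step 2), and the three audit / alert / block rules above are applied (step 3). The fraud-device set, the bot and anonymizer IP lists, the multi-account threshold and the login batch are all constructed. The last branch of `mitigation` goes beyond the slide: a device with no fraud history that sprays many accounts through an anonymizer matches the test-credentials phase of the attack anatomy, so it is alerted on too.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed intelligence (hypothetical): device fingerprints with prior fraud,
# client IPs a bot feed would flag, and anonymizer exits (the evasion signal).
PRIOR_FRAUD_DEVICES = {"dev-7f3a", "dev-11b2", "dev-2c9e"}
KNOWN_BOT_IPS = {"198.51.100.23"}
ANONYMIZER_IPS = {"185.220.101.7"}
MULTI_ACCOUNT_THRESHOLD = 3   # assumption: 3+ distinct accounts from one device


@dataclass(frozen=True)
class LoginAttempt:
    device_id: str   # output of step 1, device profiling / identification
    account: str
    src_ip: str


def accounts_per_device(attempts):
    """Association signal: which accounts has each device tried to log into?"""
    seen = defaultdict(set)
    for a in attempts:
        seen[a.device_id].add(a.account)
    return seen


def device_signals(attempt, assoc):
    """Step 2 inputs: reputation, association, evasion, plus the bot-client feed."""
    return {
        "reputation": attempt.device_id in PRIOR_FRAUD_DEVICES,
        "association": len(assoc[attempt.device_id]) >= MULTI_ACCOUNT_THRESHOLD,
        "evasion": attempt.src_ip in ANONYMIZER_IPS,
        "bot_client": attempt.src_ip in KNOWN_BOT_IPS,
    }


def risk_score(sig):
    """Step 2 output, following the three rules on the slide."""
    if sig["reputation"] and sig["association"] and sig["bot_client"]:
        return "high"
    if sig["reputation"] and sig["association"]:
        return "medium"
    if sig["reputation"]:
        return "low"
    return "none"


def mitigation(sig):
    """Step 3: map the score to audit / alert / block.

    The final branch is an addition beyond the slide: many accounts from one
    device via an anonymizer is credential testing even without fraud history.
    """
    score = risk_score(sig)
    if score == "high":
        return "block"
    if score == "medium":
        return "alert"
    if score == "low":
        return "audit"
    if sig["association"] and sig["evasion"]:
        return "alert"
    return "allow"


def evaluate(attempts):
    """Return {attempt: action} for every attempt in the batch."""
    assoc = accounts_per_device(attempts)
    return {a: mitigation(device_signals(a, assoc)) for a in attempts}


# Constructed login batch: one device per scenario on the slide, plus a sprayer.
SAMPLE_ATTEMPTS = [
    LoginAttempt("dev-7f3a", "joe", "198.51.100.23"),
    LoginAttempt("dev-7f3a", "mary", "198.51.100.23"),
    LoginAttempt("dev-7f3a", "elvis", "198.51.100.23"),
    LoginAttempt("dev-11b2", "alice", "10.0.0.5"),
    LoginAttempt("dev-2c9e", "joe", "10.0.0.6"),
    LoginAttempt("dev-2c9e", "mary", "10.0.0.6"),
    LoginAttempt("dev-2c9e", "elvis", "10.0.0.6"),
    LoginAttempt("dev-clean", "bob", "10.0.0.7"),
    LoginAttempt("dev-spray", "u1", "185.220.101.7"),
    LoginAttempt("dev-spray", "u2", "185.220.101.7"),
    LoginAttempt("dev-spray", "u3", "185.220.101.7"),
]

if __name__ == "__main__":
    for attempt, action in evaluate(SAMPLE_ATTEMPTS).items():
        print(attempt.device_id, attempt.account, attempt.src_ip, "->", action)
```

The association count is computed over the whole batch before any decision is taken, so the first attempt from a device is judged with knowledge of the attempts that follow it; in a streaming deployment the same count would be kept in a sliding window and the early attempts would be audited rather than alerted until the threshold is crossed.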

Globally Crowd-sourced
ThreatRadar feeds: Malicious IPs, Phishing URLs, Anonymous Proxy, TOR IPs, Comment Spam IPs, RFI IPs, IP Forensics, SQLi IPs, Scanner IPs, Scraping Bots, Credit Card Cycling, Registration Bots.
The Power of Community: >75% of attacks come from the same sources.

Let's get back to web apps vulnerabilities

APPLICATION ASSESSMENT FOR THE MODERN WORLD

Know Your Weak Points
• Web Evolving Rapidly
• Vulnerability responses are not consistent
‒ Custom error pages can lead to false positives
• Requires advanced heuristics
‒ Suppress false positives
‒ Avoid false negatives
‒ Difficult balance, made easier with better logic
• False Positive Costs
‒ Time to investigate
‒ Reputational impact to security team/MSSP
• False Negative Costs
‒ Still exposed
‒ Fewer findings reduce the perception of value
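
As an added illustration of the custom-error-page problem, not code from the slides or from AppSpider, the Python below shows the heuristic scanners use to avoid that false positive: request paths that cannot exist, record what the application answers, and treat any later response that looks the same as "not found" regardless of its status code. The target site, its pages and its friendly error page are constructed; the similarity threshold is an assumption.

```python
import difflib
import random
import string
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


# Constructed target (not a real site): every unknown path gets a friendly
# "not found" page with HTTP 200, which a status-code-only check misreads as a hit.
_PAGES = {
    "/": "<html><title>Shop</title><body>Welcome to the shop</body></html>",
    "/admin/": "<html><title>Admin</title><body>Administrator login required</body></html>",
}


def fake_site(path: str) -> Response:
    if path in _PAGES:
        return Response(200, _PAGES[path])
    return Response(200, "<html><title>Oops</title><body>We could not find " + path
                    + ". Try the search box or go back to the home page.</body></html>")


def normalize(body: str, path: str) -> str:
    """Remove the echoed request path so two error pages compare equal."""
    return body.replace(path, "")


def similarity(a: str, b: str) -> float:
    return difflib.SequenceMatcher(None, a, b).ratio()


def learn_error_baseline(fetch, samples: int = 3, seed: int = 1):
    """Request paths that cannot exist and record (status, normalized body) for each."""
    rng = random.Random(seed)
    baseline = []
    for _ in range(samples):
        path = "/" + "".join(rng.choices(string.ascii_lowercase, k=16))
        resp = fetch(path)
        baseline.append((resp.status, normalize(resp.body, path)))
    return baseline


def is_error_page(path: str, resp: Response, baseline, threshold: float = 0.9) -> bool:
    """True when the response matches the learned error page closely enough."""
    body = normalize(resp.body, path)
    return any(resp.status == st and similarity(body, b) >= threshold for st, b in baseline)


def naive_scan(fetch, candidates):
    """What a status-code-only scanner reports."""
    return [p for p in candidates if fetch(p).status == 200]


def scan(fetch, candidates):
    """Same candidates, with the custom-error-page heuristic suppressing false positives."""
    baseline = learn_error_baseline(fetch)
    hits = []
    for p in candidates:
        resp = fetch(p)
        if resp.status == 200 and not is_error_page(p, resp, baseline):
            hits.append(p)
    return hits


if __name__ == "__main__":
    candidates = ["/admin/", "/backup.zip", "/.git/config", "/phpmyadmin/"]
    print("naive:", naive_scan(fake_site, candidates))
    print("with baseline:", scan(fake_site, candidates))
```

The baseline has to be re-learned per directory in practice, since applications often serve different error pages under different routes, and the threshold is a balance: set it too high and a page that embeds the date or a request id slips past as "real", which is the false positive; set it too low and a genuinely different page that shares the site template is suppressed, which is the false negative.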

Know Your Weak Points
• Dependence on Training: Failed Option
‒ Auditors rarely know the application very well
‒ Auditors have a limited amount of time to spend training the scanners on each application
‒ Auditors' time is better spent on attacks only humans can do
‒ Depending on auditors to train the scanner on every area of the application is a failed assumption

Application Assessment for the Modern World
• Know your weak points
• Prioritize what matters most
• Improve your position

Know Your Weak Points
• The changing landscape
• Scanner paradigm shift
‒ No longer just “HTML based” applications
‒ Today’s applications are dynamic & complex
o Rich clients – AJAX/Flash/Flex/Silverlight
o Mobile clients – communicate over HTTP to backend services
• Requires a paradigm shift in scanning technologies
‒ Must handle Web 2.0, Mobile, and Web Services
‒ Must evolve to test new formats and structures
‒ JSON, REST, AMF, GWT-RPC, SOAP, XML-RPC, etc…
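
As an added example of what "testing new formats" means in practice, and not code from the slides or from AppSpider, the Python below enumerates injection points in a JSON request body, including nested objects and array elements, and emits one mutated body per point with the payload re-encoded as JSON; the same is done for a classic form body for comparison. The request bodies and the payload are constructed; AMF, SOAP and GWT-RPC are left as the "needs its own encoder" branch.

```python
import copy
import json
from urllib.parse import parse_qsl, urlencode


def injection_points(node, prefix=()):
    """Yield the path to every scalar in a JSON document, descending into objects and arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from injection_points(value, prefix + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from injection_points(value, prefix + (index,))
    else:
        yield prefix


def with_value(doc, path, value):
    """Return a deep copy of doc with the scalar at path replaced."""
    if not path:                      # the whole document is one scalar
        return value
    mutated = copy.deepcopy(doc)
    node = mutated
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return mutated


def mutate_json(body: str, payload: str):
    """One mutated body per injection point; json.dumps re-encodes the payload correctly."""
    doc = json.loads(body)
    for path in injection_points(doc):
        yield path, json.dumps(with_value(doc, path, payload))


def mutate_form(body: str, payload: str):
    """Same idea for an application/x-www-form-urlencoded body."""
    pairs = parse_qsl(body, keep_blank_values=True)
    for i, (name, _) in enumerate(pairs):
        mutated = pairs[:i] + [(name, payload)] + pairs[i + 1:]
        yield (name,), urlencode(mutated)


def attack_points(content_type: str, body: str, payload: str):
    """Dispatch on Content-Type; return a list of (path, mutated_body)."""
    if content_type.startswith("application/json"):
        return list(mutate_json(body, payload))
    if content_type.startswith("application/x-www-form-urlencoded"):
        return list(mutate_form(body, payload))
    return []  # other formats (AMF, SOAP, GWT-RPC) need their own encoder


if __name__ == "__main__":
    # Constructed request body and payload.
    body = '{"user": {"name": "joe", "tags": ["a", "b"]}, "page": 1}'
    for path, mutated in attack_points("application/json", body, '"><svg/onload=alert(1)>'):
        print(path, mutated)
```

A form-era scanner that only understands `name=value&name=value` sees a JSON body as a single opaque parameter and either skips it or corrupts it; the two details that make a JSON-aware scanner work are enumerating inside arrays and nested objects, and encoding the payload with the body's own serializer so the mutated request still parses on the server and reaches the sink.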

Know Your Weak Points
• The Widening Coverage Gap
Exposure-gap chart: other testing tools vs. AppSpider across Static Pages, Web 2.0 (AJAX), Web 3.0 & Mobile (JSON, REST, AMF, SOAP), Application Frameworks, JavaScript and CGI. “AppSpider covers more application technologies than any other WAS.”

Improve Your Position
• How long does it take for website vulnerabilities to get fixed (Window of Exposure)?
• Security Statistics Report Winter 2011 (from WhiteHat’s 2012 report)

Improve Your Position
• Automate WAF/IPS Virtual Patching
‒ Effective custom virtual patch: WAF knowledge + app knowledge, then patch
‒ Ineffective virtual patch (the competition): turn on a default WAF rule, then patch
“[AppSpider’s] generated rules are at least 39% more effective than the WAF/IPS default rules.” Application Security Consultant Larry Suto

Improve Your Position
• Defensive Workflow
1. Import AppSpider discovered vulnerabilities into AppSpider Defend
2. Select vulns to protect against
3. Generate filters & upload them into the WAF/IPS
4. Run AppSpider Defend QuickScan to verify effectiveness
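
As an added example covering both the "custom vs. default virtual patch" slide and the defensive workflow above, and not code from the slides, from AppSpider Defend or from SecureSphere, the Python below generates a pinpoint rule for one confirmed finding from the benign values the scanner saw the application accept, renders it in ModSecurity-style syntax for illustration, and then replays attack payloads and benign values through both the pinpoint rule and a generic default signature to measure what each blocks and what each breaks, which is the QuickScan step. The finding, the benign samples, the payload set, the length headroom and the rule id are constructed; the ModSecurity rendering is an assumed target syntax, not what either product emits.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    """What the scanner export carries for one confirmed vulnerability (constructed)."""
    vuln_id: str
    path: str
    parameter: str
    vuln_type: str
    benign_samples: list  # values the crawler saw the application accept


@dataclass
class VirtualPatch:
    rule_id: int
    path: str
    parameter: str
    allow_regex: str
    max_len: int


def learn_allow_regex(samples, headroom: int = 2):
    """Positive model for one parameter: the character classes seen, with length headroom."""
    chars = {c for s in samples for c in s}
    cls = ""
    if any(c.isalpha() for c in chars):
        cls += "A-Za-z"
    if any(c.isdigit() for c in chars):
        cls += "0-9"
    cls += "".join(re.escape(c) for c in sorted(chars) if not c.isalnum())
    max_len = max(len(s) for s in samples) * headroom   # headroom is an assumption
    return f"^[{cls}]{{1,{max_len}}}$", max_len


def generate_patch(finding: Finding, rule_id: int) -> VirtualPatch:
    """App knowledge (scanner) + WAF knowledge (rule model) = pinpoint rule for one parameter."""
    regex, max_len = learn_allow_regex(finding.benign_samples)
    return VirtualPatch(rule_id, finding.path, finding.parameter, regex, max_len)


def render_modsecurity(p: VirtualPatch, finding: Finding) -> str:
    """Illustrative ModSecurity v2 rendering of the same patch (assumed target syntax)."""
    return (
        f'SecRule REQUEST_URI "@beginsWith {p.path}" '
        f'"id:{p.rule_id},phase:2,deny,status:403,log,'
        f"msg:'Virtual patch {finding.vuln_id} ({finding.vuln_type}) on {p.parameter}',chain\"\n"
        f'    SecRule ARGS:{p.parameter} "!@rx {p.allow_regex}" "t:none,t:urlDecodeUni"'
    )


def enforce(patch: VirtualPatch, path: str, params: dict) -> str:
    """Decision the WAF would take for one request under the pinpoint patch."""
    if not path.startswith(patch.path) or patch.parameter not in params:
        return "allow"
    value = params[patch.parameter]
    if len(value) > patch.max_len or not re.fullmatch(patch.allow_regex, value):
        return "deny"
    return "allow"


def default_rule(path: str, params: dict) -> str:
    """The 'turn on a default rule' alternative: one generic signature, everywhere."""
    return "deny" if any(re.search(r"<script", v, re.I) for v in params.values()) else "allow"


def quickscan(decide, path, parameter, attacks, benign):
    """Replay attack payloads and known-good values through a decision function."""
    blocked = sum(decide(path, {parameter: a}) == "deny" for a in attacks)
    false_positives = sum(decide(path, {parameter: b}) == "deny" for b in benign)
    return {"blocked": blocked, "missed": len(attacks) - blocked, "false_positives": false_positives}


# Constructed finding and payload set for the replay.
FINDING = Finding("V-0001", "/search", "q", "xss", ["blue shoes", "size 42", "Nike"])
XSS_PAYLOADS = ["<script>alert(1)</script>", "<svg onload=alert(1)>", '"><img src=x onerror=alert(1)>']

if __name__ == "__main__":
    patch = generate_patch(FINDING, 100001)
    print(render_modsecurity(patch, FINDING))
    pinpoint = lambda path, params: enforce(patch, path, params)
    print("pinpoint:", quickscan(pinpoint, "/search", "q", XSS_PAYLOADS, FINDING.benign_samples))
    print("default :", quickscan(default_rule, "/search", "q", XSS_PAYLOADS, FINDING.benign_samples))
```

The pinpoint rule is a positive model scoped to one path and one parameter, so it blocks every payload regardless of which tag or event handler it uses and cannot fire on any other form of the site; the default signature catches only the payload that happens to contain the string it knows. The replay deliberately includes the benign samples: a patch that blocks legitimate traffic is a different kind of outage, and verifying effectiveness means checking both columns, not just the blocked count.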

Summary
Improve Your Position
• Integration between R7 & Imperva SecureSphere WAF
• Generates rules/filters for the Web Application Firewall (WAF)
• Improves effectiveness of web application security tools
‒ Rapid remediation of web vulnerabilities without modifying source code
‒ Avoids tedious manual filter creation
‒ Creates pinpoint-specific rules/filters for your application
• Input from AppSpider saves time and effort
‒ Rapid rule generation & easy installation
‒ Security teams can handle installation
‒ Gives developers time to update the code for the proper solution
‒ Fast path to PCI compliance