For many of today’s businesses, web applications are their lifeline. The growing complexity involved in keeping these applications fast, secure, and available can be seen as a byproduct of shifts in how these apps are developed, deployed, and attacked. This discussion will explore how high-level trends in today’s web environments and the cyber attack landscape are shaping tomorrow’s application security solutions.
Key Takeaways:
- Trends in contemporary web applications that are forcing security evolution
- How today’s cyber attack landscape impacts cybersecurity
- What modern IT security solutions look like
- Distil Networks Overview
3. Agenda
- A brief look at previous evolution in IT security
- Key trends in app development
- The impact of these trends
- The potential future of IT security solutions
4. The Evolution of IT Security
- Endpoint Security: blocking threats targeting devices
- Network Security: blocking threats trying to access networks
- Application Security: blocking threats targeting web applications
5. The Proliferation of Web APIs
- The rise of API driven development is making web APIs more common than ever
- (Diagram labels: API, App Data, Provisioning, Configuration, Reporting, Integration, Social Media, Mobile app)
6. Web APIs need to be included in Security Strategy
API Security can prevent:
- Malicious and unacceptable API usage
- API developer errors from running wild
- Automated API scraping from stealing content
7. Web Browsers are Becoming More Complex
- Bad guys get more tools to leverage when building attacks and bad bots
- (Chart: The Evolution of the Web, browser versions and their technologies)
Source: http://www.evolutionoftheweb.com
8. The Impact of Modern Browsers on Security
- Advanced bots use browser capabilities to evade detection and mimic human behavior
- (Chart: Bad Bot Sophistication Levels, 2014)
9. Leverage Tools Capable of Detecting Advanced Bots
- Traditional security solutions (FW, IPS, WAF, etc.) typically lack the client visibility necessary to effectively identify advanced bots
- Identifying advanced bots and browser automation requires specialized techniques
- (Chart: Approaches to Detecting Bots, by Tier)
10. Architectures are Increasingly Distributed
- Modern applications are geographically distributed, with data centers wherever customer bases are concentrated
- Deployments leverage multiple types of infrastructure (clouds, on-prem, hybrid, multi-cloud, etc.)
11. Defenses Need to be Interconnected and Versatile
- Flexible deployment options enable complete coverage of diverse web estates
- Protection should be standardized across all deployments and infrastructure
- Security precautions must be interconnected to share data, not siloed or isolated
12. Diversity and Complexity of Application Stacks
- Web applications include a wide variety of frameworks, 3rd party code bases, and plug-ins
- Each code base adds potential vulnerabilities into your application
- Not all software vendors have the same security controls
13. Protecting your Stack from Penetration
- Assume your application stack is vulnerable
- Patch. Patch. Patch.
- Minimize the use of 3rd party code
- Do not allow unauthorized vulnerability scans
14. Anonymous Traffic Sources Becoming More Commonplace
- In a post-Snowden world, roughly 9% of Americans have adopted sophisticated steps to shield their information*, such as:
  ○ Using the Tor network
  ○ Using a proxy server
  ○ Using a VPN to obscure origin IP addresses
- Attackers also obfuscate traffic sources with IP spoofing or by using large pools of globally distributed origin IPs
Source: *Americans’ Attitudes About Privacy, Security and Surveillance, Pew Research Center, 2015
15. Advanced Fingerprinting Replacing IP Blocking
- IP blocking is not effective when dealing with modern threats
- Device fingerprinting provides distinct advantages, like:
  ○ Tracking attackers across IP addresses
  ○ Detecting bots through anonymous proxy networks
  ○ Reducing false positives associated with humans anonymizing themselves
16. Access Control Lists have become too Reactive
- Seemingly legitimate IPs and user agents may be imposter bots
- Access Control Lists (ACLs) are no longer useful because attackers regularly change IP addresses
- Manually updating white/black lists to keep up is tedious and short-lived
- (Diagram labels: Whitelist, Blacklist, Everything Else?)
17. Community Sourced Intelligence Improves Accuracy
- Community sourced attack data aggregation provides a more accurate data source for enforcement
- Machine learning and self-configuration greatly reduce security maintenance overhead
18. Mobile Growth Brings With it Mobile Threats
- Mobile users now outnumber desktop users
- Mobile clients are now being used to launch attacks
- Mobile sites tend to be easier to scrape
  ○ Less superfluous content
  ○ Highly structured and easy to navigate layouts
Source: Comscore, The US Mobile App report
19. Mobile Bots Arrive in Droves
- (Charts: Bad Bot Self-Reported Browser, 2014; Actual Browser Usage, 2014)
20. Worst Offending Mobile Carriers, Beware of China
- (Chart: Bad Bot Traffic as Percent of Overall Traffic, U.S., China and Rest of World)
21. Mobile Should not be Overlooked
- Precautions should be implemented to extend security strategies to cover mobile websites
- Mobile clients need to be subjected to the same scrutiny as other users
22. Proliferation of Data in the Cloud Poses a Security Risk
- Increasing amounts of data exist in the cloud and with cloud service providers
- What is their data retention policy?
- What controls are placed around this data?
- Is your web app being exploited to access it?
23. Keeping Data in the Cloud Safe
- Avoid storing excessive sensitive data in the cloud
- Understand how your cloud service vendors work
- Use strong passwords
- Encrypt data
- Don’t let bots scrape your database
24. Online Fraud Boosted by Ashley Madison Breach
- The Ashley Madison breach released 32 million log-in credentials into the wild
- Account takeover and transaction fraud have significantly increased
- Lost or stolen credentials have been the top cause of data breaches since 2010
Source: VBIR 2015
25. Prevent Brute Force Password Attempts
- Bots are typically employed to try password combinations at other sites, looking for valid combos
- Implement tools or application code which can rate-limit login attempts
- Fingerprinting can be used to correlate login attempts using multiple IPs
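The two controls on this slide (rate-limiting login attempts, and using a fingerprint to correlate attempts across IPs), together with the "tracking attackers across IP addresses" advantage from slide 15, as an added Python example that is not from the deck or from Distil Networks; the window, limit, IP addresses and fingerprint strings are constructed for illustration:

```python
from collections import defaultdict, deque

# Constructed policy values for this example (not from the slides).
WINDOW_SECONDS = 60
MAX_FAILURES_PER_KEY = 5

class LoginRateLimiter:
    """Sliding-window limiter counting failed logins per source IP and, optionally,
    per device fingerprint, so a run spread across many IPs still adds up."""
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_FAILURES_PER_KEY, use_fingerprint=True):
        self.window, self.limit, self.use_fingerprint = window, limit, use_fingerprint
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:  # expire entries outside the window
            q.popleft()
        return len(q)

    def check(self, ip, fingerprint, now):
        """Return (allowed, reason). Call before verifying the password."""
        keys = [("ip", "ip:" + ip)]
        if self.use_fingerprint:
            keys.insert(0, ("fingerprint", "fp:" + fingerprint))
        for label, key in keys:
            if self._recent(key, now) >= self.limit:
                return False, label
        return True, None

    def record_failure(self, ip, fingerprint, now):
        self.failures["ip:" + ip].append(now)
        self.failures["fp:" + fingerprint].append(now)

def replay(attempts, limiter):
    """Replay (timestamp, ip, fingerprint, password_ok) tuples; return the
    (timestamp, reason) of every attempt the limiter refused."""
    blocked = []
    for ts, ip, fp, ok in attempts:
        allowed, why = limiter.check(ip, fp, ts)
        if not allowed:
            blocked.append((ts, why))
        elif not ok:
            limiter.record_failure(ip, fp, ts)
    return blocked

# Constructed sample: eight failed logins from eight different IPs sharing one fingerprint.
STUFFING_RUN = [(t, f"203.0.113.{t}", "fp-a1b2", False) for t in range(1, 9)]
# A person on one IP who mistypes twice, then logs in.
HUMAN_RUN = [(1, "198.51.100.7", "fp-c3d4", False), (5, "198.51.100.7", "fp-c3d4", False),
             (9, "198.51.100.7", "fp-c3d4", True)]
```

With fingerprint correlation the stuffing run is refused from the sixth attempt on, while an IP-only limiter never sees more than one failure per key and lets all eight through.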
26. Recapping the Trends and Security Implications
| Trends | IT Security Implications |
| --- | --- |
| API centric development | API security |
| Complexity of browsers | Protection from advanced bots and browser automation |
| Distributed environments | Interconnected tools, deployment flexibility |
| Complexity of application stacks | Patching and blocking reconnaissance attacks |
| Anonymous browsing | Device fingerprinting |
| Access control lists too reactive | Community sourced data feeds, self tuning |
| Mobile growth | Mobile client screening and mobile site security |
| Data in the cloud | Retention policies, encryption, scraping protection |
| Fraud on the rise | Brute force account takeover protection |
27. About Distil Networks
- The First Easy and Accurate Way to Defend Websites Against Malicious Bots
28. The World’s Most Accurate Bot Detection System
- Inline Fingerprinting: fingerprints stick to the bot even if it attempts to reconnect from random IP addresses or hide behind an anonymous proxy.
- Known Violators Database: real-time updates from the world’s largest Known Violators Database, which is based on the collective intelligence of all Distil-protected sites.
- Browser Validation: the first solution to disallow browser spoofing, validating that each incoming request is what it self-reports to be and detecting all known browser automation tools.
- Behavioral Modeling and Machine Learning: machine-learning algorithms pinpoint behavioral anomalies specific to your site’s unique traffic patterns.
29. How Companies Benefit from Distil
- Increase insight & control over human, good bot & bad bot traffic
- Block 99.9% of malicious bots without impacting legitimate users
- Slash the high tax bots place on internal teams & web infrastructure
- Protect data from web scrapers, unauthorized aggregators & hackers
Security has evolved alongside technological advances since the dawn of computing.
The first wave was endpoint security with companies like Symantec, McAfee, etc.
The second major wave of innovation in IT security was network security, which brought with it companies like Check Point, Cisco, and Palo Alto Networks.
The third wave was companies looking to protect applications by inspecting HTTP traffic. This includes companies like Imperva, Akamai, F5, etc.
This presentation will explore some trends in IT security which may shape the future of IT security.
The first trend we’ll discuss is an API Centric approach to application development.
Many modern apps are more like a shell or UI layer to which content is piped over an API.
They also make heavy use of APIs to connect to external solutions for automation.
Although APIs are more prevalent than they used to be, they may not have the same level of security as the applications themselves.
API Security should be part of every corporation’s security strategy. It can prevent several major security and performance issues (listed on the slide).
The graph shows an increase in the features of various browsers over time. The important thing to note is how much new tech has been coming out recently. This gives hackers ample tools to create really advanced bots and automated attacks, which can perform a wide variety of attacks such as session hijacking, click fraud and others.
It also makes these bots harder to identify.
Taking a look at the data from our bot report we can see that almost 1 in 4 bad bots has reached the level of “sophisticated” and that as much as 41% are able to mimic human behavior.
How do we protect against this? Traditional security isn’t cutting it because it was not designed to deal with this problem. Most WAFs are designed specifically to protect against threats like the OWASP Top 10, and do so with a rules-based approach. Advanced bots, on the other hand, fly under the radar of these tools because they appear to be human and are not performing attacks which trigger web app attack rulesets. Identifying these bots requires using a variety of approaches that become more advanced as the bots become more sophisticated.
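To make the contrast in the note above concrete, an added Python example (not from the deck or from Distil’s product) runs a signature-style WAF rule and two simple behavioral features over a constructed access log; the log, the signature pattern, the thresholds and the client names are assumptions made for illustration:

```python
import re
import statistics

# Constructed sample access log: (timestamp_seconds, client, path). "scraper" walks
# product pages at a fixed cadence and never fetches assets; "human" browses
# irregularly and loads the page's CSS/JS like a real browser.
LOG = [
    (0.0, "scraper", "/product/1"), (2.0, "scraper", "/product/2"),
    (4.0, "scraper", "/product/3"), (6.0, "scraper", "/product/4"),
    (8.0, "scraper", "/product/5"), (10.0, "scraper", "/product/6"),
    (0.0, "human", "/product/7"), (0.3, "human", "/static/app.css"),
    (0.4, "human", "/static/app.js"), (13.5, "human", "/product/8"),
    (13.8, "human", "/static/app.css"), (41.0, "human", "/cart"),
    (41.2, "human", "/static/app.js"),
]

# Illustrative WAF-style signature (not a real ruleset): matches classic injection
# and traversal tokens in the request path.
ATTACK_SIGNATURE = re.compile(r"(union\s+select|<script|\.\./)", re.I)

def waf_hits(log):
    """Requests tripping the signature rule. A well-behaved scraper trips none."""
    return [(c, p) for _, c, p in log if ATTACK_SIGNATURE.search(p)]

def behaviour_features(log):
    """Per-client features: regularity of request timing and asset-fetch ratio."""
    by_client = {}
    for ts, client, path in sorted(log):
        by_client.setdefault(client, []).append((ts, path))
    feats = {}
    for client, reqs in by_client.items():
        times = [t for t, _ in reqs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation of inter-request gaps: near 0 means machine-timed.
        mean_gap = statistics.mean(gaps) if gaps else 0.0
        cv = statistics.pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap else 0.0
        asset_ratio = sum(p.startswith("/static/") for _, p in reqs) / len(reqs)
        feats[client] = {"gap_cv": round(cv, 3), "asset_ratio": round(asset_ratio, 3)}
    return feats

def flag_automation(feats, max_cv=0.2, min_asset_ratio=0.1):
    """Clients whose timing is too regular and that skip page assets. The thresholds
    are constructed for this example; a real deployment tunes them per site."""
    return sorted(c for c, f in feats.items()
                  if f["gap_cv"] < max_cv and f["asset_ratio"] < min_asset_ratio)
```

The signature rule matches nothing in this log because the scraper sends only ordinary page requests; the behavioral features flag it anyway, which is the gap the note describes.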
Infrastructures are becoming more distributed. Applications sometimes run on multiple platforms, deployed in clouds, on-premise, in multiples or some combination thereof.
Applications are also architected to handle traffic from anywhere on the globe, which typically results in multiple data centers or cloud availability zones selected to cater to concentrations of users.
Due to the distributed nature of application deployment, there are extra requirements put on security vendors to be effective. They must be flexible enough to cover any type of deployment a customer may have, such that all deployments or instances are able to share the same security benefits.
Additionally, this security needs to communicate amongst itself, instead of being siloed at each deployment or installation site.
Tools should work with multiple kinds of deployment environments.
Rami: As you can see from the data about mobile bad bot traffic, you’re going to want to protect your mobile site.
Craig: Why the increase in bad bot mobile traffic?
One reason is that mobile sites are easier to scrape. The same characteristics that make a mobile optimized site easy to quickly navigate for humans also makes them prime targets for bad bots. Mobile sites tend to be easier to scrape because they provide more structured access to website data.
Rami: 2014 is the first year that bots masking themselves as mobile web users arrived in droves. The Android Webkit Browser, at 4.87%, entered into the Top 5 list of user agents leveraged by bad bots to hide their identities. We hadn’t seen that before.
Craig: Why the surge in mobile bots?
Rami:
Craig: It looks like Firefox was the most reported browser by bad bots, yet Chrome is the clear winner among human users. Similarly, it looks like IE is used twice as much by bots as by humans. Why?
Rami:
Rami: Overall, mobile bot traffic from U.S. mobile carriers (as a percentage of their overall traffic) was roughly on par with the rest of the world during 2014. The real outlier was China with over 30% bad bot traffic.
Craig: Why is China so high?
Rami: This is due in large part to the fact that very few websites outside of China cater to the Chinese market. So, traffic that hits their origin servers from China has a higher propensity to be bad bot traffic.
(AT&T example - phone number and zip code to obtain cust data)
Don’t put unnecessary info into the cloud
Make sure to talk with your vendors, read their terms of service, understand their security controls
Use strong passwords on your accounts
Encrypt your data. Work with vendors who support encryption
Block bots so they cannot scrape your database. (Insert AT&T example here)
Make sure that the web application is secure so the data can’t be pulled from it
Lock down data from export, harvesting, even for authorized users
According to the 2011 to 2015 Verizon Breach Investigation Reports, lost or stolen credentials have been the #1 cause of data breaches. 2015 is likely to continue this trend due to Ashley Madison.
http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf