Today most of the traffic reaching companies' web applications is SSL/TLS traffic, which leaves us with different options for addressing visibility and control of encrypted traffic: trust all SSL traffic and let it through uninspected, or increase the capacity of the security devices. Which path should we take?
No less important are the attacks that reach the company's core applications from actors seeking to compromise their integrity, availability and security, for example bots and DDoS attacks.
Are you protected against advanced threats?
20. Shared Responsibility Model: IaaS
Cloud vendors leave layer 4-7 services to the cloud customer.
Diagram: the public cloud stack (IaaS/PaaS/SaaS) on Microsoft Azure, Amazon Web Services and Google Cloud Platform, from top to bottom: Data, Applications, Runtime, Middleware, Operating System, Virtualization, Physical Servers, Storage, Networking Functions. Each layer is marked either Customer's Responsibility or Cloud Vendor Responsibility. In IaaS the vendor's responsibility stops at virtualization, physical servers, storage and networking; the operating system and everything above it is the customer's.
21. Shared Responsibility Model: PaaS
Cloud vendors leave layer 4-7 services to the cloud customer.
Diagram: same stack and providers as slide 20. In PaaS the vendor also runs the operating system, middleware and runtime; applications and data remain the customer's responsibility.
22. Shared Responsibility Model: SaaS
Cloud vendors leave layer 4-7 services to the cloud customer.
Diagram: same stack and providers as slide 20. In SaaS the vendor runs the application itself; the customer remains responsible for its data and for who is allowed to access it.
23. How Do You Protect Apps?
• Active attacks
• Vulnerabilities
• Address risk and compliance
#ProtectionPeru2019
25. Web App Firewalls (WAF)
Protect against application attacks, mitigate application vulnerabilities, and prevent data leakage.
Inspects traffic to block known bad traffic and allow legitimate traffic.
26. Web App Firewalls (WAF)
Threats covered: injection attacks, cross-site scripting, known app vulnerabilities.
Assets protected: payment card information, customer information, critical apps.
Deployment options: on-premises, cloud-based, as-a-service.
27. WAF Technology
Here's the good news:
• Can act as a stopgap alternative to code review (a compensating control while the code is fixed, not a replacement for fixing it).
• Offers protection against app attacks.
• Mitigates vulnerabilities promptly (virtual patching) without maintenance windows.
• Doesn't require access to source code or developers.
• Provides coverage for the OWASP Top 10.
30. But we still have quite a lot of exposure, not counting DDoS, IP theft, fraud and more…
Breakdown (pie chart):
• Web App Attacks: 53%
• User / Identity: 33%
• Physical: 11%
• Other (VPN, PoS, infra.): 3%
33. Do you…
• …have a public facing web property?
• …have a high-sensitivity web property?
• …contend with bots and unwanted automation?
• …have compliance obligations?
• …have difficult to upgrade software stacks?
• …have legacy web applications?
• …need zero day breathing room?
• …want to reduce your development time-to-market?
34. If you answered YES to any of the above… WAF might be for you!
36. What is the OWASP Top 10?
A broad consensus on the most critical web application security flaws.
37. Application Security Not Addressed by Traditional Firewalls
BIG-IP WAF delivers comprehensive protection against critical web attacks:
• OWASP Top 10
• SQL injection
• Cross-site scripting
• Command injection
• CSRF
• Cookie manipulation
• Brute force attacks
• Forceful browsing
• Buffer overflows
• Web scraping
• Parameter tampering
• Field manipulation
• Information leakage
• Session hijacking
• Zero-day attacks
• Malformed headers
• Bots
• Business logic flaws
38. WAF Learning Mode (Dynamic Web Application Firewall)
Flow through the BIG-IP Platform (1.2.3.4) in the data center, whether deployed on a hypervisor, virtual, physical, or in a private/public cloud:
1. Request made by the client device
2. WAF security policy learns from the request
3. Request load-balanced to the server
4. Application responds
5. WAF security policy learns from the response
6. Response delivered
Entities learned into the security policy (examples from the slide):
• File Types: .jpg, .gif, .css, .php, .html (from /images/banner.jpg, /images/logo.gif, /css/default.css, /app/app.php, /index.html)
• URLs: /images/banner.jpg, /images/logo.gif, /css/default.css, /app/app.php, /index.html
• Parameters: /app/app.php?name=value, /app/app.php?a=1&b=2, /app/app.php?user=bloggsj, /app/app.php?browser=safari
• Cookies: Cookie: name=value; Cookie: JSESSIONID=1A5306372...; Cookie: price=399;total=1399
39. WAF Blocking Mode (Dynamic Web Application Firewall)
• Protection from DoS/DDoS attacks and web application security risks
• Enforce positive and/or negative security policies, protocol compliance
• DataGuard data-scrubbing/DLP/compliance
• Vulnerability assessment service integration
• IP Intelligence malicious client classification and blocking
• Application logging and reporting
Flow through the BIG-IP Platform (1.2.3.4) in the data center (hypervisor, virtual, physical, private/public cloud):
1. Request made
2. BIG-IP WAF security policy checked; a malicious request is detected and blocked
3. Legitimate request load-balanced to the server
4. Vulnerable application responds
5. DLP scrubbing & application cloaking
6. Secure response delivered
Example (MyBank, Banking & Investments): a response that would leak card data is scrubbed before delivery.
Query: SELECT UserID, CreditCard from database where UserID='bloggsj'
Results:
+----+----------+---------------------+
| ID | UserID   | CreditCard          |
+----+----------+---------------------+
| 1  | bloggsj  | **** **** **** **** |
| 2  | bloggsj  | **** **** **** **** |
+----+----------+---------------------+
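The learning and blocking modes above, together with the attack list on slide 37 and the DataGuard masking in the MyBank example, as one added worked example. This is illustrative code written for this page, not F5 BIG-IP or Advanced WAF code. In learning mode it builds a positive security model (file types, URLs, parameter names per URL, cookie names) from the slide's sample traffic; in blocking mode it applies negative signatures first and the positive model second, and scrubs Luhn-valid card numbers from response bodies. The signature patterns, the request representation (URL string plus Cookie header string) and the sample traffic are constructed for the example.

```python
"""Toy WAF: learning mode builds a positive security model, blocking mode enforces it."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Negative security: a deliberately small, constructed signature set (not F5's).
SIGNATURES = {
    "sqli": re.compile(r"(?:'|%27)\s*(?:or|and)\s+|\bunion\s+select\b|;\s*drop\s+table", re.I),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
    "cmdi": re.compile(r"[;&|`]\s*(?:cat|ls|wget|curl|nc)\b", re.I),
}
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, optional spaces/dashes


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so ordinary long numbers are not mistaken for card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrub_response(body: str) -> str:
    """DataGuard-style scrubbing: mask every Luhn-valid PAN in the response body."""
    def mask(m):
        digits = re.sub(r"\D", "", m.group())
        return "**** **** **** ****" if luhn_ok(digits) else m.group()
    return PAN_RE.sub(mask, body)


def parse_request(url: str, cookie: str = ""):
    """Split a request into path, file extension, [(param, value)], [(cookie, value)]."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)   # percent-decodes values
    cookies = []
    for c in cookie.split(";"):
        if c.strip():
            name, _, value = c.strip().partition("=")
            cookies.append((name, value))
    filename = parts.path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return unquote(parts.path), ext, params, cookies


class ToyWaf:
    def __init__(self):
        self.file_types = set()
        self.urls = set()
        self.params = defaultdict(set)   # URL -> parameter names seen on that URL
        self.cookies = set()

    def learn(self, url: str, cookie: str = "") -> None:
        """Learning mode: every observed entity becomes part of the allowed model."""
        path, ext, params, cookies = parse_request(url, cookie)
        self.file_types.add(ext)
        self.urls.add(path)
        for name, _ in params:
            self.params[path].add(name)
        for name, _ in cookies:
            self.cookies.add(name)

    def check(self, url: str, cookie: str = ""):
        """Blocking mode: returns (allowed, reason)."""
        path, ext, params, cookies = parse_request(url, cookie)
        # 1. Negative security: signatures over every attacker-controlled value.
        for value in [path] + [v for _, v in params] + [v for _, v in cookies]:
            for name, sig in SIGNATURES.items():
                if sig.search(value):
                    return False, f"signature:{name}"
        # 2. Positive security: anything the policy never learned is rejected.
        if ext not in self.file_types:
            return False, f"unknown file type:{ext or '(none)'}"
        if path not in self.urls:
            return False, f"unknown url:{path}"
        for name, _ in params:
            if name not in self.params[path]:
                return False, f"unknown parameter:{name}"
        for name, _ in cookies:
            if name not in self.cookies:
                return False, f"unknown cookie:{name}"
        return True, "allowed"


# Constructed learning traffic, taken from the URLs and cookies shown on slide 38.
LEARNING_TRAFFIC = [
    ("/index.html", ""),
    ("/images/banner.jpg", ""),
    ("/images/logo.gif", ""),
    ("/css/default.css", ""),
    ("/app/app.php?name=value", "JSESSIONID=1A5306372"),
    ("/app/app.php?a=1&b=2", "JSESSIONID=1A5306372"),
    ("/app/app.php?user=bloggsj", "price=399;total=1399"),
    ("/app/app.php?browser=safari", ""),
]


def build_waf() -> ToyWaf:
    waf = ToyWaf()
    for url, cookie in LEARNING_TRAFFIC:
        waf.learn(url, cookie)
    return waf


if __name__ == "__main__":
    waf = build_waf()
    for url in ["/app/app.php?user=bloggsj", "/app/app.php?user=bloggsj'%20OR%20'1'='1",
                "/app/app.php?debug=1", "/admin/config.php"]:
        print(url, "->", waf.check(url))
    print(scrub_response("| 1 | bloggsj | 4111 1111 1111 1111 |"))
```

Note the order of checks: the negative signatures run even on learned URLs, and the positive model catches what the signatures cannot describe (an undocumented `debug` parameter, an unlearned admin path). Running the positive model in blocking mode straight after a short learning window will block legitimate traffic that never appeared during learning, which is why real deployments stage policies for a while before enforcing them.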
42. Advanced WAF Application Layer Encryption: without it
Actors in the diagram: Victim, Web App (behind the ADC), Attacker, Dropzone.
1. The attacker infects the victim device with malware.
2. The user requests a logon page.
3. The user enters the credentials (bobsmith / T0ughPassw0rd, displayed masked).
4. The login form triggers the malware; the data in use can be stolen by the malware.
5. The login data is encrypted with TLS and sent to the server.
6. The malware also sends the content to the drop zone in free text: T0ughPassw0rd.
43. Advanced WAF Application Layer Encryption: with it
The device is already infected with malware.
1. The user requests a logon page.
2. The user enters the credentials.
3. The malware sends the content to the drop zone, but the password field was encrypted at the application layer before the malware could read it, so the hacker is unable to decrypt it and therefore unable to use the content.
4. FPS uses the private key to decrypt the password field on the way to the Web App (Password: T0ughPassw0rd).
44. Behavioral DoS Mitigation (BIG-IP Platform)
1. Good client generates baseline traffic (~10 mins).
2. Attacker starts a large flood attack. Server stress increases and the app is impaired.
3. BDoS engine learns the bad traffic and bad actors. Dynamic signatures created and enforced.
4. System escalates through bad actor mitigations until server stress is normal and the app is fully available.
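The four steps above as an added, simplified example (this is not F5's BDoS engine; the logic is written for this page). It learns a request-rate baseline from good traffic, treats server latency above a budget as "server stress", flags sources sending far above the per-source baseline as bad actors, and escalates one level per stressed second: a coarse rate limit, then blocking the identified bad actors, then a dynamic signature on the path the bad actors hammer, which keeps working when the attacker rotates to a new source. The IP addresses, paths, thresholds and latency values are constructed.

```python
"""Toy behavioral DoS engine: baseline, stress detection, bad-actor learning, escalation."""
import statistics
from collections import Counter


class BehavioralDos:
    LEVELS = ["none", "rate-limit", "block-bad-actors", "dynamic-signature"]

    def __init__(self, z=3.0, latency_budget_ms=500, actor_factor=10):
        self.z = z                                   # std devs above baseline rate = anomalous
        self.latency_budget_ms = latency_budget_ms   # latency above this = server stress
        self.actor_factor = actor_factor             # x per-source baseline = bad actor
        self.rps_mean = self.rps_sd = self.src_mean = None
        self.level = 0
        self.bad_actors = set()
        self.signatures = set()

    def learn_baseline(self, seconds):
        """seconds: one-second buckets [(src_ip, path), ...] of good-client traffic."""
        rates = [len(s) for s in seconds]
        self.rps_mean = statistics.mean(rates)
        self.rps_sd = max(statistics.pstdev(rates), 1.0)   # floor so a flat baseline still works
        self.src_mean = statistics.mean(
            len(s) / max(len({src for src, _ in s}), 1) for s in seconds)

    def tick(self, requests, latency_ms):
        """Process one second of traffic. Returns (mitigation level name, allowed requests)."""
        stressed = latency_ms > self.latency_budget_ms
        anomalous = len(requests) > self.rps_mean + self.z * self.rps_sd
        if stressed and anomalous:
            self.level = min(self.level + 1, len(self.LEVELS) - 1)   # escalate
            self._learn_bad_traffic(requests)
        elif not stressed:
            self.level = max(self.level - 1, 0)                      # relax as the app recovers
        return self.LEVELS[self.level], self._enforce(requests)

    def _learn_bad_traffic(self, requests):
        per_src = Counter(src for src, _ in requests)
        for src, n in per_src.items():
            if n > self.actor_factor * self.src_mean:
                self.bad_actors.add(src)
        if self.level >= 3:
            # Dynamic signature: the path the bad actors hit most in this bucket.
            paths = Counter(p for s, p in requests if s in self.bad_actors)
            if paths:
                self.signatures.add(paths.most_common(1)[0][0])

    def _enforce(self, requests):
        if self.level == 0:
            return list(requests)
        budget = int(self.rps_mean + self.z * self.rps_sd)
        allowed = []
        for src, path in requests:
            if path in self.signatures:                  # signature drops it whoever sends it
                continue
            if self.level >= 2 and src in self.bad_actors:
                continue
            if len(allowed) >= budget:                   # coarse rate limit, level 1 and above
                continue
            allowed.append((src, path))
        return allowed


# Constructed traffic: 20 good clients at one request per second each.
def good_second():
    return [(f"10.0.0.{i}", "/index.html" if i % 2 else "/app/app.php") for i in range(1, 21)]


def attack_second(attacker_ip):
    return good_second() + [(attacker_ip, "/app/search.php")] * 500


def run_demo():
    engine = BehavioralDos()
    engine.learn_baseline([good_second() for _ in range(600)])   # ~10 minutes of baseline
    log = [
        engine.tick(attack_second("203.0.113.7"), latency_ms=900),   # flood starts, app impaired
        engine.tick(attack_second("203.0.113.7"), latency_ms=900),
        engine.tick(attack_second("203.0.113.8"), latency_ms=900),   # attacker rotates source
        engine.tick(attack_second("203.0.113.9"), latency_ms=60),    # new source, signature catches it
    ]
    return engine, [(level, len(allowed)) for level, allowed in log]


if __name__ == "__main__":
    engine, summary = run_demo()
    for level, n_allowed in summary:
        print(f"{level:18s} allowed {n_allowed} requests")
    print("bad actors:", sorted(engine.bad_actors), "signatures:", sorted(engine.signatures))
```

The first level illustrates why a plain rate limit is a poor stopping point: it keeps the server alive but lets three attacker requests through and would have dropped good clients had they exceeded the budget. Blocking learned bad actors fixes that for the current sources, and the dynamic signature is what survives the attacker moving to a fresh IP.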
47. Elliptic Curves Over Finite Fields
• Instead of choosing the field of real numbers, we can create elliptic curves over other fields.
• Let a and b be elements of Zp for p prime, p > 3. An elliptic curve E over Zp is the set of points (x, y) with x and y in Zp that satisfy the equation together with a single element, called the point at infinity.
• As in the real case, to get a non-singular elliptic curve, we require 4a³ + 27b² ≢ 0 (mod p).
• Elliptic curves over Zp consist of a finite set of points.
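A worked example of the definition above, added here and not taken from the slides. It assumes the standard short Weierstrass equation y² = x³ + ax + b over Zp, checks the non-singularity condition 4a³ + 27b² ≢ 0 (mod p), enumerates the finite point set E(Zp) for a textbook-sized curve, implements the group law and scalar multiplication, and finishes with a toy Diffie-Hellman exchange on the curve. The curve y² = x³ + 2x + 2 over Z17 with generator (5, 1) is a standard small teaching example; the private scalars 7 and 4 are arbitrary.

```python
"""Elliptic curves over Z_p: y^2 = x^3 + a*x + b (mod p), short Weierstrass form assumed."""

INF = None  # the point at infinity, identity element of the group


def is_nonsingular(a: int, b: int, p: int) -> bool:
    """The slide's condition: 4a^3 + 27b^2 must not be 0 mod p."""
    return (4 * a**3 + 27 * b**2) % p != 0


def on_curve(P, a: int, b: int, p: int) -> bool:
    if P is INF:
        return True
    x, y = P
    return (y * y - (x**3 + a * x + b)) % p == 0


def curve_points(a: int, b: int, p: int):
    """Enumerate E(Z_p) by brute force (fine for small p); includes the point at infinity."""
    if p <= 3 or not is_nonsingular(a, b, p):
        raise ValueError("need prime p > 3 and a non-singular curve")
    points = [(x, y) for x in range(p) for y in range(p) if on_curve((x, y), a, b, p)]
    return points + [INF]


def ec_add(P, Q, a: int, p: int):
    """Chord-and-tangent group law; division becomes multiplication by a modular inverse."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                  # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p           # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(k: int, P, a: int, p: int):
    """k*P by double-and-add."""
    R, Q = INF, P
    while k > 0:
        if k & 1:
            R = ec_add(R, Q, a, p)
        Q = ec_add(Q, Q, a, p)
        k >>= 1
    return R


def point_order(P, a: int, p: int) -> int:
    """Smallest n > 0 with n*P = O."""
    n, Q = 1, P
    while Q is not INF:
        Q = ec_add(Q, P, a, p)
        n += 1
    return n


def ecdh_shared_secret(a, b, p, G, d_alice, d_bob):
    """Toy ECDH: both parties combine their private scalar with the other's public point."""
    A = scalar_mult(d_alice, G, a, p)      # Alice's public point
    B = scalar_mult(d_bob, G, a, p)        # Bob's public point
    s_alice = scalar_mult(d_alice, B, a, p)
    s_bob = scalar_mult(d_bob, A, a, p)
    assert s_alice == s_bob                # d_a*d_b*G either way
    return s_alice


if __name__ == "__main__":
    a, b, p, G = 2, 2, 17, (5, 1)          # textbook curve y^2 = x^3 + 2x + 2 over Z_17
    pts = curve_points(a, b, p)
    print(f"#E(Z_{p}) = {len(pts)} (including O); order of G = {point_order(G, a, p)}")
    print("ECDH shared point:", ecdh_shared_secret(a, b, p, G, 7, 4))
```

On this curve every finite point is a multiple of G because the group order (19) is prime; production curves are chosen so that the subgroup a generator spans has a large prime order for the same reason, otherwise scalar multiplication would leak structure an attacker could exploit.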
50. ENCRYPTION IS THE NORM
• 70% of all Internet traffic is encrypted
• 80% of page loads are now encrypted with SSL/TLS
Source: F5 Labs https://www.f5.com/content/dam/f5/corp/global/pdf/products/2019_TLS_Telemetry_Report.pdf
51. SSL/TLS Encryption Challenges
• Complexity burdens IT with inefficiencies.
• Performance can degrade when decrypting at scale.
• Visibility is reduced due to the growth of SSL usage.
52. SSL/TLS History
• 1994-1995: SSL 1.0 and SSL 2.0. Netscape project; SSL 1.0 was never released and SSL 2.0 contained significant flaws.
• 1996: SSL 3.0. Netscape addresses the SSL 2.0 flaws.
• 1999: TLS 1.0. Standardized SSL 3.0 with almost no changes (RFC 2246).
• 2006: TLS 1.1. Security fixes and TLS extensions (RFC 4346).
• 2008: TLS 1.2. Added support for authenticated encryption (AES-GCM and CCM modes) and removed hard-coded primitives (RFC 5246).
• 2018: TLS 1.3. Significant overhaul: requires forward-secret (ephemeral) key exchange, removes weak ciphers and legacy features, and allows 1-RTT and 0-RTT handshakes (RFC 8446, published August 2018).
What is it? It's not just paperless, and it isn't just about external consumers/customers and APIs. It's inside, with productivity and optimization of IT, which includes the network.
Adjusting the TV Antenna. Cable, Satellite, Netflix and Apple TV.
I no longer drive to the office to check my email. Remote access and VPN changed all of that.
I don’t pull over on the side of the road to make a call.
Apparently no one else does either.
And while I’d like to tell you that I no longer ask people for directions thanks to the miracle of my iPhone (or Google Maps)
This may be a bad example; my wife says that I NEVER asked for directions, but you get the idea.
You don't carry those CD packs with videos, music or information anymore…
And, when was the last time you searched for an ethernet port on the wall to connect your PC?
And when it comes to work … For the last 25 years, I have been selling products and solutions and services to CIOs.
“Do you have five minutes so that I can show you my data center?”
To watch them beaming with pride as they talked about how many servers and switches and routers they supported.
Gushed about the battery backup, the chaotic patch panels, the wire trays, the BTUs of cooling, the fire prevention system, the raised floor and the plenum cables.
…that is until about a year ago when this pride suddenly turned to sheepishness. Having an exotic data center was no longer a badge of honor, but more often a mark of slow-footedness.
Today, if someone wants to take me on a tour of their data center, it’s usually to show me the newly empty racks.
Somehow the pride that one got from building these monuments of technology has now been replaced with pride in their dismantlement.
Of course, the technology that is driving these changes is Cloud Computing.
But unlike other transformations, the landline telephone to the smartphone or the mainframe to the networked PC, which took 10, 20, 30 years, the cloud is coming at us much faster; really fast, and it feels more like a lightning strike than an evolution.
Our core belief is that applications are the gateway to your data.
Coupling app-centric threats with this multi-cloud attack surface, attackers intend to disrupt your business applications, ultimately so they can impact the confidentiality, integrity, and availability of your applications and, most importantly, your data.
The answer:
We’re still approaching security with a decades-old mindset
that focuses on location-based protection—building walls and barriers.
(Note: the red circle represents a traditional perimeter-based approach to security.)
This has led many companies to invest heavily in network-based and specialized security solutions, for example next-generation firewalls, data loss prevention (DLP), Advanced Persistent Threat (APT) solutions, intrusion detection and prevention systems (IDS/IPS), and anti-virus solutions.
It’s not that these solutions aren’t useful or necessary; they are—each one has its purpose. But, by themselves, they just aren’t adequate anymore.
Many are blind to today’s threats, and they’re unable to provide insight into what’s happening with your application. That’s because they were never designed to do that.
And consider this: How many employees are directly connected to your corporate network anymore?
Very few. Virtually every worker is mobile at some point during the workday, and your fully-remote users are never directly connected.
With the prevalence of cloud-based and SaaS apps, many workers can complete an entire day’s work without ever connecting to the corporate network.
These users, who are mostly outside of your network now, pose an even greater risk to your company because they’re sharing company data using devices, networks, and applications that are beyond your control.
What’s the result? (Where does that leave us today?)
We’re protecting the wrong things.
Today’s threat landscape has shifted:
The fact is, only 28% of today’s attacks target the network…
... yet 90% of today’s security budget still goes toward protecting the network.
Yet ECC is exactly what Firefox uses, and Chrome, and Gmail, and what the iPhone uses for messaging. It is also quickly becoming the medium of choice for the world's bad actors, black hats and hackers.
77% of traffic on the internet is encrypted according to Google.
Meaning the traditional perimeter is blind to three quarters of the emerging application threats.
Encryption is a growing problem for many companies because the specialized security solutions they have invested so heavily in are not able to decrypt traffic at all (or not without degrading performance by up to 85%).
Hackers know this and use it to their advantage to hide malware and other threats.
That means traditional security solutions are blind to the majority of today’s threats.
And, without the ability to alert you to such threats, they’re virtually ineffective.
This is one of the primary reasons data theft continues to be such a challenge.
So, if:
the attack targets have shifted and we’re protecting the wrong things
our budgets are misaligned, and
our data is increasingly at risk because we’re blind to new threats…
But data breaches are just a symptom of a larger problem.
The question is, why is security broken?
WAFs are commonly deployed to meet compliance mandates. This can create a false sense of security, as skilled hackers and nation states can bypass basic security measures.
Many WAFs can block known attacks, but not every WAF can learn normal application behavior in order to strictly allow legitimate traffic.
Only one WAF can protect against credential theft, brute force compromise using stolen credentials, and zero-day application layer DoS: F5 Advanced WAF.
The good news is that advanced WAF technology is more accessible and affordable than ever before.
F5 has teams of researchers and engineers dedicated to this task, and their industry-leading expertise is packaged and available today to defend apps of any size and variety.
Unique and flexible deployment options will make implementation for your app a snap.
A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. While web proxies generally protect clients, WAFs protect servers.
There's a reason why web application firewalls have been getting so much attention lately. It's the same reason we keep hearing about major security and data breaches left, right and center. Web application security is difficult, very difficult, not to mention time consuming and costly: developing and maintaining comprehensive web security controls can consume a large percentage of the limited budget you have for developing the actual application features that users need to get useful work done.
Difficulty Developing Defenses
It is in fact so difficult, that WhiteHat Security reported in its 2019 Application Security Statistics Report that the average web application has three vulnerabilities. So, it is probable we are not investing enough in penetration testing and remediation, we don’t understand the risks, or we aren’t deploying the right tools to mitigate these vulnerabilities.
https://www.whitehatsec.com/blog/application-security-statistics-report/
Tools to Save You Time and Money
These are persistent, long-standing problems that remain omnipresent due to the difficulty building and rebuilding their remediations into every new application that is shipped. Understanding and defending against them typically requires focused security expertise, a skillset that few developers can realistically cultivate while getting actual development done at the same time. Having the right tools and third party controls in place can go a long way to mitigating risk and speeding development of your service.
Open Web Application Security Project
Non-profit organization dedicated to providing unbiased, practical information about application security
OWASP Top 10
The OWASP Top 10 represents a broad consensus on the most critical web application security flaws
But not all WAF technology is created equal
Traditional solutions will get you basic OWASP Top 10 coverage
And do some level of SSL decryption which is requisite to being able to monitor flows
With advanced WAF technology you get all of that plus more advanced coverage for things like
Malicious bot detection and management
Credential attack detection and defense – credential stuffing is going to remain prevalent for as long as we accept passwords
APIs are increasingly important and widely available and need just as much scrutiny and protection as any other web service – more so in many cases given their criticality to data exchange
So with such a huge amount of malicious or unwanted traffic, much of it automated, how are most people dealing with this unnecessary load on their cloud servers? Yep…. They’re just scaling the cloud service. So they’re paying for more containers or more virtual machines simply to deal with the load.
But shouldn’t we only be offering the service to those that genuinely need to connect to it?
This means:
Security is not necessarily a cost sink in the cloud
There is significant opportunity to reduce cloud costs
There is significant opportunity to insert security services programmatically
You need these tools anyway as we’ve seen
Cloud netblocks are well known and thoroughly reconnoitered
Bots and scanners comprise a significant portion of your cloud traffic
WAF can inform business intelligence and make our data more valuable by making it more relevant, accurate, and actionable.
All of these requests and interactions are data points; if we are treating them all equally then we are working with a lot of bad data.
Filtering out the unwanted traffic allows us to enrich our available data by making it more relevant, leaving us with good / valid data points.
Privacy concerns are driving growth in encrypted traffic.
The increase use of encryption creates a blind spot for security.
Hackers are using SSL/TLS to obfuscate cyber-attacks.
By 2020, more than 60% of organizations will fail to decrypt HTTPS efficiently, missing most targeted web malware
2019 Gartner Magic Quadrant for Enterprise Network Firewalls
Devices are fast-pathing connections without decryption at high rates
Four reasons why SSL/TLS is blinding your security devices
The traditional enterprise security stack looks like this. Internal clients talk to a proxy, that passes traffic through an IPS or sandbox on the way to the firewall. It’s a daisy chain. In 2014 only 25% of the traffic leaving an environment was encrypted, so it was probably okay to inspect the other 75%. But now that these numbers are flipped, security devices are protecting against a lot less.
Now of course most security vendors have evolved since then to be able to handle SSL, but then they only decrypt for themselves, creating even more latency and complexity on the network.
The traditional daisy chain security stack doesn’t work anymore.