Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones avanzadas
•Transferir como PPTX, PDF•
0 gostou•222 visualizações
Hoy por hoy el tráfico que llega a las aplicaciones web de las compañías en su mayoría es tráfico SSL con lo cual tenemos diferentes opciones para abordar la problemática de visibilidad y control del tráfico cifrado; confiar en todo el tráfico SSL y dejarlo pasar sin inspeccionar o incrementar la capacidad de los dispositivos de seguridad. ¿Qué camino tomar? No menos importante, son todos aquellos ataques que llegan a las aplicaciones Core de la compañía de actores que buscan poner en riesgo la integridad, disponibilidad y seguridad de la misma como por ejemplo Bots y ataques de DDoS. ¿Se encuentra usted protegido contra amenazas avanzadas?
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones avanzadas
Semelhante a Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones avanzadas (20)
Mais de Cristian Garcia G.
Mais de Cristian Garcia G. (20)
Último
Último (20)
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones avanzadas
- 2. Eduardo Elinan Channel Sales Enginner MCA North Why Advanced Threats Require Advanced Application Defense #ProtectionPeru2019
- 9. Tranformación del Modelo de Negocios #ProtectionPeru2019
- 12. © 2019 F5 Networks 12 DLP Fire- walls Anti Virus APT IDS/ IPS #ProtectionPeru2019
- 13. © 2019 F5 Networks 13 DLP Fire- walls Anti Virus APT IDS/ IPS DLP Fire- walls Anti Virus APT IDS/ IPS #ProtectionPeru2019
- 14. © 2019 F5 Networks 14 DLP Fire- walls Anti Virus APTIDS/ IPS 28% #ProtectionPeru2019
- 15. 28% DLP Fire- walls Anti Virus SIEMIDS/ IPS © 2019 F5 Networks 15 DLP Fire- walls Anti Virus APTIDS/ IPS 28% 90%
- 16. 77%
- 17. © 2019 F5 Networks 17 DLP Fire- walls Anti Virus APT IDS/ IPS
- 19. COLLABORATION MODEL • Is enabling any business initiative
- 20. Shared Responsibility Model IaaS Cloud vendors leave layer 4-7 services to the cloud customer Runtime Middleware Operating System Physical Servers Storage Customer’s Responsibility Cloud Vendor Responsibility Data Virtualization Public Cloud Infrastructure (IaaS/PaaS/SaaS) Applications Microsoft Azure Amazon Web Services Google Cloud Platform Networking Functions
- 21. Shared Responsibility Model PaaS Cloud vendors leave layer 4-7 services to the cloud customer Runtime Middleware Operating System Physical Servers Storage Customer’s Responsibility Cloud Vendor Responsibility Data Virtualization Public Cloud Infrastructure (IaaS/PaaS/SaaS) Applications Microsoft Azure Amazon Web Services Google Cloud Platform Networking Functions
- 22. Shared Responsibility Model SaaS Cloud vendors leave layer 4-7 services to the cloud customer Runtime Middleware Operating System Physical Servers Storage Customer’s Responsibility Cloud Vendor Responsibility Data Virtualization Public Cloud Infrastructure (IaaS/PaaS/SaaS) Applications Microsoft Azure Amazon Web Services Google Cloud Platform Networking Functions
- 23. How Do You Protect Apps? Active attacks Vulnerabilities Risk and address compliance #ProtectionPeru2019
- 24. What is WAF?
- 25. Web App Firewalls WAF Protect against application attacks, mitigate application vulnerabilities, and prevent data leakage Inspects traffic to block known bad traffic and allow legitimate traffic
- 26. Web App Firewalls WAF Injection Attacks Cross Site Scripting Known App Vulnerabilities Payment Card Information Customer Information Critical Apps On-premises Cloud-based As-a-service
- 27. WAF Technology Here’s the good news. Can be an alternative to code review. Offers protection against app attacks. Fixes vulnerabilities promptly without maintenance windows. Doesn’t require access to source code or developers. Provides coverage for OWASP Top 10. #ProtectionPeru2019
- 28. Why WAF?
- 29. 3% 11% 33% 53% Other (VPN, PoS, infra.) Physical User / Identity Web App Attacks Web App Attacks Are the #1 Single Source Entry Point of Successful Data Breaches…
- 30. But we still have quite a lot of exposure—not counting DDoS, IP theft, fraud and more… 3% 11% 33% 53% Other (VPN, PoS, infra.) Physical User / Identity Web App Attacks
- 32. Who needs WAF?
- 33. …have a public facing web property? …have a high-sensitivity web property? …contend with bots and unwanted automation? …have compliance obligations? …have difficult to upgrade software stacks? …have legacy web applications? …need zero day breathing room? …want to reduce your development time-to-market? Do you…
- 34. If you answered YES to any of the above… WAF might be for you! #ProtectionPeru2019
- 35. Traditional WAF
- 36. What is the OWASP Top 10? A broad consensus on the most critical web application security flaws #ProtectionPeru2019
- 37. Application Security Not Addressed by Traditional Firewalls BIG-IP WAF delivers comprehensive protection against critical web attacks CSRF Cookie manipulation OWASP top 10 Brute force attacks Forceful browsing Buffer overflows Web scraping Parameter tamperingSQL injections information leakage Field manipulation Session high jacking Cross-site scripting Zero-day attacks Command injection Malformed headers Bots Business logic flaws
- 38. WAF Learning Mode Dynamic Web Application Firewall Request made WAF security policy learns from request Request load- balanced to server WAF security policy learns from response Application responds Devices Response delivered BIG-IP Platform 1.2.3.4 Data Center Hypervisor Virtual Physical Private/Public Cloud /images/banner.jpg /images/logo.gif /css/default.css /app/app.php /index.html File Types /images/banner.jpg /images/logo.gif /css/default.css /app/app.php /index.html URLs /app/app.php?name=value /app/app.php?a=1&b=2 /app/app.php?user=bloggsj /app/app.php?browser=safari Parameters Cookie: name=value Cookie: JSESSIONID=1A5306372... Cookie: price=399;total=1399 Cookies
- 39. WAF Blocking Mode Dynamic Web Application Firewall • Protection from DoS/DDoS attacks and web application security risks • Enforce positive and/or negative security policies, protocol compliance • DataGuard data-scrubbing/DLP/compliance • Vulnerability assessment service integration • IP Intelligence malicious client classification and blocking • Application logging and reporting Request made BIG-IP WAF security policy checked Request load- balanced to server DLP scrubbing & application cloaking Vulnerable application responds Devices Secure response delivered BIG-IP Platform 1.2.3.4 Data Center Hypervisor Virtual Physical Private/Public Cloud Malicious request detected.Request blocked MyBank Banking & Investments Query: SELECT UserID, CreditCard from database where UserID=‘bloggsj’ Results: +----+----------+---------------------+ | ID | UserID | CreditCard | +----+----------+---------------------+ | 1 | bloggsj | **** **** **** **** | | 2 | bloggsj | **** **** **** **** | +----+----------+---------------------+
- 40. Advanced WAF
- 41. TraditionalWAF Credential Protection App-Layer DoS Protection Proactive Bot Defense OWASP Top 10 SSL/TLS Inspection Scripting OWASP Top 10 SSL/TLS Inspection Scripting OWASP Top 10 SSL/TLS Inspection Scripting
- 42. Victim Web App Attacker Dropzone ADC The malware also sends the content to the drop zone in free text Advanced WAF Application Layer Encryption The user requests a logon page The user enters the credentials Attacker infects the victim device with malware Login form triggers malware bobsmith *************T0ughPassw0rd The data in-use can be stolen by malware The login data is encrypted with TLS and sent to the server T0ughPassw0rd
- 43. Victim The device is already infected with malware Application Layer Encryption Web App FPS uses the private key to decrypt the password field The hacker is unable to decrypt and therefore unable to use the content Attacker Dropzone 43 ADC The malware sends the content to the drop zone Advanced WAF Application Layer Encryption The user requests a logon page The user enters the credentials Password: T0ughPassw0rd
- 44. BIG-IP Platform BIG-IP Platform BIG-IP Platform BIG-IP Platform Good Client generates baseline traffic. ~10 mins.1 BDoS Engine Learns the bad traffic and bad actors. Dynamic signatures created and enforced. 3 Attacker starts a large flood attack. Server stress increases and app is impaired. 2 System escalates through bad actor mitigations until server stress is normal and app is fully available. 4 Behavioral DoS Mitigation
- 45. Network Floods Malformed Requests Scanners and Bots Known Bad Hosts Workflow Enforcement WAF F5 Advanced WAF Can Reduce Costs
- 47. Elliptic Curves Over Finite Fields • Instead of choosing the field of real numbers, we can create elliptic curves over other fields. • Let a and b be elements of Zp for p prime, p>3. An elliptic curve E over Zp is the set of points (x,y) with x and y in Zp that satisfy the equation together with a single element , called the point at infinity. • As in the real case, to get a non-singular elliptic curve, we’ll require 4a3 + 27 b2 (mod p) 0 (mod p). • Elliptic curves over Zp will consist of a finite set of points
- 50. ENCRYPTION IS THE NORM of all Internet traffic is encrypted of page loads are now encrypted with SSL/TLS70% 80% Source: F5 Labs https://www.f5.com/content/dam/f5/corp/global/pdf/products/2019_TLS_Telemetry_Report.pdf
- 51. SSL/TLS Encryption Challenges Complexity burdens IT with inefficiencies Performance can degrade when decrypting at scale. Visibility is reduced due to the growth of SSL usage. #ProtectionPeru2019
- 52. 1994 1995 1999 2006 2008 2018 SSL1 and SSL2 Netscape project that contained significant flaws SSL3 Netscape addresses SSL2 flaws TLS 1.0 Standardized SSL3 with almost no changes RFC2246 TLS 1.1 Security fixes and TLS extensions RFC4346 TLS 1.2 Added support for authenticated encryption (AES- GCM, CCM modes) and removed hard-coded primitives RFC5246 TLS 1.3 Signficiant overhaul, requiring PFS, removing weak ciphers. Allows 0-RTT and 1-RTT handshakes. RFC Draft History
- 53. 2009 2011 2013 2014 2015 2016 Insecure Renegotiation Beast Crime RC4 Time Lucky 13 Heartbleed Poodle Dire Freak LogJam Drown 2017 Robot 2018 ? Quantifiable security Snowden Page rank Incentives Emerging technologies Regulatory requirements Accessibility Qualified grading
- 54. 60% 75% 37 71 Continuing growth(Google report) 70%
- 55. Users / Devices User InternetFirewall � Multiple SSL/TLS intercept points � � � The daisy chain of security services decrypt encrypt inspect encryptdecrypt inspect encryptdecrypt inspect decrypt encrypt inspect IPSDLPWeb Gateway Anti-Malware #ProtectionPeru2019
- 56. Improved approach: SSL Orchestration Users / Devices User Internet / Enterprise apps Firewall Single box or 2-box air gap solution Firewall IPS (Pool) DLP (Pool) SIEMAnti- Malware (Pool) Decrypt and steer (based on policy, bypass options) Re-encrypt ICAP Inline insertion (L2 Mode) Passive NGFW (Pool) Inline insertion (L3 Mode)
Notas do Editor
- What is it. It’s not just paperless, and it isn’t just about external consumers/customers and APIs. It’s inside, with productivity and optimization of IT. Which includes the network.
- Adjusting the TV Antenna. Cable, Satellite, Netflix and Apple TV. I no longer drive to the office to check my email. Remote access and VPN changed all of that.
- I don’t pull over on the side of the road to make a call. Apparently no one else does either. And while I’d like to tell you that I no longer ask people for directions thanks to the miracle of my iPhone (or Google Maps) This may be a bad example, my wife says that NEVER asked for directions, but you get the idea
- You don’t carry those CD packs with either videos, music of information… And, when was the last time you searched for an ethernet port on the wall to connect your PC? And when it comes to work … For the last 25 years, I have been selling products and solutions and services to CIOs.
- “Do you have five minutes so that I can show you my data center?” To watch them beaming with pride as they talked about how many servers and switches and routers they supported. Gushed about battery backup the chaotic patch panels, the wire trays the BTUs of cooling the fire prevention system and the raised floor and the plenum cables. …that is until about a year ago when this pride suddenly turned to sheepishness. Having an exotic data center was no longer a badge of honor, but more often a mark of slow-footedness.
- Today, if someone wants to take me on a tour of their data center, it’s usually to show me the newly empty racks. Somehow the pride that one got from building these monuments of technology has somehow now been replaced with pride of their dismantlement.
- Of course, the technology that is driving these changes is Cloud Computing. But unlike other transformations the landline telephone to the smartphone or the mainframe to the networked PC these took 10-20-30 years The cloud is coming at us much faster; really fast and feels more like a lightning strike than an evolution.
- Our core belief is that applications are the gateway to your data. Coupling app-centric-threats with this multi-cloud attack surface, attacker intend to disrupt your businesses applications, ultimately so they can impact the confidentiality, integrity, and availability of your applications and, most importantly, your data.
- The answer: We’re still approaching security with a decades-old mindset that focuses on location-based protection—building walls and barriers. (Note: the red circle represents a traditional perimeter-based approach to security.) This has led many companies to invest heavily in network-based and specialized security solutions, for example, next generation firewalls, data loss prevention (DLP), Advanced Persistent Threat (APT) solutions, Intrusion detection and intrusion protection (IDS/IPS) systems; anti-virus solutions. It’s not that these solutions aren’t useful or necessary; they are—each one has its purpose. But, by themselves, they just aren’t adequate anymore. Many are blind to today’s threats, and they’re unable to provide insight into what’s happening with your application. That’s because they were never designed to do that.
- And consider this: How many employees are directly connected to your corporate network anymore? Very few. Virtually every worker is mobile at some point during the workday, and your fully-remote users are never directly connected. With the prevalence of cloud-based and SaaS apps, many workers can complete an entire day’s work without ever connecting to the corporate network. These users, who are mostly outside of your network now, pose an even greater risk to your company because they’re sharing company data using devices, networks, and applications that are beyond your control. ____________________________________________ What’s the result? (Where does that leave us today?)
- We’re protecting the wrong things. Today’s threat landscape has shifted: [click] The fact is, only 28% of today’s attacks target the network…
- ... yet 90% of today’s security budget still goes toward protecting the network.
- Yet ECC is exactly what Firefox uses and Chrome and gmail and what the iPhone uses for messaging. It is also quickly becoming the media of choice for the world’s bad actors, black hats and hackers. 77% of traffic on the internet is encrypted according to Google. Meaning the traditional perimeter is blind to 3/4s of the emerging application threats.
- Encryption is a growing problem for many companies because the specialized security solutions they have invested so heavily in are not able to decrypt traffic at all (or not without degrading performance by up to 85%). [click] Hackers know this and use it to their advantage to hide malware and other threats. [click] That means traditional security solutions are blind to the majority of today’s threats. [click] And, without the ability to alert you to such threats, they’re virtually ineffective. This is one of the primary reasons data theft continues to be such a challenge. ________________________________________________________ So, if: the attack targets have shifted and we’re protecting the wrong things our budgets are misaligned, and our data is increasingly at risk because we’re blind to new threats… [Click]
- But data breaches are just a symptom of a larger problem. The question is, why is security broken?
- Speaker Notes: (Transition slide to wrap-up)
- #DUARTE – This option works best. WAFs are commonly deployed to meet compliance mandates. This can create a false sense of security, as skilled hackers and nation states can bypass basic security measures. Many WAFs can block known attacks, but not every WAF can learn normal application behavior in order to strictly allow legitimate traffic. Only one WAF can protect against credential theft, brute force compromise using stolen credentials, and zero-day application layer DoS: F5 Advanced WAF.
- #DUARTE – This option works best. WAFs are commonly deployed to meet compliance mandates. This can create a false sense of security, as skilled hackers and nation states can bypass basic security measures. Many WAFs can block known attacks, but not every WAF can learn normal application behavior in order to strictly allow legitimate traffic. Only one WAF can protect against credential theft, brute force compromise using stolen credentials, and zero-day application layer DoS: F5 Advanced WAF.
- The good news is that is advanced WAF technology is more accessible and affordable than ever before. F5 has teams of researchers and engineers dedicated to this task, and their industry-leading expertise is packaged and available today to defend apps of any size and variety. Unique and flexible deployment options will make implementation for your app a snap.
- Speaker Notes: (Transition slide to wrap-up)
- A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. While web proxies generally protect clients, WAFs protect servers. There’s a reason why web application firewalls have been getting so much attention lately. It’s the same reason we keep hearing about major security and data breaches left right and center. Web application security is difficult – very difficult. Not to mention time consuming and costly – developing and maintaining comprehensive web security controls can consume a large percentage of the limited budget you have for developing the actual application features that users will need to get useful work done. Difficulty Developing Defenses It is in fact so difficult, that WhiteHat Security reported in its 2019 Application Security Statistics Report that the average web application has three vulnerabilities. So, it is probable we are not investing enough in penetration testing and remediation, we don’t understand the risks, or we aren’t deploying the right tools to mitigate these vulnerabilities. https://www.whitehatsec.com/blog/application-security-statistics-report/ Tools to Save You Time and Money These are persistent, long-standing problems that remain omnipresent due to the difficulty building and rebuilding their remediations into every new application that is shipped. Understanding and defending against them typically requires focused security expertise, a skillset that few developers can realistically cultivate while getting actual development done at the same time. Having the right tools and third party controls in place can go a long way to mitigating risk and speeding development of your service.
- Speaker Notes: (Transition slide to wrap-up)
- #DUARTE – This might need work. Or at least the “if you answered yes” conclusion should probably be split onto a new slide with a “surprise! WAF could be for you” lighthearted angle.
- Speaker Notes: (Transition slide to wrap-up)
- Open Web Application Security Project Non-profit organization dedicated to providing unbiased, practical information about application security OWASP Top 10 The OWASP Top 10 represents a broad consensus on the most critical web application security flaws
- Speaker Notes: (Transition slide to wrap-up)
- But not all WAF technology is created equal Traditional solutions will get you basic OWASP Top 10 coverage And do some level of SSL decryption which is requisite to being able to monitor flows Scripting? With advanced WAF technology you get all of that plus more advanced coverage for things like Malicious bot detection and management Credential attack detection and defense – credential stuffing is going to remain prevalent for as long as we accept passwords APIs are increasingly important and widely available and need just as much scrutiny and protection as any other web service – more so in many cases given their criticality to data exchange
- Duplicate of the AFM slide
- So with such a huge amount of malicious or unwanted traffic, much of it automated, how are most people dealing with this unnecessary load on their cloud servers? Yep…. They’re just scaling the cloud service. So they’re paying for more containers or more virtual machines simply to deal with the load. But shouldn’t we only be offering the service to those that genuinely need to connect to it? This means: Security is not necessarily a cost sink in the cloud There is significant opportunity to reduce cloud costs There is significant opportunity to inserts security services programmatically You need these tools anyway as we’ve seen Cloud netblocks are well known and thoroughly reconnoitered Bots and scanners comprise a significant portion of your cloud traffic Speaker Notes: WAF can inform business intelligence and make our data more valuable by making it more relevant, accurate, and actionable. All of these requests and interactions are data points; if we are treating them all equally then we are working with a lot of bad data. Filtering out the unwanted traffic allows us to enrich our available data by making it more relevant, leaving us with good / valid data points.
- https://www.gettyimages.com/license/822081298 Privacy concerns are driving growth in encrypted traffic. The increase use of encryption creates a blind spot for security. Hackers are using SSL/TLS to obfuscate cyber-attacks.
- By 2020, more than 60% of organizations will fail to decrypt HTTPS efficiently, missing most targeted web malware 2019 Gartner Magic Quadrant for Enterprise Network Firewalls Devices are fast-pathing connections without decryption at high rates Four reasons why SSL/TLS is blinding your security devices
- [CLICK 1] The traditional enterprise security stack looks like this. Internal clients talk to a proxy, that passes traffic through an IPS or sandbox on the way to the firewall. It’s a daisy chain. In 2014 only 25% of the traffic leaving an environment was encrypted, so it was probably okay to inspect the other 75%. But now that these numbers are flipped, security devices are protecting against a lot less. [CLICK 2] Now of course most security vendors have evolved since then to be able to handle SSL, but then they only decrypt for themselves, creating even more latency and complexity on the network. The traditional daisy chain security stack doesn’t work anymore.