Unified Application Security

Transcription

Unified Application Security
Frank Thias, Principal Solutions Engineer
31st May 2022

Agenda
- Drivers for WAF
- Real life customer use cases
- Deployment options in any environment
- Bots are still on the rise
- Conclusion
2022 F5

Drivers for WAF

The 21st Century Application Infrastructure
- Users are going to access the application from Mobile / VDI / XaaS / any OS
- Security: Network, Application, DDoS
- Every application is a Web Application
- HTTPS is the new TCP

Application Attacks are Real & Direct Threats to Business
“TECHNICAL THREATS”
- OWASP Top 10: Cross-Site Scripting, SQL Injection etc.
- OWASP Automated Threats
- Exploitation of known & unknown web application vulnerabilities
- Impact: sensitive data leakage, outages
“BUSINESS THREATS”
- Credential attacks, phishing, fraud
- Web scraping
- L7 DDoS
- Impact: loss of revenue, used against the competition

What is a WAF?
Diagram: the WAF applies rules at each of the HTTP, SSL and TCP layers, sitting above the network firewall. Attack examples shown in the diagram: XSS, data leakage, Slowloris attack, SSL renegotiation, SYN flood, ICMP flood.

Next Generation Firewall vs. WAFs

Real life customer use-cases

Real life customer use-cases
- OWASP Top 10 Protection
- Bot Prevention
- Layer 7 DDoS Mitigation
- API Security
Always in combination with:
- Traffic Management
- Scalable and flexible TLS/HSM
Optional with Authentication Proxy
Trend: WAF is also used internally by our customers

Deployment options in any environment

F5 WAF: multiple deployment variants and consumption models
Recognized as the most scalable WAF on the market (NSS Labs)

Product            Platform                  Deployment / consumption model
F5 Advanced WAF    Velos / Viprion platform  On-prem, self-managed
F5 Advanced WAF    BIG-IP platform           On-prem, self-managed
F5 Advanced WAF    BIG-IP Virtual Edition    On-prem / cloud
F5 Advanced WAF    F5 Silverline             Managed service
F5 WAF             F5 XC                     SaaS

Bots are still on the rise

Bots allow attackers to scale and exacerbate business and security risks by orders of magnitude
Business Risks
- Bad log and site metric data
- Intellectual property theft
- Web fraud
- Ad fraud
Security Risks
- Footprinting / reconnaissance
- Vulnerability scanning
- Vulnerability exploitation
- Credential stuffing
Availability Risks
- Denial of Service
- Denial of Inventory
- Infrastructure cost incursion
- Degradation of performance

OWASP Top 20 Automated Threats
- OAT-020 Account Aggregation
- OAT-019 Account Creation
- OAT-003 Ad Fraud
- OAT-009 CAPTCHA Defeat
- OAT-010 Card Cracking
- OAT-001 Carding
- OAT-012 Cashing Out
- OAT-007 Credential Cracking
- OAT-008 Credential Stuffing
- OAT-021 Denial of Inventory
- OAT-015 Denial of Service
- OAT-006 Expediting
- OAT-004 Fingerprinting
- OAT-018 Footprinting
- OAT-005 Scalping
- OAT-011 Scraping
- OAT-016 Skewing
- OAT-013 Sniping
- OAT-017 Spamming
- OAT-002 Token Cracking
- OAT-014 Vulnerability Scanning

Stopping Bots via Static Rules Is Not Enough

Mitigation options available today to protect your business (ordered by the attack cost they impose, low to high):
- Self managed, signatures: NGINX App Protect
- Self managed, signatures and JS: BIG-IP AWF Unified Bot Defense
- Security as a Service (SECaaS), signatures, JS, machine learning: Integrated Bot Defense
- Fully managed service, signatures, JS, machine learning, security analysts: Silverline Shape Defense / Shape Enterprise Defense

Attack sophistication and motivation (low to high):
- Network traffic: creates HTTP requests (Sentry MBA, Wget and cURL)
- Imitates browser: executes JavaScript like a real browser (PhantomJS, Headless Chrome)
- User imitation: fake mouse tracks, fake keystrokes (Selenium, Sikuli, humans)
- Advanced custom and retooled attacks: target specific, custom developed, purpose built to attack a specific target

Different integration modules planned: CDN (Cloudflare, Fastly, AWS CloudFront, Verizon Media Platform, Azure CDN, Google Cloud), Varnish, Envoy
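As an added illustration of the slide's point (example code, not from the F5 deck or any F5 product): the three detection layers the slide names, signatures, a JavaScript challenge and a behavioural score standing in for the ML tier, are run over constructed sessions, one per attacker tier. The User-Agent patterns, timing thresholds, weights and session records are all constructed for this example.

```python
import re
from statistics import pstdev
# Constructed example, not F5 code. Tier 1: static User-Agent signatures
# catch plain HTTP tools that announce themselves.
SIGNATURES = [re.compile(p, re.I) for p in (r"\bcurl/", r"\bwget/", r"sentry")]
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/101.0"

def signature_hit(session):
    return any(p.search(session["ua"]) for p in SIGNATURES)

def js_challenge_failed(session):
    # Tier 2: only a client that executed the page's JavaScript holds a token
    return session.get("js_token") is None

def behaviour_score(session):
    # Tier 3: machine-regular timing and no pointer input are unlike a human
    # session; weights and thresholds are constructed for this example
    t = session["times"]
    gaps = [b - a for a, b in zip(t, t[1:])]
    score = 0.6 if len(gaps) >= 3 and pstdev(gaps) < 0.05 else 0.0
    if session["mouse_events"] == 0:
        score += 0.4
    return score

def classify(session, threshold=0.7):
    # Return the first layer that stops the session, or 'allowed'
    if signature_hit(session):
        return "blocked:signature"
    if js_challenge_failed(session):
        return "blocked:js-challenge"
    if behaviour_score(session) >= threshold:
        return "blocked:behaviour"
    return "allowed"

# Constructed sessions, one per sophistication tier named on the slide
SESSIONS = {
    "curl script": dict(ua="curl/7.81.0", js_token=None,
                        times=[0.0, 0.2, 0.4, 0.6], mouse_events=0),
    "spoofed-UA tool": dict(ua=BROWSER_UA, js_token=None,
                            times=[0.0, 0.2, 0.4, 0.6], mouse_events=0),
    "headless browser": dict(ua=BROWSER_UA, js_token="ok",
                             times=[0.0, 0.5, 1.0, 1.5], mouse_events=0),
    "user imitation": dict(ua=BROWSER_UA, js_token="ok",
                           times=[0.0, 0.7, 1.9, 2.4], mouse_events=12),
    "human": dict(ua=BROWSER_UA, js_token="ok",
                  times=[0.0, 1.3, 4.1, 5.0], mouse_events=40),
}

def run():
    return {name: classify(s) for name, s in SESSIONS.items()}
```

Each layer stops exactly the tier the slide assigns to it, and the user-imitation session passes all three, which is the gap the slide places above signatures, JS and machine learning alone.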

F5 Integrated Bot Defense - IBD
1. Off-the-shelf, customer-configurable solution for bot mitigation
2. A cloud service capable of receiving and responding to API requests from integration modules (clients)
3. Customer-facing user interface: users view traffic and detection results in a cloud UI of the service
Integrated Bot Defense will be compatible with all versions of BIG-IP without requiring customers to perform a firmware update to consume the service.

IBD Dashboard (screenshot)

Shape Enterprise Defence (SED) is a Fully Managed Service
Run and Maintain
- Develop and update policies
- Analyze traffic and apply new detection logic
- Install software updates
Threat Analysis & Reporting
- Incident and attack reports
- Threat briefings
- Raw data delivery
Security Operations Center (24x7)
- Proactive alerting for anomalous traffic
- Continuous health monitoring
Threat Research
- Automation tool analysis
- Dark web reconnaissance (upon request)
- Attribution (upon request)

SED Dashboards (screenshot): Logins / Tag – 57 automated requests

Conclusion
- App security is mandatory because attackers primarily misuse Layer 7 functions
- Most attacks are initiated by automated tools / bots
- We see a very strong increase in Layer 7 DDoS attacks
- Machine learning capabilities help to build policies and to defend against more sophisticated attacks
- F5 technology can be used for any use case and in any environment
