The New Security Perimeter: Applications and Identities. Timo Lohenoja, CISSP Systems Engineer F5 Networks

Transcription

1 The New Security Perimeter: Applications and Identities Timo Lohenoja, CISSP Systems Engineer F5 Networks

2 Applications are Driving Innovation and Massive Growth in Data but also creating an exponential increase in the attack surface F5 Networks, Inc Sources: Forbes, Nielsen, IDC, EMC, Statista 2

3 Resulting in an Unprecedented Increase in Attacks Source of data breaches F5 Networks, Inc Sources: IT Business Edge, Krebs on Security, Security Week, CSO Online 3

4 Security Investments Completely Misaligned with Reality Fraudsters $$$ Security Spend NGFW IPS / IDS DLP App Servers Attackers DB Servers Internal Users F5 Networks, Inc 4

5 Security Investments Completely Misaligned with Reality Perimeter Security Identity & Application Security 25% of attacks are focused here 90% of security investment 75% of attacks are focused here 10% of security investment F5 Networks, Inc Source: Gartner 5

6 Important Trends in Threat Vectors 20% 85, M 36% OF IT PROS ARE CONFIDENT USERS AVOID PHISHING 2015 CyberThreat Defense MALICIOUS IP S LAUNCHED EVERYDAY Threat Brief Report, Webroot, May 2015 BOTS ACTIVELY ATTACKING Symantec Internet Security Report 2014 NO CYBER-ATTACK RESPONSE IN PLACE F5 Networks Survey Research 2016 EVERY 23 min 86% 56 56% A WEBSITE IS HIT BY A CRITICAL EXPLOIT F5 Research OF WEBSITES HAVE AT LEAST 1 SERIOUS VULNERABILITY WhiteHat Security Statistics Report 2015 AVERAGE NUMBER OF VULNERABILITIES PER WEBSITE WhiteHat Security Statistics Report 2015 OF SECURITY PROFESSIONALS EMPLOY WAF 2015 Cisco Annual Security Report F5 Networks, Inc 6

7 The Traditional Approach to Security is Inadequate Less control over user access and policies do not follow apps Overwhelming volume of application traffic Traditional security solutions are blind to SSL traffic Perimeter approach is no longer adequate F5 Networks, Inc 7

8 The New Perimeter is an App Perimeter Apps are the gateways to data TRADITIONAL NEW PERIMETER App APP SSL SSL SSL NETWORK PERIMETER SSL-visible, Location-independent, Sessionbased, Continuous trust verification, Strategic control points, Application availability PER-APP / PER-USER PERIMETER IT S TIME TO RETHINK SECURITY ARCHITECTURES F5 Networks, Inc 8

9 Identity is the Key to Adaptive Authentication and Access OS Authentication Device type and integrity Operating system Browser Location Access method!!! App location App importance and risk v3.1 App type/ version Network integrity Network quality and availability Connection integrity F5 Networks, Inc 9

10 Cloud Apps Create Complexity and Reduce Security Silos of identity Salesforce Office 365 Concur Google docs Identity may still be on-premises, but apps and data are moving to the cloud Users experiencing password fatigue Leads to password re-use 3 rd -party website hack may affect your site compromising your data Existing solutions require complex infrastructure Data Center Identity and Access Management Physical Virtual Internet Devices Applications Applications F5 Networks, Inc 10

11 Federating Identity for Cloud Applications Outsourced applications and infrastructure Salesforce Office 365 Concur Google docs Applications enforcing authority over user identity Need to provide access to customers and supply chain without manual user account management and password resets Data Center Identity and Access Management Internet Devices Physical Virtual Applications Applications F5 Networks, Inc 11

12 Optimising Security with Risk-based Policy Protection Allow North Korea User ID Low-Value App Deny Location Challenge End point OTP Device health Client Cert. Device type Malware Sensitive Data Human User ID Location End point Allow Device health Deny Device type Challenge OTP Client Cert. United Kingdom Malware Sensitive Data Human High-Value App F5 Networks, Inc 12

13 Identity Federation and SSO Solutions Users Adaptive Auth Federation (SAML) SSO Selection Endpoint Validation SAML Pass-through Simple Assertion Apps Token Kerberos Delegation Password Step-Up Auth Dynamic Forms Certificates Fraud Protection Certificates Private/Public Cloud Transform one type of authentication into another Support various standards-based protocols (SAML, Kerberos, NTLM) Enable flexible selection of SSO techniques appropriate to the application Allow centralised session control of all applications, including SaaS apps F5 Networks, Inc 13

14 Identity Federation and SSO with Adaptive Authentication On-Premises Infrastructure Corporate Users Corporation Public Cloud Private Cloud LOGIN Users SAML Identity management Multi-factor authentication Attackers SAML Real-time access control Access policy enforcement Directory Services Corporate Applications Office 365 Google Apps Salesforce Identity federation SaaS F5 Networks, Inc 14

15 Application Attacks are Inevitable 75% of Internet threats target web servers Prepare for application attacks every 23 minutes 86% of websites has at least 1 vulnerability and an average of 56 per website 95% of breaches through 2018 will be caused by misconfigured firewalls, not vulnerabilities 2.3M bots actively attacking F5 Networks, Inc Sources: Cisco, WhiteHat Security, Gartner, Symantec 15

16 Encryption Creates a Blind Spot in Your Network Most network architectures are not built for SSL encryption SSL on NGFW products impacts performance by 80% Malware using SSL to evade network monitoring Without security tools to inspect SSL traffic, attacker actions can go undetected Trends toward SSL Everywhere, including HTTP/2 and TLS 1.3 F5 Networks, Inc 16

17 The Right Tool for the Job Next Generation Firewall Web Application Firewall Corporate (users) Outbound user inspection 1K users to 10K web sites Broad but shallow UserID and AppID Who is doing what? BIFURCATION OF FIREWALLS Internet Data Center (servers) Inbound application protection 1M users to 100 apps Narrow but deep Application delivery focus Web specific protocols (HTTP, SSL, etc.) F5 Networks, Inc 17

18 Intrusion Prevention Systems and Standard Firewalls Traditional Firewall Intrusion Prevention Examines all traffic for Systems malicious app inputs Primarily uses anomalous and signature-based detection Some stateful protocol analysis capabilities Lacks understanding of??? L7 protocol logic Doesn t protect against Obfuscation Encryption Fragmentation Unknowns all exploitable app vulnerabilities Layer 7 security is not addressed by traditional IPS and firewall products F5 Networks, Inc 18

19 Web Application Firewall Capabilities Protect against layer 7 attacks with granularity Combines negative and positive security models Full-proxy protection against and OWASP top 10 Protects against layer 7 DDoS attacks WAF DAST/VA integration with extensive automated and virtual patches Deep understanding of the application, not just generic attacks Virtual Edition Appliance Cloud Understands the business logic behind your web app F5 Networks, Inc 19

20 Traditional Security Devices vs WAF WAF IPS NGFW Multiprotocol Security * IP Reputation * Web Attack Signatures * Web Vulnerabilities Signatures * Automatic Policy Learning * URL, Parameter, Cookie, and Form Protection * Leverage Vulnerability Scan Results * Browser Fingerprinting Protection against Layer 7 DDoS Attacks Pro-active Modification of Application Requests/Responses Advanced Protection for Web Services (SOAP, XML, AJAX) = Good to very good = Average or fair = Below average F5 Networks, Inc * Source: Gartner "Web Application Firewalls Are Worth the Investment for Enterprises" 20

21 Advanced vs Traditional Web Application Firewall TRADITIONAL WAF Signatures (OWASP Top 10) DAST integration Site learning File/URL/Parameter/Header/Cookie enforcement Protocol enforcement Login enforcement / Session tracking Data leak prevention Flow enforcement IP blacklisting ADVANCED WAF Bot detection Client fingerprinting Web scraping prevention Brute force mitigation L7 DDoS protection Heavy URL mitigation CAPTCHA challenges HTTP header sanitisation/insertion Anti-CSRF token insertion Perfect Forward Secrecy (PFS) ciphers F5 Networks, Inc 21

22 Demystifying the Industry Buzzword: RASP Runtime Application Self-Protection An agent in the runtime container for each application or server F5 Networks, Inc 22

23 Application Security Options RASP Runtime Application Self- Protection Instance of protection for one app (SQL Injection, XSS) Post WAF, IPS protection Inside the application or on server App language dependent (Java,.NET) and 1-10% range performance reduction WAF Web Application Firewall Enterprise-grade protection/performance for all apps PCI and regulatory compliance requirements DAST integrations for scanning and WAFs for patching all apps Most effective against L7 DoS, Brute Force, Web Injection, Scraping, XSS, CSRF F5 Networks, Inc 23

24 Hybrid Protection from Advanced Application Attacks ON-PREMISES WAF CLOUD-BASED WAF Policy Import/Export Protect core applications in data center Virtual patching Layer 7 DDoS Protect applications in the cloud, co-lo, data center Provide flexible application fluency App/Dev policy development 24/7 attack support from security experts F5 Networks, Inc 24

25 More Capability Considerations Considerations Have resources to manage WAF? Need to maintain app blocking control? Willing to use professional services? PCI compliance challenges VA/DAST part of app development/protection Must protect cloud-based apps Must protect tier 2 apps Prefer outsourcing app security Require 3 rd party policy creation with 24x7x365 support On-prem WAF Cloud WAF Hybrid WAF deployment Combined Hybrid WAF = No application left unprotected F5 Networks, Inc 25

26 Application Protection: Cloud-based and On-premises Threat Intelligence Feed Next-Generation Firewall Corporate Users Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Cloud Network Application Multiple ISP strategy Network attacks: ICMP flood, UDP flood, SYN flood SSL attacks: SSL renegotiation, SSL flood Financial Services Legitimate Users Attackers DDoS WAF Volumetric DDoS protection, Managed Application firewall service, zero-day threat mitigation with irules ISPa/b Customer Router DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Data Center Firewall HTTP attacks: Slowloris, slow POST, recursive POST/GET WAF E-Commerce Subscriber Hybrid integration with ADC to synchronise threat information and request service Signaling IPS Strategic Point of Control F5 Networks, Inc 26

27 Best Practices in Protecting Your Applications F5 Networks, Inc 27 27

28 Comprehensive Security Solutions for the New Perimeter Access Federation App Access Management Network Firewall Traffic Management DDoS Protection Web Fraud Protection APPLICATION ACCESS APPLICATION PROTECTION Remote Access Enterprise Mobility Gateway Secure Web Gateway DNS Security SSL Inspection Web App Firewall Confidentiality Availability Integrity Risk-Based Policies Hybrid Delivery Intelligence and Visibility F5 Networks, Inc 28

29 Timo Lohenoja, CISSP Systems Engineer F5 Networks