THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

Transcription

1 THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

2 INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two years through insecure Web apps. Ponemon Institute 2

3 THE COST OF AN ATTACK PONEMON INSTITUTE AVERAGE BREACH COSTS $214 PER RECORD STOLEN Sony Stolen Records 100M Theft Sony Lawsuits $1-2B Sony Direct Costs $171M Reputation Revenue 23 day network closure Lost customers Security improvements 3

4 HACKER THREATS Scripts, Tools, Exploits Generic scripts and tools against one site. IP Scan Script run against multiple sites seeking a specific vulnerability. Targeted Scan Targets a specific site for any vulnerability. Botnet Script loaded onto a bot network to carry out attack. Human Hacker Sophisticated, targeted attack (APT). Low and slow to avoid detection. Jan June Dec 4

5 WEB APP SECURITY TECHNOLOGY Web Application Firewall Web Intrusion Prevention System Detection Signatures Tar Traps Tracking IP address Browser, software and scripts Profiling IP address Browser, software and scripts Responses Block IP Block, warn and deceive attacker PCI Section 6.6 5

6 THE JUNOS WEBAPP SECURE ADVANTAGE DECEPTION-BASED SECURITY Detect Track Profile Respond Tar Traps detect threats without false positives. Track IPs, browsers, software and scripts. Understand attacker s capabilities and intents. Adaptive responses, including block, warn and deceive. 6

7 THE ANATOMY OF A WEB ATTACK Phase 1 Reconnaissance Phase 2 Attack Vector Establishment Phase 3 Implementation Phase 4 Automation Days or weeks Weeks or months Weeks or months Months or years Years Phase 5 Maintenance Web App Firewall 7

8 DETECTION BY DECEPTION Tar Traps Query String Parameters Network Perimeter Hidden Input Fields Client Firewall App Server Database Server Configuration 8

9 TRACK ATTACKERS BEYOND THE IP Track IP Address Track Browser Attacks Persistent Token Capacity to persist in all browsers including various privacy control features. Track Software and Script Attacks Fingerprinting HTTP communications. 9

10 RESPOND AND DECEIVE Junos WebApp Secure Responses Human Hacker Botnet Targeted Scan IP Scan Scripts &Tools Exploits Warn attacker Block user Force CAPTCHA Slow connection Simulate broken application Force log-out All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat. 10

11 SMART PROFILE OF ATTACKER Every attacker assigned a name Attacker threat level Incident history 11

12 SECURITY ADMINISTRATION Web-based console Real-time On-demand threat information SMTP alerting Reporting (Pdf, HTML) CLI for exporting data into SIEM tool 12

13 UNIFIED PROTECTION ACROSS PLATFORMS Internal App Server Database Virtualized Cloud 13

14 NEXT GENERATION SECURITY SOLUTIONS THAT SPAN PHYSICAL AND VIRTUAL NETWORKS Management and Security Services Security Design Virtual Control STRM Security Threat Response Manager Physical Services Virtual Firewall VM VM VM VM VM DoS IPS DoS & DDoS Protection vgw Hypervisor FireFly Mykonos AppSecure vgw, vsrx, Mykonos 14

15 WHAT S NEW IN BAGLEY (NOV 2012) New Security Features Improved Geo-IP targeting Updated database improves accuracy of IP to location mapping. Improved Reporting Country comparison over time Top IP addresses Incidents list Top incident types Created empty header incident. Operational Improvements High Availability Full active-passive option for the hardware appliance. Off-line updates Independently downloads updates, and securely updates Junos WebApp Secure Web Security in a fully closed environment. Automatic log uploads to support. Configure NTP (timing) server. 3 rd party logs included in log-rotate configuration. User guide available in multiple formats. Performance improvements in queue and memcache processing. Configuration watchdog process added. Improved security monitor for access speed. Bug fixes. 15 Deployment Options New hardware appliance version released. New Pricing Hardware pricing. Incremental throughput pricing available. Incremental throughput pricing for VM and Cloud available. Service provider sell-through pricing available.

16 TECHNICAL SPECIFICATIONS Abuse Detection Processors A library of HTTP processors that implement specific abuse detection points in application code. Detection points identify abusive users who are trying to establish attack vectors such as cross-site request forgery. Some examples of processors include: Authentication Abuse Detection Detects abuses against application authentication, Cookie Abuse Detection Detects attempts to manipulate the application by changing cookie values Error Code Detection Detects suspicious application errors that indicate abuse, including illegal and unexpected response codes. Suspicious File Request Detection Detects when an attacker is attempting to request files with known suspicious extensions, prefixes, and tokens. Header Enforcement Enables the policing of HTTP headers from the application to ensure critical infrastructure information is not exposed. Response and request headers can be stripped, mixed, or filtered. Input Parameter Manipulation Detection Detects attempts to abuse form inputs and establish vectors for injection and cross-site scripting attacks. Link Traversal Detection Detects attempts to spider the application for links to hidden and confidential resources. Directory Traversal Protection Prevents attackers finding hidden directories. Illegal Request Method Detection Detects attempts to abuse non-standard HTTP methods such as TRACE. Query Parameter Manipulation Detection Detects attempts to manipulate application behavior through query parameter abuse. Malicious Spider Detection Detects attempts to spider and index protected directories and resources. Cross Site Request Forgery Detects and prevents cross site request forgery attacks. Custom Authentication Allows companies to protect a page or portion of a site if a vulnerability is found. 3 rd Party Vulnerability protection Detects known attacks IP List Export For Layer 3 firewall integration Abuse Recording Full HTTP Capture Captures and displays all HTTP traffic for security incidents. Abusive Behavior Analysis Abuse Profiles Maintains a profile of known application abusers and all of their malicious activity against the application. Tracking and Re-identification Enables application administrators to re-identify abusive users and apply persistent responses, over time and across sessions. Abuse Response Abuse Responses Enables administrators to respond to application abuse with session-specific warnings, blocks, and additional checks. One-click automation of responses during configuration. The responses include: Warn user: send a custom message Block connection and return arbitrary HTTP error CAPTCHA Connection throttling Logout and forced re-authentication Simulated broken application (Strip inputs) Policy Expressions Simple expression syntax for writing automated, applicationwide responses. Deployment Reverse Proxy with Load Balancing Available as hardware Available as a VMWare or AMI image. Support for alternate ports (other than 80 & 443) Updates Automatically downloaded and available within the management console. Platform Security Hardened kernel, locked-down ports, encrypted back-ups. Management Simplified configuration with set-up wizards Web-based Configuration Browser-based interface for all deployment options. Monitoring Console Web-based monitoring and analysis interface. Drill into application sessions, security incidents, and abuse profiles Manage and monitor manual and automated responses Deep search and filtering capabilities. Real time & Historical System Monitoring Multiple administrators Multiple applications/domains Remote syslog SSL Inspection Passive decryption or termination Alerts, Reporting, Logging Alerts Sends alert s when specific incidents or incident patterns occur Command line interface for custom reporting Reporting Management System with user interface SNMP system logging Auditing Tracks changes to the system made by the administrators in the configuration interface, security monitor, TUI and report generation. Security incidents via syslog Reports country comparisons, Top IP addresses and incidents Performance High availability for Hardware version Higher throughput using clustering Low latency Link aggregation 16

17