Imperva SecureSphere Web Application Firewall · © 2013 Imperva, Inc. All rights reserved. Phase...

© 2013 Imperva, Inc. All rights reserved. Imperva SecureSphere Web Application Firewall Alessadro Colombelli System Engineering Exclusive-Networks © Copyright 2012 Imperva, Inc. All rights reserved. Imperva, the Imperva logo and SecureSphere are trademarks of Imperva, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders. 1 Confidential

Transcript of Imperva SecureSphere Web Application Firewall

Page 1: Imperva SecureSphere Web Application Firewall

Alessadro Colombelli, System Engineering, Exclusive-Networks

Page 2: Imperva’s Mission is to Provide a Complete Solution

Next Generation Threats - New Approach

Internal: Employees, Malicious Insiders, Compromised Insiders

External: Customers, Staff, Partners, Hackers

Data Center Systems and Admins

Usage Audit

User Rights Management

Access Control

Tech. Attack Protection

Logic Attack Protection

Fraud Prevention

Page 3: Web Application Security Use Cases

• Application Virtual Patching
• DDoS Protection
• Site Scraping Prevention
• Fraud Prevention
• Legacy Application Security
• Hosted Application Protection
• Web Application Protection

IT Operations; Security and Compliance; Line of Business

Page 4: Web Application Protection Use Case

Anonymous Attack on Customer Site

PHASE I: Scanners such as Nikto

PHASE II: Havij SQL injection tool

PHASE III: LOIC application

Business Logic Attack

Technical Attack

Technical Attack

SecureSphere stopped all phases of attack

Page 5: The Defenses Required to Protect Web Apps

Dynamic Profiling

Attack Signatures

HTTP Protocol Validation

Cookie Protection

Web Fraud Detection

Fraud Prevention

Technical Attack Protection

IP Geolocation

IP Reputation

Anti-Scraping Policies

Bot Mitigation Policies

Business Logic Attack Protection

Correlated Attack Validation

Page 6: Phase I: Attack Signatures Detect Recon and Attacks

The Imperva ADC investigates new threats reported around the world

SecureSphere appliances updated with latest defenses

Signatures detect scanner agent & attacks

[Diagram: Imperva Application Defense Center; Internal Users; SecureSphere; Web Servers; INTERNET]

Page 7: Phase II: SecureSphere Stops SQL Injection, XSS

/login.php?ID=5 or 1=1

Signature, Protocol Violations

Blocks definitive matches, sends suspicious requests to SQL Injection Engine

SQL Injection Engine with Profile Analysis

Advanced analysis drastically reduces false positives and negatives

SQL Injection Engine blocks custom attacks

[Diagram: Hacker; SQL Injection; SecureSphere WAF; Web Server]

Page 8: Phase III: How SecureSphere Stops Application DDoS

Low-Orbit Ion Cannon (LOIC) DDoS Tool

• Creates 200 requests per second per browser window

Custom DDoS policy detects excessive requests in a period, malformed URL, unknown HTTP method

Page 9: Web Application Protection Use Case

The Impact of Not Having a Web Application Firewall

In 2011, an enterprise:

• Suffered SQL injection by LulzSec
• Had traditional network security, but NO WAF

Example of SQL injection

Impact:

• 101M records breached
• Fines, lawsuits
• Cost: $200M - $1 Billion

Page 10: IPS & NG Firewall Web Security Features

Dynamic Profiling

Attack Signatures

HTTP Protocol Validation

Cookie Protection

Web Fraud Detection

Fraud Prevention

Technical Attack Protection

Correlated Attack Validation

IP Geolocation

IP Reputation

Anti-Scraping Policies

Bot Mitigation Policies

Business Logic Attack Protection

High rate of false positives and negatives because of lack of app awareness

Easy for hackers to evade via encoding, custom app vulnerabilities

Page 11: SecureSphere Learns Protected Application

By analyzing traffic, SecureSphere automatically learns…

• Directories
• URLs
• Parameters
• Expected user input

So it can alert on or block abnormal requests

Page 12: Dynamic Profiling Over Time

Understands the application and usage

Adapts to ongoing application changes

Cuts deployment time from months to days

Eliminates ongoing administration burden

• 5-15 changes per week equals 5-30 man hours of configuration

[Chart: Profile Changes by Date]

Page 13: How ThreatRadar Reputation Works

1. Collects attack data from WAF community & 3rd party providers

2. Distributes feeds to SecureSphere WAF

3. Blocks malicious sources and emerging threats

[Diagram: ThreatRadar Servers; Community Defense; Phishing Sites; Malicious IPs, TOR IPs, & Anonymous Proxy; Web Servers]

Page 14: Restrict Access By Country

IP geolocation enables monitoring and blocking by country

• Can be combined with bot rules for granular control
• Reduces unwanted traffic to Website

Geolocation helps with export compliance (EAR, OFAC)

• Banks may be fined for wire transfers to sanctioned countries

[Screenshots: Geolocation rules; Geolocation data in security alerts]

Page 15: Site Scraping Use Case

Financial company’s challenges:

• Site scrapers copy and republish the stock picks
• Spammers inject ads into forums
• Existing IPS “just created noise”

SecureSphere WAF:

• Blocks scraping and comment spam
• Accurately stops Web attacks

[Diagram: SecureSphere WAF; Comment spam in forums; Site scrapers stealing data]

Page 16: Defenses to Stop Site Scraping

Bot mitigation technology detects scraping bots

Anti-scraping policy detects excessive unique page requests

Custom rules combine multiple defenses

[Diagram: Human; Bot; SecureSphere WAF]

Page 17: Virtual Patching Use Case

Challenges for payment processor:

• Costly, time-consuming vulnerability fix cycles
• Target of Web attacks

SecureSphere:

• Reduces window of exposure, cost of manual app fixes
• Offers visibility for developers

[Diagram: Company scans site with app scanner; Vulnerabilities imported into WAF]

Page 18: Virtual Patching Through Scanner Integration

SecureSphere can import scan results and instantly create mitigation policies

Eliminated payment processors’ emergency fix and test cycles

[Diagram: Customer Site; Scanner finds vulnerabilities; SecureSphere imports scan results; Web applications are protected]

Page 19: Quickly & Cost Effectively Secure Applications

116 Days: average time to fix all vulnerabilities [1]

SecureSphere’s default security policies and virtual patching reduce the window from 116 days to 0-5 days

SecureSphere can mitigate vulnerabilities not found by scanners

Vulnerability found → Code fix developed and tested → System protected

Vulnerability found → Virtual Patch → System protected

[1] WhiteHat Website Security Statistics Report, Winter 2011

Page 20: Improve Application Development Processes

Software Development Lifecycle

DESIGN & CODE

TEST

DEPLOY

• Architect and implement code
• Test for vulnerabilities
• Fix errors and vulnerabilities
• Virtually patch vulnerabilities
• Block attacks
• Monitor and report exploits
• Detect leaks, errors

Imperva SecureSphere

Manual processes or third party tools

Page 21: Fraud Prevention Use Case

A bank needed to:

• Stop Man-in-the-Browser attacks & high risk transactions
• Address FFIEC compliance

SecureSphere ThreatRadar Fraud Prevention:

• Detected malware and suspicious devices
• Required no changes to apps for initial rollout or policy changes

[Diagram: SecureSphere; Tracks Fraud Details; Client Devices]

Page 22: ThreatRadar Fraud Prevention

SecureSphere integrates with Trusteer, ThreatMetrix, and iovation to detect fraud malware and fraudulent devices

1. User accesses Website

2. SecureSphere redirects browser to ThreatRadar Cloud

3. Browser downloads code, checks device

4. Result sent to WAF

Pass / Block

[Diagram: ThreatRadar Fraud Prevention Cloud]

Page 23: DDoS Protection Use Case

RV manufacturer:

• Received DDoS that took down Website for 3 days

Imperva Incapsula:

• Stopped SYN Flood in less than 2 hours from phone call
• Stopped follow-on attack

[Diagram: DDoS attack traffic is blocked; Websites; 2 Gbps; 20 Mbps]

Page 24: Imperva Incapsula DDoS Protection

Stops all DDoS threats

• Application & network attacks
• Proprietary technology differentiates humans from bots

Analyzes HTTP redirect, cookie, and JavaScript execution capabilities

Scales beyond your Internet connection limit

• Stops multi-gigabit DDoS attacks

[Diagram: Incapsula Dashboard; Attacker; Malicious Bot; Search Engine]

Page 25: Hosted Application Protection Use Case

Retailer:

• Had upcoming PCI audit
• Needed to protect Website and meet PCI 6.6
• Hosted apps in the cloud

Imperva Incapsula:

• Helped retailer meet PCI
• Fast, easy deployment

[Diagram: Company’s Website; Bots; Hackers; Legitimate Users; Scrapers; Comment Spammers; Imperva Incapsula Dashboard]

Page 26: Deployment and Management

Page 27: Inline, Non-inline, and Virtual Options

[Diagram: Users; Web Application Firewall; Web Servers; Management Server (MX)]

Page 28: Broadest Deployment Options in Industry

Transparent inline bridge

• Supports full enforcement
• High performance, low latency
• Fail-open interfaces

Transparent and reverse proxy

• High performance for content modification
• URL rewriting, cookie signing, SSL termination

Non-inline deployment

• Primarily for monitoring, zero network latency

[Diagram: Non-Inline Deployment; Reverse Proxy Deployment; Inline Bridge Deployment; Switch; SecureSphere; Data Center; INTERNET]

Page 29: Scalable Centralized Management

MX Management Server

• Centralized management for Web, database and file products
• Integrated alerting and reporting

Granular role-based access

• LDAP, Certificate Auth

SecureSphere Operations Manager

• Manager of Managers
• System-wide health monitoring

[Diagram: SecureSphere Operations Manager; MX Server; MX Server]

Page 30: Real-time Dashboard

The configurable live dashboard shows…

• System utilization
• The latest security alerts
• And system events

Page 31: Graphical Security Reports

Pre-defined reports

Custom reports

Reports created on demand or emailed daily, weekly, or monthly

PDF and CSV (Excel) format

Integration with 3rd party reporting and SIEM tools

Page 32: Imperva Web Application Security Products

SecureSphere Web Application Firewall: Accurate, automated protection against online threats

ThreatRadar

Reputation Services: Near real-time user reputation data stops bots and automated attacks

Fraud Prevention: Block Man-in-the-Browser attacks and fraudulent devices

Incapsula

• Simple, affordable cloud-based Web application firewall service
• Ironclad DDoS protection
• Website performance acceleration

Page 33: Imperva SecureSphere Advantages

Accuracy: With multiple layers of defense and correlation

Application Security Knowledge: With security research from the Imperva ADC

Centralized Management: Unified configuration, monitoring, and reporting

Transparent Deployment: Drop-in deployment with bridge, proxy & non-inline

End-to-End Protection: For Web applications, databases and files

Page 34: Complete Protection Against Web Threats

[Diagram: Known Attackers; Bots; Web Attacks; Undesirable Countries; Web Fraud; App DDoS; Scrapers; Phishing Sites; Comment Spammers; Vulnerabilities; Web Apps; SecureSphere]

Page 35: Q & A

Page 36: Thank You