Web Security Automation: Spend Less Time Securing your Applications

As attackers become more sophisticated, web application developers need to update their security configurations constantly. Static firewall rules are no longer good enough. Developers need a way to deploy automated security that learns from application behavior and identifies bad traffic patterns, so that bad bots and bad actors on the Internet can be detected. This session showcases real-world customer use cases that combine AWS WAF (a web application firewall) with automated incident response and machine learning to identify bad actors automatically. We also present tutorials and code samples that show how customers can analyze traffic patterns and deploy new AWS WAF rules on the fly.

  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Dean Samuels, Manager, Solutions Architecture, Hong Kong & Taiwan. 19th January 2016. Security Automation Using AWS WAF: Spend Less Time Securing Your Applications
  2. What to expect from this session Introduction to AWS WAF AWS WAF 101
  3. What to expect from this session Introduction to AWS WAF AWS WAF security automation strategies AWS WAF 101
  4. What to expect from this session Introduction to AWS WAF AWS WAF security automation strategies AWS WAF 101 5 automation strategies 1. Provisioning WAF 2. Deploying WAF 3. Importing rules 4. Automated incident response 5. Learning-based protections
  5. What to expect from this session AWS WAF security automation strategies AWS WAF 101 Demo and getting started Introduction to AWS WAF
  6. What is AWS WAF AWS WAF 101
  7. What is AWS WAF
  8. Why AWS WAF? Application vulnerabilities Good users Bad guys Web server Database Exploit code AWS WAF
  9. Why AWS WAF? Content abuse: Bots and scrapers Good users Bad guys Web server Database AWS WAF
  10. Why AWS WAF? Application DDOS Good users Bad guys Web server Database AWS WAF
  11. AWS WAF: Rules in action Monitor security events
  12. AWS WAF: Integrated with AWS Amazon CloudFront Global content delivery network to accelerate websites, API, video content, and other web assets
  13. AWS WAF: Integrated with AWS Amazon CloudFront Application Load Balancer Load balancer with advanced request routing, and support for microservices and container-based applications Global content delivery network to accelerate websites, API, video content, and other web assets Announcing today..
  14. What to expect from this session Introduction to AWS WAF AWS WAF security automation strategies AWS WAF 101 Demo and getting started
  15. Why security automation Spend less time securing your applications Instead, focus on building applications
  16. We built a WAF that has… Customizable and flexible rules APIs: Integration with DevOps …allowing several WAF automation strategies Quick rule update
  17. AWS WAF security automation strategies Provisioning WAF Configuring rules Importing rules Automated incident response Learning-based protections … to spend less time securing applications
  18. AWS WAF security automation strategies Provisioning WAF Configuring rules Importing rules Automated incident response Learning-based protections
  19. Provisioning AWS WAF Step 1 – Create web ACL
  20. Provisioning AWS WAF Rule 1: Whitelist [ALLOW] Rule 2: Blacklist [BLOCK] Rule 3: Common protection [BLOCK] Step 1 – Create web ACL Step 2 – Add rule
  21. Provisioning AWS WAF IP whitelist SQL injection URL match Rule 1: Whitelist [ALLOW] IP blacklist Rule 2: Blacklist [BLOCK] Rule 3: Common protection [BLOCK] Step 1 – Create web ACL Step 2 – Add rule Step 3: Add condition
  22. Provisioning AWS WAF IP Whitelist SQL injection URL match Rule 1: Whitelist [ALLOW] IP Blacklist Rule 2: Blacklist [BLOCK] Rule 3: Common protection [BLOCK] Step 1 – Create web ACL Step 2 – Add rule Step 3: Add condition Step 4: Associate Amazon CloudFront ALB
  23. Provisioning AWS WAF: Reuse Spend less time by reusing WAF rules
  24. Provisioning AWS WAF: Reuse IP whitelist internal IP SQL injection URL match Rule 1: Whitelist [ALLOW] IP blacklist known bad Rule 2: Blacklist [BLOCK] Rule 3: Common protection #1 [BLOCK] Web ACL #1 ALB 1 (dev env) Rule 4: Common protection #2 [BLOCK] XSS match Web ACL #2 ALB 2 (prod env) Spend less time by reusing WAF rules
  25. Provisioning AWS WAF: Reuse IP whitelist internal IP SQL injection URL match Rule 1: Whitelist [ALLOW] IP blacklist known bad Rule 2: Blacklist [BLOCK] Rule 3: Common protection #1 [BLOCK] Web ACL #1 ALB 1 (dev env) Rule 4: Common protection #2 [BLOCK] XSS match Web ACL #2 ALB 2 (prod env) Spend less time by reusing WAF rules ALB 3 (new app)
  26. Provisioning AWS WAF Quickly fix vulnerabilities Example: {CVE-2016-538} • Server-side web applications that utilize the HTTP_Proxy header as an environment variable • Attacker could intercept connections between a client and server. Quick solution: Use AWS WAF to configure a rule to detect and block web requests that contain a proxy header.
  27. Provisioning AWS WAF IP whitelist internal IP SQL injection URL match Rule 1: Whitelist [ALLOW] IP blacklist known bad Rule 2: Blacklist [BLOCK] Rule 3: Common protection #1 [BLOCK] Web ACL #1 ALB 1 (dev env) Rule 4: Common protection #2 [BLOCK] XSS match Web ACL #2 ALB 2 (prod env) Spend less time by reusing WAF rules ALB 3 (new app)
  28. Provisioning AWS WAF IP whitelist internal IP SQL injection URL match Rule 1: Whitelist [ALLOW] IP blacklist known bad Rule 2: Blacklist [BLOCK] Rule 3: Common protection #1 [BLOCK] Web ACL #1 ALB 1 (dev env) Rule 4: Common protection #2 [BLOCK] XSS match Web ACL #2 ALB 2 (prod env) Spend less time by reusing WAF rules ALB 3 (new app) Rule 5: CVE-2016-538 [BLOCK] Header match
  29. AWS WAF security automation strategies Provisioning WAF Configuring rules Importing rules Automated incident response Learning-based protections
  30. Configuring AWS WAF rules Preconfigured AWS CloudFormation templates for common protection CloudFormation template AWS WAF Configuration
  31. Configuring AWS WAF: Common protection Enable common protections • SQL injection • Cross-site scripting
  32. Preconfigured protections: Customer example Need quick setup and common protections like SQLi, XSS “Overall, the entire stack so far has been extremely helpful. I truly would say that this stack should almost be a standard built-in for anyone looking to use WAF as I cannot begin to tell you how useful and truly effective it is.” Award winning Health & Beauty eTailer
  33. Configuring AWS WAF: Common protection Demo
  34. AWS WAF security automation strategies Provisioning WAF Configuring rules Importing rules Automated incident response Learning-based protections
  35. Importing AWS WAF rules Import open source IP reputation lists
  36. Importing AWS WAF rules Open source IP reputation lists
  37. Importing AWS WAF rules
  38. AWS WAF security automation strategies Provisioning WAF Configuring rules Importing rules Automated incident response Learning-based protections
  39. Why security automation Traditional incident response Good users Bad guys Server AWS WAF Logs Threat analysis Notification Security engineer
  40. Why security automation Automated incident response Good users Bad guys Server AWS WAF Logs Threat analysis Rule updater Notification Security engineer
  41. Security automation: Use cases HTTP floods Scans and probes Attackers Use cases that static rules cannot protect effectively
  42. Automated incident response: Customer example
  43. MapBox uses WAF to protect from bots Good users Bad guys Server AWS WAF Logs Threat analysis Rule updater
  44. AWS WAF security automation strategies Provisioning WAF Configuring rules Importing rules Security Automation Learning-based protections
  45. What is machine learning Machine learning is the technology that automatically finds patterns in your data and uses them to make predictions for new data points as they become available Your data + machine learning = smart applications
  46. Amazon Machine Learning Easy-to-use, managed machine learning service built for developers Robust, powerful machine learning technology based on Amazon’s internal systems Create models using your data already stored in the AWS Cloud Deploy models to production in seconds
  47. AWS WAF with Amazon Machine Learning A PoC on learning-based WAF
  48. AWS WAF with Amazon Machine Learning The problem: Detect requests from domain generation algorithms Solution: Use referrer header to detect bad domains visiting my website based on machine learning
  49. AWS WAF with Amazon Machine Learning 1. Data preparation – Feature engineering 2. Train model based on known good and bad domains 3. Evaluate using real data
  50. AWS WAF with Amazon Machine Learning 1. Data preparation – Feature engineering
  51. AWS WAF with Amazon Machine Learning 2. Train model based on known good and bad domains Good domains: Alexa 10,000 Bad domains: Known phishing domains
  52. AWS WAF with Amazon Machine Learning 3. Evaluate using real data Use raw logs from CloudFront logs

          #Version: 1.0
          #Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version
          2014-05-23 01:13:11 FRA2 182 192.0.2.10 GET d111111abcdef8.cloudfront.net /view/my/file.html 200 www.displaymyfiles.com Mozilla/4.0%20(compatible;%20MSIE%205.0b1;%20Mac_PowerPC) - zip=98101 RefreshHit MRVMF7KydIvxMWfJIglgwHQwZsbG2IhRJ07sn9AkKUFSHS9EXAMPLE== d111111abcdef8.cloudfront.net http - 0.001 - - - RefreshHit HTTP/1.1
          2014-05-23 01:13:12 LAX1 2390282 192.0.2.202 GET d111111abcdef8.cloudfront.net /soundtrack/happy.mp3 304 www.unknownsingers.com Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%205.1) a=b&c=d zip=50158 Hit xGN7KWpVEmB9Dp7ctcVFQC4E-nrcOcEKS3QyAez--06dV7TEXAMPLE== d111111abcdef8.cloudfront.net http - 0.002 - - - Hit HTTP/1.1

  53. AWS WAF with Amazon Machine Learning
  54. AWS WAF with Amazon Machine Learning Demo
  55. AWS WAF with Amazon Machine Learning: How good is our machine learning model

      | Category | Result |
      |---|---|
      | Accuracy | 98% |
      | Recall (true positive rate) | 78% |
      | False positive rate | 1% |
      | True negative rate | 99% |

  56. Summary Spend less time securing your applications Instead, focus on building applications Provisioning WAF Reuse rules Configuring rules Configure common protections in minutes using CloudFormation templates Importing rules Automated reputation list from external sources Automated incident response Advanced application-specific firewall rules Learning-based protections Smart adaptive protections using Amazon ML
  57. Remember to complete your evaluations!
  58. Thank you! Get started with AWS WAF: https://console.aws.amazon.com/waf
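
The data-preparation step from slides 48 to 52, sketched as an added example (not code from the original deck): it reads CloudFront standard logs by their `#Fields` header, extracts the host from `cs(Referer)`, and computes per-domain features a classifier could train on. The three features, the function names and the sample rows are assumptions; the deck does not say which features its model used.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in CloudFront standard-log layout: '#' header lines, then
# tab-separated rows. The field list is shortened and all values are made up.
FIELDS = "date time c-ip cs-method cs-uri-stem sc-status cs(Referer)"
ROWS = [
    ["2014-05-23", "01:13:11", "192.0.2.10", "GET", "/view/my/file.html", "200",
     "www.displaymyfiles.com"],
    ["2014-05-23", "01:13:12", "192.0.2.202", "GET", "/index.html", "200",
     "http://x7k2q9vbn3m1zt.example/landing"],
    ["2014-05-23", "01:13:13", "192.0.2.33", "GET", "/index.html", "200", "-"],
]
SAMPLE_LOG = "\n".join(["#Version: 1.0", "#Fields: " + FIELDS]
                       + ["\t".join(r) for r in ROWS])

def parse_log(text):
    """Yield one dict per request, keyed by the names on the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def referer_host(value):
    """Return the referer's host (lower-cased by urlsplit), or None for '-'."""
    if value in ("", "-"):
        return None
    return urlsplit(value if "://" in value else "//" + value).hostname

def domain_features(host):
    """Assumed features, computed on the label left of the final suffix
    (a real pipeline would use a public-suffix list for names like .co.uk)."""
    labels = host.split(".")
    label = (labels[-2] if len(labels) > 1 else labels[0]) or host
    size = len(label)
    entropy = -sum(n / size * math.log2(n / size) for n in Counter(label).values())
    digits = sum(ch.isdigit() for ch in label)
    return {"label": label, "length": size,
            "entropy": round(entropy, 3), "digit_ratio": round(digits / size, 3)}

def referer_features(text):
    """Map each distinct referer host in the log to its feature row."""
    hosts = {referer_host(r.get("cs(Referer)", "-")) for r in parse_log(text)}
    return {h: domain_features(h) for h in sorted(h for h in hosts if h)}

if __name__ == "__main__":
    for host, feats in referer_features(SAMPLE_LOG).items():
        print(host, feats)
```

Rows whose referer is `-` are dropped before feature extraction, so direct visits do not enter the training or evaluation set.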