How WebSafe Can Protect Customers from Web-Based Attacks. Mark DiMinico Sr. Mgr., Systems Engineering Security

Transcription

1

2 How WebSafe Can Protect Customers from Web-Based Attacks Mark DiMinico Sr. Mgr., Systems Engineering Security

3 Drivers for Fraud Prevention WebSafe Protection

4 Drivers for Fraud Prevention WebSafe Protection Three Never-Ending Battles 1. Humans will always make mistakes 2. System and application vulnerabilities continue to emerge 3. Malware detection typically lags

5 Drivers for Fraud Prevention WebSafe Protection Three Never-Ending Battles 1. Humans will always make mistakes 2. System and application vulnerabilities continue to emerge 3. Malware detection typically lags Social Engineering Phishing Vulnerability Exploit Malware Infection Fraud Scheme Execution $ Money Loss

6 Drivers for Fraud Prevention WebSafe Protection Three Never-Ending Battles 1. Humans will always make mistakes 2. System and application vulnerabilities continue to emerge 3. Malware detection typically lags Social Engineering Phishing Vulnerability Exploit Malware Infection Fraud Scheme Execution $ Money Loss SECURITY Gameover ZeuS adds nasty trick Crypto to slip through firewalls By Richard Chirgwin, 4 Feb 2014

7 Drivers for Fraud Prevention WebSafe Protection Three Never-Ending Battles 1. Humans will always make mistakes 2. System and application vulnerabilities continue to emerge 3. Malware detection typically lags Social Engineering Phishing Vulnerability Exploit Malware Infection Fraud Scheme Execution $ Money Loss SECURITY Gameover ZeuS adds nasty trick Crypto to slip through firewalls By Richard Chirgwin, 4 Feb 2014

8 Drivers for Fraud Prevention WebSafe Protection Three Never-Ending Battles 1. Humans will always make mistakes 2. System and application vulnerabilities continue to emerge 3. Malware detection typically lags Social Engineering Phishing Vulnerability Exploit Malware Infection Fraud Scheme Execution $ Money Loss SECURITY Gameover ZeuS adds nasty trick Crypto to slip through firewalls By Richard Chirgwin, 4 Feb 2014 Nearly half of internet users encountered malware in the last year Sep 16, 2015

9 Drivers for Fraud Prevention WebSafe Protection Three Never-Ending Battles 1. Humans will always make mistakes 2. System and application vulnerabilities continue to emerge 3. Malware detection typically lags Social Engineering Phishing Vulnerability Exploit Malware Infection Fraud Scheme Execution $ Money Loss SECURITY Gameover ZeuS adds nasty trick Crypto to slip through firewalls By Richard Chirgwin, 4 Feb 2014 Nearly half of internet users encountered malware in the last year Sep 16, 2015

10 Drivers for Fraud Prevention WebSafe Protection Three Never-Ending Battles 1. Humans will always make mistakes 2. System and application vulnerabilities continue to emerge 3. Malware detection typically lags Social Engineering Phishing Vulnerability Exploit Malware Infection Fraud Scheme Execution $ Money Loss SECURITY Gameover ZeuS adds nasty trick Crypto to slip through firewalls By Richard Chirgwin, 4 Feb 2014 Nearly half of internet users encountered malware in the last year Sep 16, 2015

11 Drivers for Fraud Prevention WebSafe Protection Three Never-Ending Battles 1. Humans will always make mistakes 2. System and application vulnerabilities continue to emerge 3. Malware detection typically lags Social Engineering Phishing Vulnerability Exploit Malware Infection Fraud Scheme Execution $ Money Loss SECURITY Gameover ZeuS adds nasty trick Crypto to slip through firewalls By Richard Chirgwin, 4 Feb 2014 Nearly half of internet users encountered malware in the last year Sep 16, 2015

12 Drivers for Fraud Prevention WebSafe Protection Three Never-Ending Battles 1. Humans will always make mistakes 2. System and application vulnerabilities continue to emerge 3. Malware detection typically lags Social Engineering Phishing Vulnerability Exploit Malware Infection Fraud Scheme Execution $ Money Loss SECURITY Gameover ZeuS adds nasty trick Crypto to slip through firewalls By Richard Chirgwin, 4 Feb 2014 Nearly half of internet users encountered malware in the last year Sep 16, 2015

13 Drivers for Fraud Prevention WebSafe Protection Three Never-Ending Battles 1. Humans will always make mistakes 2. System and application vulnerabilities continue to emerge 3. Malware detection typically lags Social Engineering Phishing Vulnerability Exploit Malware Infection Fraud Scheme Execution $ Money Loss SECURITY Gameover ZeuS adds nasty trick Crypto to slip through firewalls By Richard Chirgwin, 4 Feb 2014 Nearly half of internet users encountered malware in the last year Sep 16, 2015

14 Security Investments Are Misaligned with Reality Perimeter Security 4

15 Security Investments Are Misaligned with Reality Perimeter Security 25% 90% OF ATTACKS ARE FOCUSED HERE OF SECURITY INVESTMENT 4

16 Security Investments Are Misaligned with Reality Perimeter Security Identity & Application Security 25% 90% 72% 10% OF ATTACKS ARE FOCUSED HERE OF SECURITY INVESTMENT OF ATTACKS ARE FOCUSED HERE OF SECURITY INVESTMENT 4

17 Browser Is the Weakest Link Endpoint risks to Data in Use Secured Data Center Customer Browser HTTP/HTTPS

18 Browser Is the Weakest Link Endpoint risks to Data in Use Secured Data Center Customer Browser SIEM Traffic management WAF HIPS Network firewall NIPS DLP HTTP/HTTPS

19 Browser Is the Weakest Link Endpoint risks to Data in Use Secured Data Center Customer Browser SIEM Traffic management WAF HIPS Network firewall NIPS DLP HTTP/HTTPS

20 Browser Is the Weakest Link Endpoint risks to Data in Use Secured Data Center Customer Browser SIEM WAF HIPS Network firewall Traffic management NIPS DLP HTTP/HTTPS Leveraging browser application behavior Caching content, disk cookies, history Add-ons, plug-ins

21 Browser Is the Weakest Link Endpoint risks to Data in Use Secured Data Center Customer Browser SIEM WAF HIPS Network firewall Traffic management NIPS DLP HTTP/HTTPS Leveraging browser application behavior Caching content, disk cookies, history Add-ons, plug-ins Manipulating user actions: Social engineering Weak browser settings Malicious data theft Inadvertent data loss

22 Browser Is the Weakest Link Endpoint risks to Data in Use Secured Data Center Customer Browser SIEM WAF HIPS Network firewall Traffic management NIPS DLP HTTP/HTTPS Leveraging browser application behavior Caching content, disk cookies, history Add-ons, plug-ins Manipulating user actions: Social engineering Weak browser settings Malicious data theft Inadvertent data loss Embedding malware: Browser Keyloggers Framegrabbers Data miners MITB/MITM Phishers/Pharmers

23 Browser Is the Weakest Link Endpoint risks to Data in Use Secured Data Center Hmmmm SIEM WAF HIPS Network firewall Traffic management NIPS DLP HTTP/HTTPS Leveraging browser application behavior Caching content, disk cookies, history Add-ons, plug-ins Manipulating user actions: Social engineering Weak browser settings Malicious data theft Inadvertent data loss ZERO TRUST Embedding malware: Browser Keyloggers Framegrabbers Data miners MITB/MITM Phishers/Pharmers

24 F5 s WebSafe Capabilities

25 F5 s WebSafe Capabilities Advanced Phishing Detection Malware Detection Application Layer Encryption Automatic Transaction Detection

26 Advanced Phishing Attack Detection and Prevention Identifies phishing threats early on and stops attacks before s are sent Alerts of extensive site copying or scanning Alerts on uploads to a hosting server or company Alerts upon login and testing of phishing site Logging of credentials used at phishing site Enables shuts down of phishing server sites during testing Internet Web Application Alerts at each stage of phishing site development

27 Advanced Phishing Attack Detection and Prevention Identifies phishing threats early on and stops attacks before s are sent Alerts of extensive site copying or scanning Alerts on uploads to a hosting server or company Alerts upon login and testing of phishing site Logging of credentials used at phishing site Enables shuts down of phishing server sites during testing 2. Save copy to computer Internet Web Application Alerts at each stage of phishing site development 1. Copy website

28 Advanced Phishing Attack Detection and Prevention Identifies phishing threats early on and stops attacks before s are sent Alerts of extensive site copying or scanning Alerts on uploads to a hosting server or company Alerts upon login and testing of phishing site Logging of credentials used at phishing site Enables shuts down of phishing server sites during testing 2. Save copy to computer Internet 3. Upload copy to spoofed site 4. Test spoofed site Web Application Alerts at each stage of phishing site development 1. Copy website

29 Clientless Generic and Targeted Malware Detection Recognize and safeguard against sophisticated threats originating from your clients Analyzes browser for traces of common malware (i.e., Zeus, Citadel, Carberp, etc.) Both signature- and behavior-based approach Detects MitB Detects Remote Access Trojans (RATs) Advanced threats leveraging both MitB and MitM (Dyre) Real-time alerts and visibility

30 Advanced Application-Layer Encryption Secures credentials and other valuable data submitted on web forms Form fields can be obfuscated to impede hacker visibility Sensitive information can be encrypted in real time Data decryption leverages BIG-IP hardware Intercepted information rendered useless to attacker Helps identify stolen credentials ENCRYPTION AS YOU TYPE

31 Transaction Anomaly Detection Identifies non-human client behavior and data manipulation Analyzes user interaction with the browser Mouse movements, button interactions, page read time, etc. Detects automated transactions Ensure integrity of transaction data Received vs. sent data check Provides real-time alerts and visibility

32 Benefits of the F5 Security Operations Centers

33 Benefits of the F5 Security Operations Centers Fraud analysis that extends a customer s security team

34 Benefits of the F5 Security Operations Centers Fraud analysis that extends a customer s security team Real-time alerts activated by phone, SMS, and

35 Benefits of the F5 Security Operations Centers Fraud analysis that extends a customer s security team Real-time alerts activated by phone, SMS, and SOCs currently in Seattle, WA, and Warsaw, Poland

36 Benefits of the F5 Security Operations Centers $ Fraud analysis that extends a customer s security team Real-time alerts activated by phone, SMS, and SOCs currently in Seattle, WA, and Warsaw, Poland SOC services are complimentary for WebSafe customers

37 Benefits of the F5 Security Operations Centers $ Fraud analysis that extends a customer s security team Real-time alerts activated by phone, SMS, and SOCs currently in Seattle, WA, and Warsaw, Poland SOC services are complimentary for WebSafe customers Optional web site takedown for phishing sites

38 Benefits of the F5 Security Operations Centers $ Fraud analysis that extends a customer s security team Real-time alerts activated by phone, SMS, and SOCs currently in Seattle, WA, and Warsaw, Poland SOC services are complimentary for WebSafe customers Optional web site takedown for phishing sites Filtering alerts by severity and ignoring false positives

39 Benefits of the F5 Security Operations Centers $ Fraud analysis that extends a customer s security team Real-time alerts activated by phone, SMS, and SOCs currently in Seattle, WA, and Warsaw, Poland SOC services are complimentary for WebSafe customers Optional web site takedown for phishing sites Filtering alerts by severity and ignoring false positives Provide detailed incident reports

40 Benefits of the F5 Security Operations Centers $ Fraud analysis that extends a customer s security team Real-time alerts activated by phone, SMS, and SOCs currently in Seattle, WA, and Warsaw, Poland SOC services are complimentary for WebSafe customers Optional web site takedown for phishing sites Filtering alerts by severity and ignoring false positives Provide detailed incident reports Continuous WebSafe deployment validation

41 Benefits of the F5 Security Operations Centers $ Fraud analysis that extends a customer s security team Real-time alerts activated by phone, SMS, and SOCs currently in Seattle, WA, and Warsaw, Poland SOC services are complimentary for WebSafe customers Optional web site takedown for phishing sites Filtering alerts by severity and ignoring false positives Provide detailed incident reports Continuous WebSafe deployment validation Researching and investigating new global fraud technologies

42 Fraud Protection Service Total Protection In Real Time Full Transparency On All Devices Protect Online Users Prevent Fraud Malware and phishing attacks designed to steal identity, data, and money No endpoint software or user involvement required Cross-device and cross-channel attacks Banks, financial institutions, e- commerce, insurance, social media sites, etc. Help companies protect their customers, data, and reputation WEBSAFE & MOBILESAFE: TOTAL FRAUD PROTECTION

43 Protect Your Apps to Secure Your Data

44 Typical WebSafe Architecture

45 Typical WebSafe Architecture Customer has a network firewall in their DMZ DMZ

46 Typical WebSafe Architecture DMZ BIG-IP AFM Of course this can be a BIG-IP system running AFM

47 Typical WebSafe Architecture A local traffic pool is hosting a web application on several servers DMZ Web Application BIG-IP AFM BIG-IP LTM

48 Typical WebSafe Architecture This can be running within the corporate data center Data Center DMZ Web Application BIG-IP AFM BIG-IP LTM

49 Typical WebSafe Architecture or within a public or private cloud DMZ Web Application BIG-IP AFM BIG-IP LTM

50 Typical WebSafe Architecture DMZ Web Application BIG-IP AFM BIG-IP LTM +FPS BIG-IP Fraud Protection Service (FPS) is provisioned along with BIG- IP LTM and an FPS profile is added to the virtual server

51 Typical WebSafe Architecture DMZ Web Application BIG-IP AFM BIG-IP LTM +FPS Internet users send requests for the web application

52 Typical WebSafe Architecture DMZ BIG-IP FPS inserts obfuscated JavaScript code into the response Web Application BIG-IP AFM BIG-IP LTM +FPS

53 Typical WebSafe Architecture DMZ Web Application BIG-IP AFM BIG-IP LTM +FPS On the BIG-IP system, a pool is configured for the Alert Server Alert Server

54 Typical WebSafe Architecture DMZ Web Application BIG-IP AFM BIG-IP LTM +FPS This can either be on premises On Premise SIEM 3rd party risk engine

55 Typical WebSafe Architecture DMZ Web Application BIG-IP AFM BIG-IP LTM +FPS F5 SOC On Premise Alerts in the Cloud Alert Server...or in the cloud SIEM 3rd party risk engine

56 Typical WebSafe Architecture DMZ Web Application BIG-IP AFM BIG-IP LTM +FPS When malicious activity is detected, BIG-IP FPS sends alerts to the configured pool F5 SOC On Premise Alerts in the Cloud Alert Server SIEM 3rd party risk engine

57 Typical WebSafe Architecture DMZ Web Application BIG-IP AFM BIG-IP LTM +FPS Whether on premises or in the cloud, the Alert Dashboard displays information about all detected malicious activity F5 SOC On Premise Alerts in the Cloud Alert Server SIEM 3rd party risk engine

58 Typical WebSafe Architecture DMZ Web Application BIG-IP AFM BIG-IP LTM +FPS The F5 SOC does not have any access to on premises Alert Servers F5 SOC On Premise Alerts in the Cloud Alert Server SIEM 3rd party risk engine

59 Give Feedback Get Points! Add class to your personal schedule. Survey will pop up in Mobile App. Answer the multiple choice. Submit your question to complete. Receive 5 points!

60