THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY
DATA CENTER WEB APPS NEED MORE THAN IP-BASED DEFENSES AND NEXT-GENERATION FIREWALLS
A TechTarget White Paper
Does your organization have mission-critical Web applications for e-commerce, online marketing, customer service, financial transactions, product design or supply chain management? If it does, then those applications house customer information, financial data and intellectual property that must be protected. Even a few minutes of unavailability can have a lasting impact on revenue, reputation and productivity.

Unfortunately, despite large investments in IT security, Web applications in the data center are not secure. This is because:

• Most of today's data center defenses, including firewalls, intrusion prevention systems and anti-malware products, are designed to stop network-level attacks or rely on signatures of known mass attacks. They are not effective against application-level attacks targeting individual companies.
• Sophisticated attackers, recognizing these weaknesses, are shifting their attention to Web applications. A recent study found that 73% of data breaches investigated involved SQL injection or remote access attacks, both of which are related to vulnerabilities in Web applications and Web application environments.[1]

Sidebar: Web apps have become the target of choice for cyber-criminals, hacktivists and government-sponsored hackers who have learned to evade conventional data center defenses by targeting application-level vulnerabilities.

Even next-generation firewalls are not a solution. Many of their advantages are related to protecting against bad employee behaviors, not application vulnerabilities. Also, application-related features are plagued by false positives, complex rules and slow performance.

And most IT organizations recognize this dilemma. In one survey, 62% of IT executives stated that the most serious attacks are Web-based; 61% acknowledged that their existing security technologies don't address the complete threat; and 48% said that current network security technologies do not minimize attacks that bring down Web applications.[2]
[1] 2013 Global Security Report, Trustwave
[2] Efficacy of Emerging Network Security Technologies, Ponemon Institute
Fortunately, there are two new technologies that can fill these gaps:

• Intrusion Deception
• Application-level DDoS protection

Intrusion Deception

Most cybercriminals gravitate to websites that they can penetrate most easily for the largest reward. A new type of security technology leverages this cost-benefit approach by misleading and frustrating attackers so they turn their attention to easier targets. This is called Intrusion Deception or active defense.

Active Defense and Intrusion Deception Defined
"Altering your environment and system responses dynamically based on the activity of potential attackers, to both frustrate attacks and more definitively identify actual attacks. Try to tie up the attacker and gain more information on them... Pollute your environment with false information designed to frustrate attackers."
Rich Mogull, Securosis blog

Let's examine how Intrusion Deception might work against an attacker searching for vulnerable websites. The attacker would typically conduct a reconnaissance by launching scripts to scan hundreds of likely websites and:

• Attempt to authenticate by trying lists of popular passwords.
• Request directory, password and configuration files (for example admin.php and login.php).
• Search for vulnerabilities in common plug-ins and applications, such as unpatched versions of Adobe Reader and Acrobat, Oracle Java, WordPress and browsers.
• Locate input forms and submit SQL syntax, to identify applications vulnerable to SQL injection attacks.
Most conventional security tools, such as firewalls and intrusion prevention systems, will have difficulty distinguishing these probes from legitimate user and system administrator activities. Also, detecting and blocking one probe may just encourage the attacker to hunt for other weaknesses. Eventually, the attacker would find one or more vulnerabilities that could be exploited by utilizing stolen credentials, accessing and exfiltrating files and databases, and planting malware on additional systems.

Here is how an Intrusion Deception solution would protect websites against these attacks. It starts by creating hundreds of abuse detection points across the site. These points flag activities that are common to attackers but unusual for legitimate users. When suspicious activities occur, the Intrusion Deception system tracks and records the attacker's actions, and creates a profile that can be used to identify the probe or attack if it reappears on the website.

But the really interesting capabilities of Intrusion Deception solutions lie in the abuse response options that you can select to mislead and frustrate the attacker. Responses can include:

• Deceiving the attacker by giving the impression that the application is broken, the website is down or the connection is extremely slow.
• Injecting CAPTCHA screens into the normal application workflow to prevent botnets from flooding the application with inputs.
• Forcing continual logouts and re-authentication.
• Redirecting the attacker to a webpage with a "We are on to you" warning message.
• Allowing access to false versions of common files (admin.php and login.php) and seemingly valuable files with false information (for example, an Accounts file with nonexistent account numbers).
• Shunting the attacker to a sandbox version of an application, complete with phony data, to observe his method of operation.

At the same time, the software alerts administrators early in the attack life cycle and logs all of the activities of the attacker for future study.
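As an added illustration of the detection-point and graduated-response idea (this is not code from the paper or from Juniper's product), the following Python sketch runs over a constructed access-log sample: requests for decoy files that the real site never links to, and SQL syntax submitted in a form parameter, each trip a point; the hits are kept per client as a profile, and the response escalates with that profile. The decoy paths, the log format, the SQL-probe pattern and the escalation ladder are all assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log sample for this example (not taken from the paper).
SAMPLE_LOG = """\
10.0.0.5 "GET /index.html" 200
10.0.0.5 "GET /products?id=42" 200
198.51.100.9 "GET /admin.php" 200
198.51.100.9 "GET /login.php" 200
198.51.100.9 "POST /search?q=1'%20OR%20'1'='1" 200
198.51.100.9 "GET /backup/Accounts.xls" 200
10.0.0.7 "POST /login" 302
"""

LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3})$')

# Hypothetical decoy resources: the site's real pages never link to them, so any
# request for one is evidence of probing regardless of the client's IP reputation.
DECOY_PATHS = {"/admin.php", "/login.php", "/backup/Accounts.xls"}
SQLI_RE = re.compile(r"(?:'|%27)(?:%20|\s)*or\b", re.IGNORECASE)

# Abuse detection points: each fires on behaviour that is common for attackers
# but that a legitimate user of this site has no reason to exhibit.
DETECTION_POINTS = {
    "decoy_file": lambda path: path in DECOY_PATHS,
    "sqli_probe": lambda path: SQLI_RE.search(path) is not None,
}

def build_profiles(log_text):
    """Return {client_ip: [(detection_point, path), ...]} for every tripped point."""
    profiles = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, _status = m.groups()
        for name, fires in DETECTION_POINTS.items():
            if fires(path):
                profiles[ip].append((name, path))
    return dict(profiles)

# Graduated abuse responses, escalating with how many points a client has tripped.
RESPONSES = ["allow", "warning_page", "captcha", "force_logout", "block"]

def choose_response(profile):
    """Map a client's tripped-point list to the mildest response that fits it."""
    return RESPONSES[min(len(profile), len(RESPONSES) - 1)]

def decide(log_text):
    """Per-client decisions for the whole log; clients with no hits are allowed."""
    profiles = build_profiles(log_text)
    ips = {LOG_RE.match(l).group(1) for l in log_text.splitlines() if LOG_RE.match(l)}
    return {ip: choose_response(profiles.get(ip, [])) for ip in ips}
```

The profile kept per client is also what lets a later visit by the same client be recognised and answered at the same or a higher rung, which is the "reappears on the website" case the paper describes.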
By operating at the application level, and by deceiving and frustrating attackers rather than merely blocking them, Intrusion Deception technology fundamentally alters the incentives for cybercriminals and others trying to penetrate your website.

Application-Level DDoS Protection

Financially minded cybercriminals are not the only ones who are trying new methods and shifting their attention to application-layer attacks; so are hacktivists (ideologically motivated attackers) and other perpetrators of distributed denial-of-service (DDoS) attacks.

Today's DDoS protection must:
• Block DDoS attacks against applications as well as websites.
• Detect and protect from low and slow DDoS attacks.

Conventional firewalls and intrusion prevention systems can't cope with the most recent volumetric, or flooding, DDoS attacks. These not only launch data center-scale volumes of packets, but they also sometimes disguise themselves by spreading across multiple network links or dividing themselves into very small packets.

And few security tools can identify new application-level or "low and slow" DDoS attacks. These produce results similar to volumetric attacks, but with far lower volumes. Most applications include calls that are extremely resource-intensive, for example, performing complex querying against a giant database. A DDoS attack that fires off these processes with sufficient frequency can bring an application to its knees while evading firewalls and intrusion prevention systems.

To defend today's mission-critical Web applications, DDoS protection technology needs to go beyond applying simple rules and dropping malformed packets. It also needs to apply sophisticated techniques, such as:

• Assigning sending IP addresses risk ratings, based on multiple behavioral criteria.
• Monitoring return traffic for response times and dynamically dropping packets from low-rated IP addresses when performance levels degrade below acceptable thresholds.
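An added example (not from the paper and not Juniper's implementation) of the two techniques just listed: each client IP gets a behavioural rating from its request rate and its share of resource-intensive calls, and traffic from low-rated IPs is dropped only while the measured response time exceeds the service threshold, so a quiet site never penalises an odd-looking client. The request sample, the two criteria and their weighting, the 10-second window and the 500 ms threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed request records for this example: (client_ip, path, response_ms).
# "/report" is assumed to run an expensive database query.
EXPENSIVE = {"/report"}
SAMPLE_REQUESTS = [
    ("10.0.0.5", "/index.html", 40), ("10.0.0.5", "/products", 55),
    ("10.0.0.5", "/report", 900),
    ("203.0.113.7", "/report", 2400), ("203.0.113.7", "/report", 2600),
    ("203.0.113.7", "/report", 2900), ("203.0.113.7", "/report", 3100),
    ("203.0.113.8", "/report", 2500), ("203.0.113.8", "/report", 2700),
    ("203.0.113.8", "/report", 2800),
    ("10.0.0.9", "/index.html", 35), ("10.0.0.9", "/about", 30),
]

def rate_clients(requests, window_s=10.0):
    """Behavioural risk rating per IP in [0, 1]; higher means more trustworthy.

    Two hypothetical criteria: request rate within the window, and the share of
    requests hitting resource-intensive endpoints. A real product would use more.
    """
    per_ip = defaultdict(list)
    for ip, path, _ms in requests:
        per_ip[ip].append(path)
    ratings = {}
    for ip, paths in per_ip.items():
        rate = len(paths) / window_s
        expensive_share = sum(p in EXPENSIVE for p in paths) / len(paths)
        rate_score = max(0.0, 1.0 - rate / 1.0)  # 1 request/s or more scores 0
        ratings[ip] = round(0.5 * rate_score + 0.5 * (1.0 - expensive_share), 2)
    return ratings

def mitigation_plan(requests, latency_sla_ms=500, cutoff=0.5):
    """Drop low-rated IPs only while observed response time breaches the SLA."""
    ratings = rate_clients(requests)
    observed_ms = mean(ms for _ip, _path, ms in requests)
    degraded = observed_ms > latency_sla_ms
    drop = sorted(ip for ip, r in ratings.items() if degraded and r < cutoff)
    return {"degraded": degraded, "observed_ms": round(observed_ms),
            "drop": drop, "ratings": ratings}
```

The legitimate client 10.0.0.5 also calls the expensive endpoint once but keeps a high rating because most of its traffic is cheap, which is the distinction that separates a low-and-slow attacker from a normal heavy user.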
By observing the behavior and effect of network streams, advanced DDoS protection can cope with both volumetric and low-and-slow attacks.

The Business Case for Data Center Security

Is there a business case for investing in yet more data center security? Every organization has its own risk profile, but the potential costs of inadequate security can be substantial. According to two recent surveys:

• The average cost of a data breach in the U.S. in 2012 was $5.5 million, or $194 per record.[3]
• The average revenue loss to an e-retailer whose website goes down during the holiday season would be $12.7 million per day, or about $530,000 per hour.[4]

Juniper Networks can provide industry-leading Intrusion Deception and DDoS protection technology for much less than the reported cost of one major data breach or one hour of Web application downtime. Key offerings include:

Junos WebApp Secure uses the latest Intrusion Deception technology to misdirect and mislead attackers while simultaneously profiling and fingerprinting them. By injecting hundreds of detection points into the code, the attackers' own behavior identifies them as malicious, without false positives. Junos WebApp Secure breaks automated hacking tools by inundating them with fake data and rendering the results useless. Once an attack has been detected, an appropriate response (from a warning, to requiring a CAPTCHA, to blocking a user or forcing him to log out) can be deployed manually or automatically in real time.

Junos DDoS Secure delivers a fully automated DDoS protection system for websites and Web applications. It uses a unique, behavior-based approach to DDoS mitigation that provides protection up to 40 Gbps for high-volume attacks as well as advanced low-and-slow application attacks, with minimal false positives. It can be deployed as either a hardware appliance or as a virtual machine in private, public and hybrid cloud environments.
[3] 2011 Cost of a Data Breach Study, United States, Ponemon Institute
[4] National Survey of E-Retailers, McLaughlin & Associates
Junos Spotlight Secure is the industry's only cloud-based global attacker intelligence service that identifies individual attackers at the device level and tracks them in a global database. It creates a persistent fingerprint of attacker devices based on more than 200 unique attributes. Compared with currently available reputation feeds that rely on only IP addresses, Junos Spotlight Secure offers more detailed security intelligence about attackers and significantly reduces false positives.

Juniper Networks SRX Series Services Gateways integrate with Junos WebApp Secure and the Junos Spotlight Secure global attacker intelligence service to benefit from the latest Intrusion Deception technology and block botnets and large-scale Web attacks.