How WebSafe Can Protect Customers from Web-Based Attacks
Mark DiMinico, Sr. Mgr., Systems Engineering Security
Drivers for Fraud Prevention: WebSafe Protection

Three Never-Ending Battles
1. Humans will always make mistakes
2. System and application vulnerabilities continue to emerge
3. Malware detection typically lags

Attack chain shown on the slide: Social Engineering / Phishing -> Vulnerability Exploit -> Malware Infection -> Fraud Scheme Execution -> Money Loss ($)

Headlines cited on the slide:
- SECURITY: "Gameover ZeuS adds nasty trick: Crypto to slip through firewalls" (by Richard Chirgwin, 4 Feb 2014)
- "Nearly half of internet users encountered malware in the last year" (Sep 16, 2015)
Security Investments Are Misaligned with Reality

Perimeter Security: 25% of attacks are focused here, 90% of security investment
Identity & Application Security: 72% of attacks are focused here, 10% of security investment
Browser Is the Weakest Link: Endpoint Risks to Data in Use

Secured Data Center (controls in place): SIEM, traffic management, WAF, HIPS, network firewall, NIPS, DLP
Customer Browser, reached over HTTP/HTTPS (where the risks sit):
- Leveraging browser application behavior: caching content, disk cookies, history; add-ons, plug-ins
- Manipulating user actions: social engineering, weak browser settings, malicious data theft, inadvertent data loss
- Embedding malware: browser keyloggers, framegrabbers, data miners, MITB/MITM, phishers/pharmers

Slide callout: ZERO TRUST
F5's WebSafe Capabilities

- Advanced Phishing Detection
- Malware Detection
- Application Layer Encryption
- Automatic Transaction Detection
Advanced Phishing Attack Detection and Prevention

Identifies phishing threats early on and stops attacks before emails are sent:
- Alerts on extensive site copying or scanning
- Alerts on uploads to a hosting server or company
- Alerts upon login to and testing of the phishing site
- Logging of credentials used at the phishing site
- Enables shutdown of phishing server sites during testing

Diagram (Internet <-> Web Application): alerts at each stage of phishing site development
1. Copy website
2. Save copy to computer
3. Upload copy to spoofed site
4. Test spoofed site
Clientless Generic and Targeted Malware Detection

Recognize and safeguard against sophisticated threats originating from your clients:
- Analyzes the browser for traces of common malware (e.g., Zeus, Citadel, Carberp)
- Both signature- and behavior-based approach
- Detects MitB
- Detects Remote Access Trojans (RATs)
- Detects advanced threats leveraging both MitB and MitM (Dyre)
- Real-time alerts and visibility
Advanced Application-Layer Encryption ("Encryption as you type")

Secures credentials and other valuable data submitted on web forms:
- Form fields can be obfuscated to impede hacker visibility
- Sensitive information can be encrypted in real time
- Data decryption leverages BIG-IP hardware
- Intercepted information is rendered useless to the attacker
- Helps identify stolen credentials
Transaction Anomaly Detection

Identifies non-human client behavior and data manipulation:
- Analyzes user interaction with the browser: mouse movements, button interactions, page read time, etc.
- Detects automated transactions
- Ensures integrity of transaction data: received vs. sent data check
- Provides real-time alerts and visibility
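As an added illustration of the "received vs. sent data check" (example code, not F5's): the browser-side script is assumed to report the form values the user actually submitted, and this server-side routine compares them with the request body that arrived, flagging any field that differs. The field names, the critical-field set and the sample values are all assumptions constructed for the example.

```python
"""Received-vs-sent integrity check for a submitted transaction (illustrative)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Fields whose alteration redirects or resizes a payment (assumed set).
CRITICAL_FIELDS = {"beneficiary_account", "amount"}


@dataclass
class IntegrityAlert:
    session_id: str
    # field name -> (value the user typed, value the server received)
    mismatched: Dict[str, Tuple[Optional[str], Optional[str]]]
    severity: str  # "high" if a critical field differs, otherwise "low"


def normalize(value: str) -> str:
    """Collapse whitespace and case so cosmetic differences do not alert."""
    return " ".join(value.split()).lower()


def check_transaction(session_id: str,
                      sent_by_user: Dict[str, str],
                      received_by_server: Dict[str, str]) -> Optional[IntegrityAlert]:
    """Compare what the page script reported the user submitted with what the
    server actually received; a differing field means something between the
    user and the server (e.g. a man-in-the-browser) altered the transaction."""
    mismatched = {}
    for name in sorted(set(sent_by_user) | set(received_by_server)):
        sent, received = sent_by_user.get(name), received_by_server.get(name)
        if sent is None or received is None or normalize(sent) != normalize(received):
            mismatched[name] = (sent, received)
    if not mismatched:
        return None
    severity = "high" if CRITICAL_FIELDS & set(mismatched) else "low"
    return IntegrityAlert(session_id, mismatched, severity)


# Constructed sample data: what the user typed into a transfer form.
SENT = {"beneficiary_account": "GB00 TEST 0000 0000 00", "amount": "100.00",
        "reference": "Rent"}
# The same transaction as received by the server, cosmetic differences only.
RECEIVED_CLEAN = {"beneficiary_account": "gb00 test 0000 0000 00",
                  "amount": "100.00", "reference": "Rent "}
# The same transaction with the beneficiary swapped in transit (constructed).
RECEIVED_TAMPERED = {"beneficiary_account": "GB99 EVIL 9999 9999 99",
                     "amount": "100.00", "reference": "Rent"}

if __name__ == "__main__":
    for label, received in (("clean", RECEIVED_CLEAN), ("tampered", RECEIVED_TAMPERED)):
        print(label, check_transaction("session-1", SENT, received))
```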
Benefits of the F5 Security Operations Centers

- Fraud analysis that extends a customer's security team
- Real-time alerts activated by phone, SMS, and email
- SOCs currently in Seattle, WA, and Warsaw, Poland
- SOC services are complimentary for WebSafe customers
- Optional web site takedown for phishing sites
- Filtering alerts by severity and ignoring false positives
- Provide detailed incident reports
- Continuous WebSafe deployment validation
- Researching and investigating new global fraud technologies
Fraud Protection Service: WebSafe & MobileSafe, Total Fraud Protection

Slide headers: Total Protection; In Real Time; Full Transparency; On All Devices; Protect Online Users; Prevent Fraud

- Malware and phishing attacks designed to steal identity, data, and money
- No endpoint software or user involvement required
- Cross-device and cross-channel attacks
- Banks, financial institutions, e-commerce, insurance, social media sites, etc.
- Help companies protect their customers, data, and reputation
Protect Your Apps to Secure Your Data
Typical WebSafe Architecture

1. The customer has a network firewall in their DMZ; of course this can be a BIG-IP system running AFM.
2. A local traffic pool (BIG-IP LTM) is hosting a web application on several servers. This can be running within the corporate data center or within a public or private cloud.
3. BIG-IP Fraud Protection Service (FPS) is provisioned along with BIG-IP LTM, and an FPS profile is added to the virtual server.
4. Internet users send requests for the web application.
5. BIG-IP FPS inserts obfuscated JavaScript code into the response.
6. On the BIG-IP system, a pool is configured for the Alert Server. This can either be on premises (feeding an on-premises SIEM or 3rd-party risk engine) or in the cloud (F5 SOC, "Alerts in the Cloud").
7. When malicious activity is detected, BIG-IP FPS sends alerts to the configured pool.
8. Whether on premises or in the cloud, the Alert Dashboard displays information about all detected malicious activity.
9. The F5 SOC does not have any access to on-premises Alert Servers.