Application Security Rafal Chrusciel Senior Security Operations Analyst, F5 Networks r.chrusciel@f5.com
Agenda
- Who are we?
- Anti-Fraud
- F5 Silverline DDoS protection
- WAFaaS
- Threat intelligence & malware research
- Publications
Who are we?
F5 SOC Organization
- Vice-President
- Managers
- Customer Engagement Managers
- Architects
- DDoS Analysts
- WAF Analysts
- Anti-Fraud Analysts
- Malware Analysts
Locations: Seattle, Warsaw, Tel-Aviv
F5 SOC Milestones
- 2013: Versafe acquisition
- 2014: F5 WebSafe release; Seattle SOC launch; Defense.net acquisition; F5 Silverline Volumetric DDoS release
- 2015: Warsaw SOC launch; F5 Silverline Web Application Firewall release
- 2017: F5 Silverline WAF Express release
Delivering 3 SOC services 24x7x365: Silverline DDoS mitigation, Silverline WAFaaS, Anti-Fraud services
Anti-Fraud
Unlimited Expert Malware Analysis
- Assess damage, understand attackers and resolve vulnerabilities
- Specialized researchers and analysts at your service
- Analyzes any malware submitted, including malware detected by F5 Web Fraud Protection solutions
- Investigates and reports on malware, including components, attributes, target, controls, purpose, etc.
- Discovers indicators of compromise
- Identifies source and level of sophistication
- Helps prevent future malware attacks and eliminate the risks associated with analyzing malware
- Always available: 24x7 Malware Analysis Team
- Includes C&C shutdown services and WebSafe C&C drop zone investigation
BIG-IP Fraud Protection Service (diagram): Online Users -> Internet -> Organization's DMZ -> Web Application; WebSafe components via F5 iRules; Alert Server (cloud or on-premise)
Phishing attacks
Malware detection
Citadel malware
External injections detection
Infected computers
Citadel domain availability
F5 Silverline DDOS protection
F5 Silverline proxy mode
F5 Silverline routed mode
Volumetric attacks real threat?
Mirai DNS Water Torture (diagram): IoT bot -> query for blabla.victim.com -> ISP's DNS server -> authoritative DNS servers for victim.com (unresponsive)
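The pattern in the diagram above, random subdomains that miss every resolver cache and pile up on the victim's authoritative servers, leaves a recognisable trace in resolver query logs. The following is an added example, not code from the original deck or from F5: it scores each zone in a constructed sample log by its NXDOMAIN share and subdomain uniqueness; the log format, thresholds and names are assumptions.

```python
from collections import defaultdict

# Constructed sample resolver query log (format assumed): "<epoch> <client> <qname> <rcode>".
SAMPLE_LOG = """\
1000 192.0.2.10 www.victim.example NOERROR
1000 192.0.2.11 x7qk2z.victim.example NXDOMAIN
1001 192.0.2.12 p0a9sd.victim.example NXDOMAIN
1001 192.0.2.13 lm3kd8.victim.example NXDOMAIN
1002 192.0.2.14 zz91qa.victim.example NXDOMAIN
1002 192.0.2.15 qwe8rt.victim.example NXDOMAIN
1003 192.0.2.10 mail.victim.example NOERROR
1003 192.0.2.20 www.other.example NOERROR
1004 192.0.2.21 cdn.other.example NOERROR
"""

def zone_of(qname, depth=2):
    """Zone that owns the name: its last `depth` labels (no public-suffix list here)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-depth:])

def parse_log(text):
    """Parse log lines into (ts, client, qname, rcode) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append((int(ts), client, qname.lower().rstrip("."), rcode))
    return records

def water_torture_zones(records, min_queries=5, nx_ratio=0.6, unique_ratio=0.8):
    """Flag zones whose traffic looks like a random-subdomain flood: mostly NXDOMAIN,
    nearly all-distinct names, many clients (a busy but cacheable zone fails this test)."""
    per_zone = defaultdict(lambda: {"total": 0, "nx": 0, "names": set(), "clients": set()})
    for _, client, qname, rcode in records:
        stats = per_zone[zone_of(qname)]
        stats["total"] += 1
        stats["nx"] += rcode == "NXDOMAIN"   # every such name is forwarded upstream uncached
        stats["names"].add(qname)
        stats["clients"].add(client)
    flagged = {}
    for zone, s in per_zone.items():
        if s["total"] < min_queries:
            continue  # too little traffic to judge
        if s["nx"] / s["total"] >= nx_ratio and len(s["names"]) / s["total"] >= unique_ratio:
            flagged[zone] = {"total": s["total"], "nxdomain": s["nx"],
                             "unique_names": len(s["names"]), "clients": len(s["clients"])}
    return flagged
```

On the sample log only victim.example is flagged; the two queries for other.example fall below the minimum and are ignored.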
Mirai, Mirai, Mirai Take the focus off protocol attacks?
DDoS Future (image sources: http://www.business2community.com/big-data/internetthings-iot-going-impact-business-01572401#ect94ktbwj7bzpyh.97 and http://vavatech.pl/technologie/mobilne/android)
Silverline WAFaaS
BIG-IP Application Security Manager
- Highest-scaling and most flexible solution that provides transparent protection from ever-changing threats
- Best DAST integration and virtual patching to reduce risks from vulnerabilities
- Deploys as a full proxy or transparent full proxy (bridge mode)
- Industry's best bot detection measures
- Secures against the OWASP Top 10
Request flow (diagram): BIG-IP Local Traffic Manager (SSL, TCP, HTTP DoS mitigation) and BIG-IP Application Security Manager (application attack filtering & inspection) sit in front of the vulnerable application
1. Request made
2. BIG-IP ASM security policy checked; BIG-IP ASM applies the security policy: drop, block or forward the request
3. Server response generated
4. BIG-IP ASM security policy checked: response inspection for errors and leakage of sensitive information
5. Secure response delivered
WAF as a Service
F5 security experts proactively monitor and fine-tune policies to protect web applications and data from new and emerging threats.
- Expert policy setup
- Policy fine-tuning
- Proactive alert monitoring
- False positives tuning
- Detection tuning
- Whitelist / blacklist set up and monitoring
F5 Security Operations Center: Expert Policy Setup and Management, Availability & Support, Active Threat Monitoring
Effective Policy Management
Step 1: Deployment Phase
- Onboarding call is scheduled
- Set up an account
- Agree to an implementation plan
- Create a proxy environment for the application
Step 2: Building Phase
- Analyze your applications
- Create and enable a baseline policy for the basic top security threats
- SOC analyzes the app for security tuning per customer specifications
Step 3: Learning Phase
- Live traffic feeds the ASM policy builder
- SOC tunes policies based on resolutions of WAF Violation Logs
- Virtual patching via VA/DAST scans
Step 4: Enforcement Phase
- Enforcement call scheduled between customer and SOC
- Maintenance window is established
- Monitoring for false positives
- Follow-up call scheduled to obtain customer sign-off
Step 5: Continual Tuning
- Continual tuning based on WAF Violation Logs resolution
- Periodic calls with customer
- Repeat Steps 2-5 as changes are made to the application
WAFaaS proxy mode
24x7 service, expert policy tuning
Web Scraping protection
Silverline WAF Express
- Predefined policies for different technologies
- Whitelisting available
- Low number of false positives
- F5 SOC expertise during the deployment phase
Threat Intelligence & Malware Research
F5 Threat Monitor
Fraud Targets
C&C Servers
Mobile Trojans
Phishing Sites
Threat Intelligence Statistics
Publications
F5 Newsroom https://f5.com/labs
Solutions for an application world. r.chrusciel@f5.com