We b Ap p A t ac ks U ser / Iden tity 33% 53% Apps And Identities Initial Targets In 86% Of Breaches P hysi ca l 11% Other (VPN, PoS,infra.) 3%
Fix vulnerabilities Stop web attacks Risk & compliance
What is the OWASP Top 10? Top 10 is a broad consensus on the most critical web application security flaws Most are very well known attack vectors that persist Coverage is a mandatory minimum for some regulatory requirements such as PCI DSS
Here s the good news. WAFs don t require access to source code or developers WAFs fix vulnerabilities promptly without maintenance windows WAF Technology WAFs provide coverage for OWASP Top 10 WAF offers protection against application attacks WAFs can be an alternative to code review
Non-API users Self-selected use Tech savvy consumers Innovators Disruptors Enterprise use Business partners Distribution partners Suppliers Product integration Business partners Product ecosystem Tech-savvy consumers Digital experience Mobile Web Open Web APIs B2B APIs Product APIs Internal API Enterprise Applications (custom, off-the-shelf, on premise, cloud) Products
77% of web attacks start from botnets 3 Billion Credentials were reported stolen in 2016 App-layer DDoS has increased by 43%
Traditional WAF: Advanced WAF: OWASP Top 10 OWASP Top 10 Malicious Bots SSL/TLS Inspection SSL/TLS Inspection Credential Attacks Scripting Scripting API Attacks
APPLICATION PROTECTION ADVANCED WAF PROACTIVE BOT DEFENSE APP-LAYER ENCRYPTION ANTI-BOT MOBILE SDK BEHAVIORAL DDOS
Automation Half of Internet traffic comes from bots 30% is malicious web attacks account takeover Vulnerability Scanning Web Scraping Denial of Service
Simple bots Google Impersonating Bots Bots with cookies / JS support Bots that simulate browsers
target of the same automated attacks lack mature security capabilities needs mobile specific security
Figure Credit: Verizon 2017 Data Breach Investigations Report
Use Case - Account Takeover Anti-bot Mobile SDK ATO Protection Mobile Users credentials Authentication Protection Credential Encryption Hacker Bots Data Center Interconnect Cloud Problem: Criminals are performing account takeover by stealing account credential via malware Solution: App-level credential encryption Anti-bot mobile SDK Credential Stuffing protection Brute force protection Benefits: Prevent the use of dumped credential databases (credential stuffing) Prevent the theft of user credentials (credential harvesting) Protect mobile apps - Identify and pass only the desired mobile applications.
DDoS 101 The Targets Volumetric Attacks on Bandwidth Attacks on Server stack. Low and Slow. Attacks on RAM. Firewall state tables. Attacks on crypto capacity. SSL floods. Attacks on CPU. IPS Signature Scanning. Targeted Attacks. Bugs and flaws in stack. F5 Networks, Inc 22
Use Case - DDoS Attacks Users Hacker Bots Silverline Cloud Services Problem: DDOS attacks are growing, but your resources are not DDoS mitigation time is slow due to manual initiation and difficult policy tuning Silverline Always On under attack Layer 3 DDOS Protection DDoS Hybrid Defender On-Premises Users Core DDOS Managed Service Layer 7 DDOS Protection Advanced WAF Option: consolidate into a single layer 3-7 solution Communication (signaling) Solution: Always-on protection with on-premises hardware Mitigate with layered defense strategy and cloud services F5 SOC monitoring with portal Protect against all attacks with granular control Eliminate time-consuming manual tuning with machine learning Benefits: On-premise hardware acts immediately and automatically to mitigate attacks. Silverline cloud services minimizes the risk of larger attacks crippling your site or applications
F5 Advanced WAF Protect against bots, credential attacks, and app-layer DoS Anti-bot Mobile SDK F5 Advanced WAF Defend against bots Proactive bot defense Anti-bot mobile SDK Client and server monitoring Mobile Users credentials Bot Mitigation Credential Protection App-Layer DoS Hacker Bots Prevent Account Takeover App-level encryption Mobile app tampering Brute Force protection Key Benefits: Protects Web and mobile apps from exploits, bots, theft, app-layer DoS Prevent malware from stealing data and credentials Prevent Brute Force attacks that use stolen credentials Eliminate time-consuming manual tuning for App-layer DoS protection Protect apps from DoS Auto-tuning Behavioral analytics Dynamic signatures
THE CHANGING DYNAMICS OF APPLICATION SECURITY Maximizing Value From Your WAF Web Application Firewall Proactive Bot Defense Anti-Bot Mobile SDK Vulnerabilities & Exploits Automated Attacks Mobile Applications DataSafe Encryption Behavioral Analytics API Protocol Security Credential & Data Theft Low & Slow DDoS API Vulnerabilities Threat Intelligence Feeds Credential Stuffing Threat Campaigns! Device Identification
Advanced WAF Bot Defense DataSafe Encryption Behavioral DoS Anti-Bot Mobile Solution VIPRION Standalone iseries VE BIG-IP LTM/GBB/ASM Upgrade DataSafe Add-on Cloud AWS Azure Google SDK Android Apple Enterprise BYOL Per-App-VE Licensing Cloud Marketplace Cloud Licensing Program Add-on Professional Services Fusion Deployment Advanced WAF Installation for VIPRION Advanced WAF Installation for BIG-IP Advanced WAF LaunchPad (Upgrade only) Advanced WAF Installation for BIG-IP Appdome Managed Services F5 Silverline WAF Managed WAF Express DDoS Protection F5 Managed Rules for AWS WAF WebSafe F5 Fraud Services MobileSafe Threat Intel IP Intelligence Credential Stuffing Threat Campaigns Device Identification Complementary Solutions DDoS Hybrid Defender Access Policy Manager BIG-IQ
APPDEV INLINE HOST MITIGATE CODING WAF (W EB APPLICATION FIREWALL) ENTERPRISE PROTECTION REGULATORY COMPLIANCE VA/ DAST INTEGRATIONS MOST EFFECTIVE OWASP 10 VOLUMETRIC MITIGATION RASP (Run-tim e Application Self Protection) APP PROTECTION INSTANCE POST WAF, IPS, IDS INSIDE APP OR SERVER APP LANGUAGE DEPENDENT UP TO 10% PERF. REDUCTION BUG FIXES IPS BOT PROTECTION VULNERABILTY ASSESMENT SAST (STATIC APPLICATION SECURITY TESTING) DAST (DYNAMIC APPLICATION SECURITY TESTING) IAST (INTERACTIVE APPLICATION SECURITY TESTING) DEVELOPMENT PRODUCTION