Extend Enterprise Application-level Security to Your AWS Environment
TRANSCRIPT
© 2015 Imperva, Inc. All rights reserved.
Application Security in Your AWS Environment
Chris Grove, Director of Solutions Architecture, Imperva
Matt Yanchyshyn, Sr. Manager Solutions Architecture, AWS
June 2015
Speakers
Confidential 2
Matt Yanchyshyn Sr. Manager Solutions Architecture, AWS
Chris Grove Director of Solutions Architecture, Imperva
1. Today’s Threat Landscape
Hackers Exploiting Same Old Vulnerabilities
“99.9% OF THE EXPLOITED VULNERABILITIES WERE COMPROMISED MORE THAN A YEAR AFTER THE CVE WAS PUBLISHED.”
Source: Verizon 2015 Data Breach Investigation Report
The Spending Disconnect: The Threats Have Changed, Security Spending Hasn’t

90’s
  Threats: Script Kiddies, “Digital Graffiti”, Backdoors, Viruses
  Security Spend: Anti-virus, Firewall / VPN, Content Filtering, IDS / IPS

2015
  Threats: Industrialized Hackers, Organized Criminals, Cyber Espionage, DDoS
  Security Spend: Anti-virus, Firewall / VPN, Secure Email/Web, IPS
2. Amazon Web Services Security
Security is Job Zero at AWS
Familiar Security Model
• Validated and driven by customers’ security experts
• Benefits all customers
• Layers: People & Process, System, Network, Physical

Security is a Shared Responsibility
• AWS handles the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
• You define controls IN the Cloud: your applications and content, Network Security, Server Security, Data Security, Access Control
AWS Security Tools and Features
• AWS and its partners offer over 700 security services, tools and features
• They mirror the familiar controls you deploy within your on-prem environments
• Areas covered: customer applications & content, Oversight & Monitoring, Network Security, Server Security, Data Security, Access Control
Enforce Consistent Security on Servers
From the EC2 template catalog to a running instance, the controls you apply to your instance are: hardening, audit and logging, vulnerability management, malware and HIPS, whitelisting and integrity, user administration, and the operating system itself.
• Configure and harden EC2 instances to your own specs
• Use host-based protection software
• Manage administrative users
• Enforce separation of duties and least privilege
• Connect to your existing services, e.g. SIEM, patching
Create Flexible, Resilient, Segmented Environments
Your organization’s workloads, each in its own segment: project teams, marketing, business units, reporting, digital / websites, dev / test, analytics (Redshift, EMR), internal enterprise apps, and storage / backup (Amazon S3, Amazon Glacier).
Encrypt Your Sensitive Information
• Native encryption across services – S3, EBS, RDS, Redshift
– End-to-end SSL/TLS
• Scalable key management
– AWS Key Management Service (KMS): scalable, low-cost key management
– AWS CloudHSM: hardware-based, high-assurance key generation, storage and management
AWS Identity and Access Management
• Control access and segregate duties
• Control who can do what in your AWS environment, when and from where
• Fine-grained control of your AWS cloud with multi-factor authentication
• Integrate with existing MS Active Directory using federation and SSO
• Under the AWS account owner, separate roles for network management, security management, server management and storage management
AWS CloudTrail
• Consistent log visibility: full visibility of your AWS environment
• AWS CloudTrail records API calls and logs them to your S3 buckets, no matter how the API calls were made
• Who did what, when and from where
• CloudTrail supports most major AWS services
• Easily aggregate all log information
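As an added example (not from the deck, and not AWS or Imperva code), the script below turns CloudTrail records into the “who did what, when and from where” view the slide describes and flags the records a reviewer would want to see first. The records are constructed to mirror the CloudTrail JSON layout (real field names such as userIdentity, eventTime, eventName, eventSource, sourceIPAddress; made-up values), and the corporate IP ranges and the list of sensitive API calls are this example’s own assumptions.

```python
"""Answer "who did what, when and from where" from CloudTrail records.

Added example, not from the Imperva/AWS deck. SAMPLE_TRAIL is constructed:
the field names follow the CloudTrail record layout, the values are made up.
CORPORATE_RANGES and SENSITIVE_EVENTS are assumptions for illustration.
"""
import ipaddress
import json
from collections import Counter

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-06-01T12:00:00Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2015-06-01T12:05:00Z", "eventName": "DeleteTrail",
     "eventSource": "cloudtrail.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2015-06-01T12:07:00Z", "eventName": "PutBucketPolicy",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2015-06-01T12:09:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
]})

# Assumption: the organisation's egress ranges; anything else is "from elsewhere".
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: calls that weaken the audit trail or expose data; always worth a look.
SENSITIVE_EVENTS = {"DeleteTrail", "StopLogging", "UpdateTrail", "PutBucketPolicy"}


def actor(record):
    """Collapse userIdentity into a readable principal name."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "ROOT"
    return ident.get("userName") or ident.get("arn", "unknown")


def summarize(trail_json):
    """Return (who, what, when, where) for every record, oldest first."""
    records = json.loads(trail_json)["Records"]
    rows = [(actor(r), f'{r["eventSource"]}:{r["eventName"]}', r["eventTime"],
             r["sourceIPAddress"]) for r in records]
    return sorted(rows, key=lambda row: row[2])


def is_corporate(ip_text):
    """True when the source address falls inside one of the assumed corporate ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in CORPORATE_RANGES)


def findings(trail_json):
    """Return (reason, who, what, where) tuples a reviewer should look at."""
    out = []
    for r in json.loads(trail_json)["Records"]:
        who, what, where = actor(r), r["eventName"], r["sourceIPAddress"]
        if r["userIdentity"].get("type") == "Root":
            out.append(("root credentials used", who, what, where))
        if what in SENSITIVE_EVENTS:
            out.append(("sensitive API call", who, what, where))
        if what == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
            out.append(("console login without MFA", who, what, where))
        if not is_corporate(where):
            out.append(("call from outside corporate ranges", who, what, where))
    return out


def calls_per_actor(trail_json):
    """Activity count per principal: a first aggregation when trails are pooled."""
    return Counter(actor(r) for r in json.loads(trail_json)["Records"])


if __name__ == "__main__":
    for row in summarize(SAMPLE_TRAIL):
        print(*row)
    for f in findings(SAMPLE_TRAIL):
        print("FINDING:", *f)
```

In practice the JSON would come from the gzipped objects CloudTrail writes to the S3 bucket; the same functions apply once each file’s Records list has been loaded.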
Security at Amazon Web Services
• Security is job zero for AWS
• AWS takes care of the security OF the Cloud
• You define your controls IN the Cloud
• Compliance is more cost effective in AWS
• You can take advantage of over 700 services, tools and features from AWS and partners
• Partner offerings extend and enhance AWS security
3. Protecting Against Application-level Attacks
96% of applications have vulnerabilities
Source: Cenzic
OWASP Top 10 2013
Superior Protection Versus Next-Generation Firewalls
Accuracy against the OWASP Top 10 (for 2013)
Defenses Required to Protect Web Applications
• Correlated Attack Validation
• Virtual Patching
• DDoS Protection
• Dynamic Profiling
• Attack Signatures
• HTTP Protocol Validation
• Cookie Protection
• Technical Attack Protection
• Web Fraud Detection
• IP Geolocation Fraud Prevention
• IP Reputation
• Anti-Scraping Policies
• Bot Mitigation Policies
• Business Logic Attack Protection
Imperva SecureSphere: Dynamic Profiling™
By analyzing traffic, SecureSphere automatically learns…
• Directories
• URLs
• Parameters
• Expected user input
…so it can alert on or block abnormal requests.
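To make the idea concrete, here is an added example (this is not Imperva’s Dynamic Profiling code, whose internals the deck does not describe) of a learning profile: from a constructed set of clean requests it records the directories, URLs and parameters an application uses plus a coarse character class and length bound per parameter, then reports where a new request departs from that profile. The request format, the value classes and the LENGTH_SLACK factor are this example’s own assumptions.

```python
"""Profile-based request anomaly detection in the style of a learning WAF.

Added example; not Imperva's code. TRAINING is a constructed sample of
clean requests written as "METHOD /path?query". VALUE_CLASSES and
LENGTH_SLACK are assumptions made for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Ordered from most to least restrictive; a parameter gets the first class
# that every value seen during learning fits.
VALUE_CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("alpha", re.compile(r"^[A-Za-z]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_-]+$")),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")),
    ("any", re.compile(r"^.*$", re.S)),
]
CLASS_RX = dict(VALUE_CLASSES)
LENGTH_SLACK = 1.5  # assumption: tolerate values up to 1.5x the longest learned value

# Constructed clean traffic used to build the profile.
TRAINING = [
    "GET /catalog/item?id=1001",
    "GET /catalog/item?id=2048",
    "GET /catalog/search?q=laptop",
    "GET /catalog/search?q=usb-cable",
    "POST /account/login?user=alice&remember=1",
    "POST /account/login?user=bob_smith&remember=0",
]


def common_class(values):
    """Most restrictive class that every learned value fits."""
    for name, rx in VALUE_CLASSES:
        if all(rx.match(v) for v in values):
            return name
    return "any"


def split_request(line):
    """Parse 'METHOD /path?query' into (method, path, [(param, value), ...])."""
    method, target = line.split(" ", 1)
    parts = urlsplit(target)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)


def learn(request_lines):
    """Build {(method, path): {param: {"class": str, "max_len": int}}} from clean traffic."""
    observed = {}
    for line in request_lines:
        method, path, params = split_request(line)
        entry = observed.setdefault((method, path), {})
        for name, value in params:
            entry.setdefault(name, []).append(value)
    return {
        key: {name: {"class": common_class(vals), "max_len": max(len(v) for v in vals)}
              for name, vals in params.items()}
        for key, params in observed.items()
    }


def known_directories(profile):
    """Directories the application is known to serve, derived from learned URLs."""
    return {path.rsplit("/", 1)[0] or "/" for (_, path) in profile}


def check(profile, line):
    """Return violation strings for one request; an empty list means it fits the profile."""
    method, path, params = split_request(line)
    key = (method, path)
    if key not in profile:
        return [f"unknown URL {method} {path}"]
    expected = profile[key]
    problems = []
    for name, value in params:
        if name not in expected:
            problems.append(f"unexpected parameter {name!r}")
            continue
        spec = expected[name]
        if not CLASS_RX[spec["class"]].match(value):
            problems.append(f"{name!r}: value does not match learned class {spec['class']}")
        if len(value) > spec["max_len"] * LENGTH_SLACK:
            problems.append(f"{name!r}: length {len(value)} exceeds learned bound")
    return problems


PROFILE = learn(TRAINING)

if __name__ == "__main__":
    for req in ["GET /catalog/item?id=1001",
                "GET /catalog/item?id=1001%20OR%201%3D1",
                "GET /admin/export",
                "POST /account/login?user=alice&remember=1&debug=true"]:
        print(req, "->", check(PROFILE, req) or "ok")
```

A real profiler also has to decide when learning is complete and how to age out parameters that disappear; the deck’s “alert on or block” choice maps to whether check() feeds a log line or a reject decision.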
Imperva SecureSphere: Correlated Attack Validation™
Industrialized Hacking gives hackers extreme leverage
• 90% of security events come from known bad actors (Source: Imperva customers)
• 60%+ of website traffic is non-human (Source: Imperva)
SecureSphere ThreatRadar
• Global Threat Intelligence Service
• Globally crowdsourced
• Curated by Imperva ADC
• Adds “god’s-eye” context of the threat landscape to the WAF
SecureSphere ThreatRadar
• More productive, more focused security engineering team
• Cut infrastructure costs
• Demonstrate better security posture
Globally Crowdsourced
• Malicious IPs
• Phishing URLs
• Anonymous Proxy
• Tor IPs
• Comment Spam IPs
• RFI IP Forensics
• SQLi IPs
• Scanner IPs
• Scraping Bots
• Credit Card Cycling
• Registration Bots
A Leader: Gartner Magic Quadrant for Web Application Firewalls
Gartner “Magic Quadrant for Web Application Firewalls” by Jeremy D'Hoinne, Adam Hils, Greg Young, Joseph Feiman, 17 June 2014. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Imperva. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
4. Easy Deployment on AWS
Imperva Approach to the Cloud
• Customer-facing applications are moving to IaaS or PaaS providers (“external” use)
• Employee-facing applications are SaaS and cloud apps (“external” use)
• Traditional data center (“internal” use)
AWS Validated Reference Architecture: AWS + SecureSphere + SkyFence + Incapsula
• Internet traffic enters the virtual private cloud through Elastic Load Balancing
• An Auto Scaling Group of WAF EC2 instances, spread across Availability Zones, inspects the traffic
• A second Elastic Load Balancing tier forwards it to an Auto Scaling Group of web application EC2 instances, also spread across Availability Zones
• Also shown: S3 buckets and an AWS Management Console user administering the environment
Imperva SecureSphere Leverages Key AWS Features
Key capabilities:
• Elastic Load Balancing load balances traffic and supports Auto Scaling
• CloudFormation streamlines deployment
• CloudWatch monitors SecureSphere instances
Topology: Amazon ELB → SecureSphere scaling group → Amazon ELB → web servers, repeated in Availability Zone 1 and Availability Zone 2
Major Digital Media and Online Gaming Company
Company successfully rolls out highly-anticipated new product
• Company anticipated a massive, unknown volume of traffic to the online store and the servers supporting the gaming console functionality
• Online store was hosted in AWS with no protection, preventing launch before Xmas
• Once the cloud was exposed to the world (product launch), the hackers and attacks would start immediately
• Company had previously been breached
• Imperva technology preview 6 months before GA
• Deployment was scaled well beyond expectations
– 1 million units sold Thanksgiving weekend, 4 million by Christmas
– Originally sized at 4-8 instances, eventually scaled to 120 during the holidays
– Time-to-deploy: from many weeks/years to minutes/hours (no tickets/approvals or waiting for services)
– AWS environment managed by 2 FTE, instead of 4+ in a physical data center
More Information – www.imperva.com
• AWS Test Drive
• AWS Validated Reference Architecture
• 30 Days of AWS WAF for free
• Demo Skyfence and Incapsula