Extend Enterprise Application-level Security to Your AWS Environment

© 2015 Imperva, Inc. All rights reserved. Application Security in Your AWS Environment. Chris Grove, Director of Solutions Architecture, Imperva; Matt Yanchyshyn, Sr. Manager Solutions Architecture, AWS. June 2015

Upload: imperva

Post on 04-Aug-2015

TRANSCRIPT

Page 1: Extend Enterprise Application-level Security to Your AWS Environment

Application Security in Your AWS Environment

Chris Grove, Director of Solutions Architecture, Imperva

Matt Yanchyshyn, Sr. Manager Solutions Architecture, AWS

June 2015

Page 2: Extend Enterprise Application-level Security to Your AWS Environment

Speakers

Matt Yanchyshyn Sr. Manager Solutions Architecture, AWS

Chris Grove Director of Solutions Architecture, Imperva

Page 3: Extend Enterprise Application-level Security to Your AWS Environment

Today’s Threat Landscape 1

Page 4: Extend Enterprise Application-level Security to Your AWS Environment

Hackers Exploiting Same Old Vulnerabilities

“99.9% OF THE EXPLOITED VULNERABILITIES WERE COMPROMISED MORE THAN A YEAR AFTER THE CVE WAS PUBLISHED.”

Source: Verizon 2015 Data Breach Investigation Report

Page 5: Extend Enterprise Application-level Security to Your AWS Environment

The Spending Disconnect

The Threats Have Changed

90’s

Threats: Script Kiddies, “Digital Graffiti”, Backdoors, Viruses

Security Spend: Anti-virus, Firewall / VPN, Content Filtering, IDS / IPS

Page 6: Extend Enterprise Application-level Security to Your AWS Environment

The Spending Disconnect

The Threats Have Changed

Security Spending Hasn’t

90’s

Threats: Script Kiddies, “Digital Graffiti”, Backdoors, Viruses

Security Spend: Anti-virus, Firewall / VPN, Content Filtering, IDS / IPS

2015

Threats: Industrialized Hackers, Organized Criminals, Cyber Espionage, DDoS

Security Spend: Anti-virus, Firewall / VPN, Secure Email/Web, IPS

Page 7: Extend Enterprise Application-level Security to Your AWS Environment

Amazon Web Services Security 2

Page 8: Extend Enterprise Application-level Security to Your AWS Environment

Security is Job Zero at AWS

Familiar Security Model

Validated and driven by customers’ security experts

Benefits all customers

PEOPLE & PROCESS

SYSTEM

NETWORK

PHYSICAL

Page 9: Extend Enterprise Application-level Security to Your AWS Environment

Security is a Shared Responsibility

You define controls IN the Cloud

Customer applications and content; Network Security; Server Security; Data Security; Access Control

AWS handles the security OF the Cloud

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 10: Extend Enterprise Application-level Security to Your AWS Environment

AWS Security Tools and Features

Customer applications & content

Oversight & Monitoring

Network Security

Server Security

Data Security

Access Control

AWS and its partners offer over 700 security services, tools and features

Mirror the familiar controls you deploy within your on-prem environments

Page 11: Extend Enterprise Application-level Security to Your AWS Environment

Enforce Consistent Security on Servers

EC2

Template catalog

Running instance Your instance

Hardening

Audit and logging

Vulnerability management

Malware and HIPS

Whitelisting and integrity

User administration

Operating system

Configure and harden EC2 instances to your own specs

Use host-based protection software

Manage administrative users

Enforce separation of duties and least privilege

Connect to your existing services, e.g. SIEM, patching

Page 12: Extend Enterprise Application-level Security to Your AWS Environment

Create Flexible, Resilient, Segmented Environments

Your organization

Project Teams Marketing

Business Units Reporting

Digital / Websites

Dev / Test Redshift EMR

Analytics

Internal Enterprise Apps

Amazon S3

Amazon Glacier

Storage/ Backup

Page 13: Extend Enterprise Application-level Security to Your AWS Environment

Encrypt Your Sensitive Information

• Native encryption across services

–  S3, EBS, RDS, Redshift

–  End to end SSL/TLS

• Scalable Key Management

–  AWS Key Management Service (KMS): scalable, low cost key management

–  AWS CloudHSM: hardware-based, high-assurance key generation, storage and management

Page 14: Extend Enterprise Application-level Security to Your AWS Environment

AWS Identity and Access Management

Control access and segregate duties

Control who can do what in your AWS environment, when and from where

Fine-grained control of your AWS cloud with multi-factor authentication

Integrate with existing MS Active Directory using federation and SSO

AWS account owner

Network management, Security management, Server management, Storage management

Page 15: Extend Enterprise Application-level Security to Your AWS Environment

AWS CloudTrail

Consistent log visibility

Full visibility of your AWS environment

•  AWS CloudTrail records API calls and logs to your S3 buckets, no matter how the API calls were made

Who did what and when and from where

•  CloudTrail supports most major AWS services

•  Easily aggregate all log information

Page 16: Extend Enterprise Application-level Security to Your AWS Environment

Security at Amazon Web Services

•  Security is job zero for AWS

•  AWS takes care of the security OF the Cloud

•  You define your controls IN the Cloud

•  Compliance is more cost effective in AWS

•  You can take advantage of over 700 services, tools and features from AWS and partners

•  Partner offerings extend and enhance AWS security

Page 17: Extend Enterprise Application-level Security to Your AWS Environment

Protecting Against Application-level Attacks 2

Page 18: Extend Enterprise Application-level Security to Your AWS Environment

96% of applications have vulnerabilities

Source: Cenzic

Page 19: Extend Enterprise Application-level Security to Your AWS Environment

OWASP Top 10 2013

Page 20: Extend Enterprise Application-level Security to Your AWS Environment

Superior Protection Versus Next-Generation Firewalls

OWASP Top 10 (for 2013)

Page 21: Extend Enterprise Application-level Security to Your AWS Environment

ACCURACY

Defenses Required to Protect Web Applications

Page 22: Extend Enterprise Application-level Security to Your AWS Environment

Defenses Required to Protect Web Applications

Correlated Attack Validation

Virtual Patching

DDoS Protection

Dynamic Profiling

Attack Signatures

HTTP Protocol Validation

Cookie Protection

Technical Attack Protection

Web Fraud Detection

IP Geolocation Fraud Prevention

IP Reputation

Anti-Scraping Policies

Bot Mitigation Policies

Business Logic Attack Protection

Page 23: Extend Enterprise Application-level Security to Your AWS Environment

By analyzing traffic, SecureSphere automatically learns…

Directories

URLs

Imperva SecureSphere: Dynamic Profiling™

Page 24: Extend Enterprise Application-level Security to Your AWS Environment

By analyzing traffic, SecureSphere automatically learns…

Directories

URLs

Parameters

Expected user input

So it can alert on or block abnormal requests

Imperva SecureSphere: Dynamic Profiling™
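
The learn-then-enforce idea on the Dynamic Profiling slides, sketched as an added example that is not from the deck and is not Imperva's implementation: a small Python profiler learns URLs, parameters and the expected shape of user input from constructed sample traffic, then reports requests that deviate. The `Profile` class, its three character classes and the length slack factor are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

RANK = {"digits": 0, "word": 1, "free": 2}   # strictest to loosest

def char_class(value):
    # Coarse type of a parameter value (an illustrative assumption).
    if value == "" or value.isdigit():
        return "digits"
    if value.replace("_", "").replace("-", "").isalnum():
        return "word"
    return "free"

class Profile:
    # Learned model: path -> {parameter: (char class, max length)}
    def __init__(self, urls=(), length_slack=2):
        self.params, self.length_slack = defaultdict(dict), length_slack
        for url in urls:
            self.learn(url)

    def learn(self, url):
        parts = urlsplit(url)
        known = self.params[parts.path]          # records the URL itself
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            cls, max_len = known.get(name, ("digits", 0))
            cls = max(cls, char_class(value), key=RANK.get)
            known[name] = (cls, max(max_len, len(value)))

    def check(self, url):
        # Returns the deviations from the profile; an empty list means normal.
        parts = urlsplit(url)
        if parts.path not in self.params:
            return [f"unknown URL {parts.path}"]
        known, findings = self.params[parts.path], []
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name not in known:
                findings.append(f"unknown parameter {name}")
                continue
            cls, max_len = known[name]
            seen = char_class(value)
            if RANK[seen] > RANK[cls]:
                findings.append(f"{name}: expected {cls}, got {seen}")
            if len(value) > max_len * self.length_slack:
                findings.append(f"{name}: length {len(value)} exceeds learned {max_len}")
        return findings

# Constructed sample traffic for the learning phase (not from the slides).
TRAINING = ["/shop/item?id=1042", "/shop/item?id=7&ref=home-page",
            "/shop/search?q=blue+shoes", "/account/login"]
```

A profile built with `Profile(TRAINING)` returns an empty list for requests that match what was learned; whether a non-empty result is alerted on or blocked is a policy decision outside this sketch.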

Page 25: Extend Enterprise Application-level Security to Your AWS Environment

Imperva SecureSphere: Correlated Attack Validation™

Page 26: Extend Enterprise Application-level Security to Your AWS Environment

Industrialized Hacking gives hackers extreme leverage

Page 27: Extend Enterprise Application-level Security to Your AWS Environment

90% of security events from known bad actors

Source: Imperva Customers

Page 28: Extend Enterprise Application-level Security to Your AWS Environment

90% of security events from known bad actors

Source: Imperva Customers

60%+ of website traffic is non-human

Source: Imperva

Page 29: Extend Enterprise Application-level Security to Your AWS Environment

SecureSphere ThreatRadar

•  Global Threat Intelligence Service

•  Globally crowdsourced

•  Curated by Imperva ADC

•  Adds “god’s-eye” context of threat landscape to WAF

Page 30: Extend Enterprise Application-level Security to Your AWS Environment

SecureSphere ThreatRadar

More productive, more focused security engineering team

Cut infrastructure costs

Demonstrate better security posture

Page 31: Extend Enterprise Application-level Security to Your AWS Environment

Globally Crowdsourced

Malicious IPs

Phishing URLs

Anonymous Proxy

ToR IPs

Comment Spam IPs

RFI IP Forensics

SQLi IPs

Scanner IPs

Scraping BOTS

Credit Card Cycling

Registration BOTS

Page 32: Extend Enterprise Application-level Security to Your AWS Environment

Gartner “Magic Quadrant for Web Application Firewalls” by Jeremy D'Hoinne, Adam Hils, Greg Young, Joseph Feiman, 17 June 2014. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Imperva. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

A LEADER Gartner Magic Quadrant for Web Application Firewalls

Page 33: Extend Enterprise Application-level Security to Your AWS Environment

Easy Deployment on AWS 4

Page 34: Extend Enterprise Application-level Security to Your AWS Environment

Imperva Approach to the Cloud

Customer-facing Applications Moving to IaaS or PaaS providers

Employee-facing Applications are SaaS and Cloud Apps

Traditional Data Center

Diagram labels: “Internal” use, “External” use, “External” use

Page 35: Extend Enterprise Application-level Security to Your AWS Environment

AWS Validated Reference Architecture

AWS + SecureSphere + SkyFence + Incapsula

Diagram labels: Internet, AWS Management Console user, virtual private cloud, Elastic Load Balancing, Availability Zone, Auto Scaling Group, WAF EC2 Instances, Web Application EC2 Instances, S3

Page 36: Extend Enterprise Application-level Security to Your AWS Environment

Imperva SecureSphere Leverages Key AWS Features

Key Capabilities

§  Elastic Load Balancing load balances traffic and supports Auto-Scaling

§  CloudFormation streamlines deployment

§  CloudWatch monitors SecureSphere instances

Diagram labels: Amazon ELB, Web servers, Scaling Group, Availability Zone 1, Availability Zone 2

Page 37: Extend Enterprise Application-level Security to Your AWS Environment

Major Digital Media and Online Gaming Company

•  Company anticipated a massive unknown volume of traffic to the online store and the servers supporting the gaming console functionality

•  Online store was hosted in AWS with no protection, preventing launch before Xmas

•  Once the cloud was exposed to the world (product launch), the hackers and attacks would start immediately

•  Company had previously been breached

•  Imperva technology preview 6 months before GA

•  Deployment was scaled well beyond expectations

–  1 million units sold Thanksgiving weekend, 4 million by Christmas

–  Originally sized at 4-8 instances, eventually scaled to 120 during holidays

–  Time-to-deploy: from many weeks/years to minutes/hours (no tickets/approvals or waiting for services)

–  AWS environment managed by 2 FTE, instead of 4+ in physical data center

Company successfully rolls out highly-anticipated new product

Page 38: Extend Enterprise Application-level Security to Your AWS Environment

More Information – www.imperva.com

•  AWS Test Drive

•  AWS Validated Reference Architecture

•  30 Days of AWS WAF for free

•  Demo Skyfence and Incapsula

5

Page 39: Extend Enterprise Application-level Security to Your AWS Environment