Keeping up with the Revolution in IT Security
Download as PPTX, PDF1 like394 views
The document discusses the evolution and complexities of IT security, emphasizing the need for advanced security measures to combat increasingly sophisticated threats, particularly from bots and emerging web applications. It highlights the importance of integrating API security, mobile site protection, and data management within cloud environments to prevent data breaches and enhance overall security postures. Additionally, it suggests tailored solutions, such as behavioral modeling and inline fingerprinting, to effectively detect and mitigate malicious bot traffic while maintaining legitimate user experience.
Keeping up with the Revolution in IT Security
- 1. Keeping up with the Revolution in IT Security
- 2. Speakers Rami Essaid CEO & Co-founder
- 3. A brief look at previous evolution in IT security Key trends in app development The impact of these trends The potential future of IT security solutions Agenda
- 4. The Evolution of IT Security Endpoint Security Network Security Application Security Blocking threats targeting devices Blocking threats trying to access networks Blocking threats using targeting web applications
- 5. The Proliferation of Web APIs The rise of API driven development is making web APIs more common than ever API App Data Provisioning Configuration Reporting Integration Social Media Mobile app
- 6. Web APIs need to be included in Security Strategy API Security can prevent Malicious and unacceptable API usage API developer errors from running wild Automated API scraping from stealing content
- 7. Bad guys get more tools to leverage when building attacks and bad bots Web Browsers are Becoming More Complex The Evolution of the Web Browser versions and their Technologies Source: http://www.evolutionoftheweb.com
- 8. Advanced bots use browser capabilities to evade detection and mimic human behavior The Impact of Modern Browsers on Security Bad Bot Sophistication levels, 2014
- 9. Leverage Tools Capable of Detecting Advanced Bots Traditional security solutions (FW, IPS, WAF, etc.) typically lack the proper client visibility necessary to effectively identify advanced bots Identifying advanced bots and browser automation requires specialized techniques Approaches to Detecting Bots, by Tier
- 10. Modern applications are geographically distributed with data centers wherever customer bases are concentrated Deployments leverage multiple types infrastructure (clouds, on-prem, hybrid, multi- cloud, etc.) Architectures are Increasingly Distributed
- 11. Flexible deployment options enable complete coverage of diverse web estates Protection should be standardized across all deployments and infrastructure Security precautions must to be interconnected to share data, not siloed or isolated Defenses Need to be Interconnected and Versatile
- 12. Web applications include a wide variety of frameworks, 3rd party code bases, and plug-ins Each code base adds potential vulnerabilities into your application Not all software vendors have the same security controls Diversity and Complexity of Application Stacks
- 13. Assume your application stack is vulnerable Patch. Patch. Patch. Minimize the use of 3rd party code Do not allow unauthorized vulnerability scans Protecting your Stack from Penetration
- 14. In a post Snowden world, roughly 9% of Americans have adopted sophisticated steps to shield their information* such as: ○ Using a TOR network ○ Using a proxy server ○ Using a VPN to obscure origin IP Addresses Attackers also obfuscate traffic sources with IP Spoofing or using large pools of globally distributed origin IPs Anonymous Traffic Sources Becoming More Commonplace Source: *Americans’ Attitudes About Privacy, Security and Surveillance, Pew Research Center, 2015
- 15. IP Blocking not effective when dealing with modern threats Device fingerprinting provides distinct advantages like ○ Tracking attackers across IP addresses ○ Detecting bots through anonymous proxy networks ○ Reducing false positives associated with humans anonymizing themselves Advanced Fingerprinting Replacing IP Blocking
- 16. Seemingly legitimate IPs and user agents may be imposter bots Access Control Lists (ACLs) are no longer useful because attackers regularly change IP addresses Manually updating white/black lists to keep up is tedious and short lived Access Control Lists have become too Reactive Whitelist Blacklist Everything Else?
- 17. Community sourced attack data aggregation provides more accurate data source for enforcement Machine learning and self configuration greatly reduced security maintenance overhead Community Sourced Intelligence Improves Accuracy
- 18. Mobile users now outnumber desktop users Mobile clients are now being used to launch attacks Mobile sites tend to be easier to scrape ○ Less superfluous content ○ Highly structured and easy to navigate layouts Mobile Growth Brings With it Mobile Threats Source: Comscore, The US Mobile App report
- 19. Mobile Bots Arrive in Droves Bad Bot Self-Reported Browser, 2014 Actual Browser Usage, 2014
- 20. Worst Offending Mobile Carriers, Beware of China Bad Bot Traffic as Percent of Overall Traffic, U.S., China and Rest of World
- 21. Precautions should be implemented to extend security strategies to cover mobile websites Mobile clients need to be subjected to the same scrutiny as other users Mobile Should not be Overlooked
- 22. Increasing amounts of data exist in the cloud and with cloud service providers What is their data retention policy? What controls are placed around this data? Is your web app being exploited to access it? Proliferation of Data in the Cloud Poses a Security Risk
- 23. Avoid storing excessive sensitive data in the cloud Understand how your cloud service vendors work Use strong passwords Encrypt data Don’t let bots scrape your database Keeping Data in the Cloud Safe
- 24. The Ashley Madison breach released 32 million log-in credentials into the wild Account takeover and transaction fraud have significantly increased Lost or stolen credentials were already the top cause of data breaches since 2010 Online Fraud Boosted by Ashley Madison Breach Source: VBIR 2105
- 25. Bots are typically employed to try password combinations at other sites looking for valid combos Implement tools or application code which can rate-limit login attempts Fingerprinting can be used to correlate login attempts using multiple IPs Prevent Brute Force Password Attempts
- 26. Recapping the Trends and Security Implications Trends IT Security Implications API centric development API security Complexity of browsers Protection from advanced bots and browser automation Distributed environments Interconnected tools, deployment flexibility Complexity of application stacks Patching and blocking reconnaissance attacks Anonymous browsing Device fingerprinting Access control lists too reactive Community source data feeds, self tuning Mobile growth Mobile client screening and mobile site security Data in the cloud Retention policies, encryption, scaping protection Fraud on the rise Brute force account takeover protection
- 27. The First Easy and Accurate Way to Defend Websites Against Malicious Bots About Distil Networks
- 28. The World’s Most Accurate Bot Detection System Inline Fingerprinting Fingerprints stick to the bot even if it attempts to reconnect from random IP addresses or hide behind an anonymous proxy. Known Violators Database Real-time updates from the world’s largest Known Violators Database, which is based on the collective intelligence of all Distil-protected sites. Browser Validation The first solution to disallow browser spoofing by validating each incoming request as self-reported and detects all known browser automation tools. Behavioral Modeling and Machine Learning Machine-learning algorithms pinpoint behavioral anomalies specific to your site’s unique traffic patterns.
- 29. How Companies Benefit from Distil Increase insight & control over human, good bot & bad bot traffic Block 99.9% of malicious bots without impacting legitimate users Slash the high tax bots place on internal teams & web infrastructure Protect data from web scrapers, unauthorized aggregators & hackers
- 30. www.distilnetworks.com/trial/ Offer Ends: October 25th Two Months of Free Service + Traffic Analysis
- 31. www.distilnetworks.com QUESTIONS….COMMENTS? I N F O @ D I S T I L N E T W O R K S . C O M 1.866.423.0606 OR CALL US ON
Editor's Notes
- #5: Security has evolved alongside technological advances since the dawn of computing. The first wave was endpoint security with companies like Symantec, McAfee, etc. The second major wave of innovation in IT security was Network security which brought with it companies like Checkpoint, Cisco, Palo Alto Networks. The Third wave was companies looking to protect applications by inspecting HTTP traffic. This includes companies like Imperva, Akamai, F5, etc. This presentation will explore some trends in IT security which may shape what the future of IT security may hold.
- #6: The first trend we’ll discuss is an API Centric approach to application development. Many modern apps are more like a shell or UI layer to which content is piped over an API. They also make heavy use of APIs to connect to external solutions for automation.
- #7: Although APIs are more prevalent than they used to be, they many not have the same level of security as the applications themselves. API Security should be part of every corporation’s security strategy. It can prevent several major security and performance issues (listed on the slide).
- #8: The graph is showing an increase in features of various browsers over time. The important thing to note is how much new tech has been coming out recently. This gives hackers ample tools to create really advanced bots and automated attacks which can perform a wide variety of attacks such as Session hijacking, click fraud and other. It also makes these bots harder to identify.
- #9: Taking a look at the data from our bot report we can see that almost 1 in 4 bad bots has reached the level of “sophisticated” and that as much as 41% are able to mimic human behavior.
- #10: How do we protect against this? Traditional security isn’t cutting it because it was not designed to deal with this problem. Most WAFs are designed specifically to protect against threats like the OWASP top 10 and do so with a rules based approach. Advanced bots on the other hand, fly under the radar of these tools because they appear to be human and are not performing attacks which trigger Web app attack rulesets. Identifying these bots requires using a variety of approaches, that become more advanced as the bots become more sophisticated.
- #11: Infrastructures are becoming more distributed. Applications sometimes run on multiple platforms, deployed in clouds, on-premise, in multiples or some combination thereof. Applications are also architectured to handle traffic from anywhere on the globe, which typically results in multiple data centers or cloud availability zones selected to cater to concentrations of users.
- #12: Due to the distributed nature of application deployment, there are extra requirements put on security vendors to be effective. They must be flexible to cover any type of deployment a customer may have, such that all deployments or instances are able to share the same security benefits. Additionally, this security needs to communicate amongst itself, instead of being siloed at each deployment or installation site. Tools that should work with multiple kinds of deployment environments.
- #15: http://www.pewinternet.org/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/
- #19: Rami: As you can see from the data about mobile bad bot traffic, you’re going to want to protect your mobile site. Craig: Why the increase in bad bot mobile traffic? One reason is that mobile sites are easier to scrape. The same characteristics that make a mobile optimized site easy to quickly navigate for humans also makes them prime targets for bad bots. Mobile sites tend to be easier to scrape because they provide more structured access to website data.
- #20: Rami: 2014 is the first year that bots masking themselves as mobile web users arrived in droves. The Android Webkit Browser, at 4.87%, entered into the Top 5 list of user agents leveraged by bad bots to hide their identities. We hadn’t see that before. Craig: Why the surge in mobile bots? Rami: Craig: It looks like Firefox was the most reported browser by bad bots, yet Chrome is the clear winner a among human users. Similarly, it looks like IE is used twice as much by bots as by humans. Why? Rami:
- #21: Rami: Overall, mobile bot traffic from U.S. mobile carriers (as a percentage of their overall traffic) was roughly on par with the rest of the world during 2014. The real outlier was China with over 30% bad bot traffic. Craig: Why is China so high? Rami: This is due in large part because very few of websites out outside of China cater to the Chinese market. So, traffic that hits their origin servers from China has a higher propensity to be bad bot traffic.
- #23: (AT&T example - phone number and zip code to obtain cust data)
- #24: Dont’ put unneccesary info into the cloud Make sure to talk with your vendors, read their terms of service, understand their security controls Use strong passwords on your accounts encrypt your data. Work with vendors who support encryption Block bots so they cannot scrape your database. (Insert AT&T example here) Make sure that the web application is secure so the data cant be pulled from that Lock down data from export, harvesting, even for authorized users
- #25: According to the 2011 to 2015 Verizon Breach Investigation Reports, Lost or Stolen credentials has been the #1 cause of data breaches. 2015 is likely to continue this trend due to Ashley Madison. http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf You can remove that graph if you’d like.
- #28: Transition slide back to Rami
- #29: Slide owner: Rami
- #30: Slide Owner: Rami