Protecting web aplications with machine learning and security fabric
Download as PPT, PDF0 likes447 views
FortiWeb is a web application firewall that provides three key layers of protection: 1) Anomaly detection using machine learning to identify abnormal traffic patterns without blocking benign anomalies. 2) Threat detection using pattern analysis and FortiGuard threat models to block known attacks. 3) Virtual patching to block exploits of known vulnerabilities in applications until they can be fully patched. FortiWeb integrates with the Fortinet Security Fabric to provide broader visibility, protection, detection, and response for web applications and the digital attack surface.
Protecting web aplications with machine learning and security fabric
- 1. First law of software quality errors = (more code)2 E = mc2 1
- 2. © Copyright Fortinet Inc. All rights reserved. Protecting Web Applications with Machine Learning and Security Fabric Timo Lohenoja, CISSP Systems Engineer timo@fortinet.com
- 3. 3 of all data breaches were as a result of a Web Application Attacks 29% Verizon Data Breach Investigations Report 2017
- 4. 4 increase in Web Application Attacks in 2017 compared to 201669% Akamai State of the Internet Security Report 2017
- 5. 5 of all Web Applications will be protected by a WAF by 2020 70% Gartner
- 6. 6
- 7. 7 Verizon Data Breach Investigations Report 2017 Web Applications Attacks Web Application attacks are common Web Application attacks often result in data breaches
- 8. 8 Websites have changed That was then Websites used to be: • Relatively static content • Limited user interaction • Content consisting mainly of HTML and images • Accessed by limited set of browsers and OS This is now Websites are now: • Very dynamic content • Highly interactive • Lots of scripting, two way data transfers, media rich • Accessed by thousands of client types Far greater need for WAF protection
- 9. 9 What is a WAF? Unauthorised Access DDoS Good Visitor Known Threat Malware Upload Vulnerability Exploit Unknown Threat Web Server Web Server Database Protected Web ApplicationsUntrusted Sources A WAF filters HTTP traffic between
- 10. 10 Operating System Mid-tier Software Scripting Language CMS Libraries Frameworks Scripting Language Database Your Web Application Web Server Software Is Your Web Application on a Secure Foundation? Vulnerabilities? Vulnerabilities? Vulnerabilities? Vulnerabilities? Vulnerabilities? Vulnerabilities? Vulnerabilities? Vulnerabilities? Vulnerabilities? Mitigate Application Layer Vulnerabilities with FortiWeb
- 11. 11 Traditional Vulnerability Patching can take Months WEB APPLICATION User ID: Password: LOGIN User Name ••••••••••••• Attackers target known exploits and develop new ones Development time to patch can take weeks to months EXPLOIT Time to issue patch can take weeks to even months Inherited legacy apps may not have development expertise DATA BREACH APPLICATION OUTAGE SPREAD MALWARE THEFT OF CREDENTIALS
- 12. 12 Some Security Features of the “FortiWeb” WAF What we’ll cover today is just the tip of the iceberg
- 13. 13 Layered, Correlated, Weighted Protection ATTACKS/THREATS APPLICATION CORRELATION IP REPUTATION BOTNETS, MALICIOUS HOSTS, ANONYMOUS PROXIES, DDOS SOURCES DDOS PROTECTION APPLICATION LEVEL DDOS ATTACKS PROTOCOL VALIDATIONIMPROPER HTTP RFC ATTACK SIGNATURES KNOWN APPLICATION ATTACK TYPES ANTIVIRUS/DLP VIRUSES, MALWARE, LOSS OF DATA BEHAVIORAL VALIDATION UNKNOWN APPLICATION ATTACKS WITH MACHINE LEARNING ADVANCED PROTECTIONSCANNERS, CRAWLERS, SCRAPERS, CREDENTIAL STUFFING INTEGRATION FORTIGATE AND FORTISANDBOX APT DETECTION User/DeviceThreatScoring
- 14. 14 FortiWeb Typically Deployed in Front of Web Servers FortiGuard • WAF Signatures • IP Reputation • Antivirus • Credential Stuffing Defense • FortiSandbox Cloud Web Servers FortiGate FortiWeb
- 15. 15 FortiWeb Form Factors Multiple options for maximum deployment flexibility Appliances • 7 models • 25 Mbps to 20 Gbps • Support for 10GE Public Cloud • 4 VM models • BYOL and On-demand • AWS, Azure, Google Cloud Virtual Machines • 4 VM models • CPU-based • Perpetual licensing • VMware, Hyper-V, Xen, Citrix Xenserver, KVM SaaS • Subscription • Based on throughput and number of sites • Hosted by Fortinet Container • 4 virtual appliances • 25 Mbps to 2 Gbps • Docker support Partner Rules • 4 packages • Add on to AWS WAF • Basic to complete OWASP Top 10 protection WAF
- 16. 16 FortiWeb Cloud – SaaS Web Application Firewall Web Server FortiWeb Cloud WAF “Lite” focused on quick setup and minimal day-to-day operations Hosted by Fortinet Web-based management Flexible pricing based on throughput and number of sites Benefits No hardware/software to manage Buy only what is needed ”Set and forget” WAF Simplified and fast deployment Great for SMB Web Applications, Distributed Applications, and Enterprise DevOps Testing Environments
- 17. 17
- 18. 18 The Gap between CVE and Patch Edgescan Vulnerability Statistics Report 2018
- 19. 19
- 20. 20 Bridging the Gap with Virtual Patching • Scanner detects vulnerability on webser ver FortiWeb blocks exploit attempt 3rd Party Vulnerability Scanners Supported for Virtual Patching Acunetix HP WebInspect IBM AppScan WhiteHat Qualys Telefonica FAAST 3rd Party Vulnerability Scanner Web Servers Scan Vulnerability Info Exploit Attempt • Exploit attempt is blocked by Fortiweb • Vulnerability information imported into Fortiweb and it generates mitigation policy
- 21. 21 Developing an Effective WAF Policy With Machine Learning Without Machine Learning
- 22. 22 The Next Generation of Web Application Protection Weaknesses • Limited HTTP understanding • No session awareness • No application awareness • No user awareness • No false positive tuning • Limited WAF feature sets FW/IPS FortiGate and Competitors WAF FortiWeb and Competitors Strengths • Signatures + auto scanning • Aware of application elements • Knows normal traffic patterns • Detects anomalies 100% Signature-based Application Learning Strengths • Single device • Known attack detection • Simplified ”1-click” deployment Weaknesses • High false positive detections • Labor intensive to fine tune • Learning not 100% reliable • Changes require re-learning MACHINE LEARNING
- 23. 23 Traditional WAF Application Learning Detection THREAT DETECTION Application Traffic Whitelist matching using observed request traffic during “learning windows” = Normal Request = Benign Anomaly = Threat ✘ ✘ ✘ All Anomalies BLOCKED Blocked Request Traffic (with false positives) Allowed Request Traffic (with false negatives) Known Issues/Limitations • Blocking all anomalies leads to high false positives • Accuracy requires labor intensive fine tuning • Unobserved variations trigger anomalies • Whitelisting characters used in attacks leads to threats evading detection • Changes to application require relearning
- 24. 24 FortiWeb Employs 2 Layers of Machine Learning ANOMALY DETECTION Application Traffic ✘ ✘ ✘ Statistical probability analysis based on observed application traffic over time = Normal Request = Benign Anomaly = Threat Anomalies Allowed Normal Request Traffic THREAT DETECTION Pattern analysis matching based on FortiGuard trained and curated threat models Threats BLOCKED Normal and Benign Traffic
- 25. 25 How FortiWeb ML Works - Simplified ATTACKS Anomalies Normal Application Traffic User sends ”Mark Smith” in application form field for NAME FortiWeb ML expects letters only in this field. FortiWeb ML see this as Normal Application Traffic ALLOWED User accidentally sends ”Janette Smit&” in application form field for NAME FortiWeb ML predicts that this as an Anomaly from normally expected field entries but not a threat ALLOWED User sends ”SELECT *.* FROM CUSTOMER” in application form field for NAME FortiWeb ML with FortiGuard SVM predicts that this as an Anomaly AND AN ATTACK BLOCKED FortiWeb ML matches entry against characters normally expected for the field and typical length of field entry Support Vector Machine (SVM) separates threats from anomalies using vector patterns from FortiGuard Labs https://www.example.com/insert?firstname=Mark&lastname=Smith https://www.example.com/insert?firstname=Janette&lastname=Smit& https://www.example.com/insert?firstname=”SELECT *.* FROM CUSTOMER”
- 26. 26 FortiWeb Machine Learning New Machine Learning Automated Security ● New Application profiling ● Automatically adjust profile based on application changes ● Automated positive security ● Increased accuracy levels. ● Addresses most Auto Learn current limitations.
- 27. 27 FortiView for FortiWeb Visual tools that quickly display suspicious activity and provide unique threat insights including: » Origin of threats » Common violations » Client/device risks. Real time log and drill down analytics » Server/IP configurations » Attack and traffic logs » Attack maps » User/device activity Based FortiOS FortiView First of its kind in the WAF market
- 28. 28 Benefits of FortiWeb with Machine Learning • Near 100% application threat detection accuracy • Virtually no resources required deploy and fine tune FortiWeb • Detects attacks that application learning-based WAFs cannot • Adjusts automatically as applications change • Almost a ”Set and Forget” WAF
- 30. 30
- 31. 31 Fortinet Security Fabric A Security Architecture that provides: BROAD Visibility & Protection of the Digital Attack Surface INTEGRATED Detection of Advanced Threats AUTOMATED Response & Continuous Trust Assessment Delivered as: Appliance Virtual Machine Hosted Cloud Software
- 32. 32 Network Security Multi-Cloud Security Endpoint Security Email Security Web Application Security Secure Unified Access Advanced Threat Protection Management & Analytics FortiOS 6.0 FortiClient 6.0 FortiWeb 6.0 FortiMail Secure Email Gateway FortiSandbox 3.0 FortiAnalyzer 6.0 FortiManager 6.0 FortiSIEM 5.0 FortiOS 6.0 FortiAP 6.0 FortiSwitch 6.0 Endpoint IoTMulti Cloud Applications Web Unified Access Email Threat Protection Advanced Management Analytics FortiCASB 1.2 The Broadest Security Portfolio in the Industry Built from the ground up to deliver true integration end-to-end Network Access Control
- 33. 33 UsersZone FortiMail ThreatActor FortiWeb FortiGate FortiGate FortiSandbox FortiClient MailDMZ HostingDMZ ManagementZoneFortiAnalyzer ServerZone FortiWeb within the Fortinet Security Fabric
- 34. 34 Fortinet Security Fabric Integration WCCP External WAF ON FortiGate FortiWeb HTTP Traffic Quarantined IPs Web Server FortiSandbox Files for Inspection Third Party Scanners FortiGate » Compromised user sharing with IP Polling » Simplified setup with WCCP Protocol FortiSandbox » File scanning for unknown threats » APT protection » Also available with FortiSandbox Cloud Third-party Scanners » IBM AppScan and QRadar » HP WebInspect » WhiteHat » Qualys » Acunetix
- 35. 35 Use Case #1: Cloud Services Hub HOW All sites, clouds, virtual cloud networks and departments connect to/through services hub Multi-layered security offered from the cloud Security services scale as needed (resources used on demand) Cloud security management infrastructure is globally available and scalable WHAT Organizations leverage the elasticity, availability and scalability of the cloud and centralize security services into a shared services hub Global Presence On-Demand Capacity WHY Central Security for decentralized app development and infrastructure Internet Cloud Services Hub Transit VPC Public Cloud Based Infrastructure VPC1 V M VM VPC2 V M V M VM VM
- 36. 36 Use Case #2: Advanced Application Protection HOW FortiGate advanced threat protection in conjunction with FortiWeb and FortiMail FortiSandbox for File upload and inbound email scanning. Central Management via FortiManager and FortiAnalyzer WHAT Deep Application specific security in the cloud. Supporting the ability to comply with regulation and patch applications on the fly. WHY Increase confidence to deploy sensitive applications over the public cloud Internet Cloud Services Hub Transit VPC Web based and Mail Applications Sandbox Web and Mail Security NGFW Public Cloud Based Infrastructure V M V M VM VM
- 37. 37 Re-cap: • All websites (web applications) are potentially vulnerable • WAFs have been around for a while doing: compliancy and “negative security” • In the future, we will use Machine Learning to assist in providing positive security without the classic overheads • FortiWEB is a part of the security Fabric – greater than the sum of it’s parts