As attackers become more sophisticated, web application developers need to constantly update their security configurations. Static firewall rules are no longer good enough. Developers need a way to deploy automated security that learns from application behavior and identifies bad traffic patterns in order to detect bad bots and bad actors on the Internet. This session showcases real-world customer use cases that combine AWS WAF (a web application firewall) with automated incident response and machine learning to automatically identify bad actors. We also present tutorials and code samples that show how customers can analyze traffic patterns and deploy new AWS WAF rules on the fly.
12. AWS WAF: Integrated with AWS
Amazon CloudFront: Global content delivery network to accelerate websites, API, video content, and other web assets
13. AWS WAF: Integrated with AWS
Amazon CloudFront: Global content delivery network to accelerate websites, API, video content, and other web assets
Application Load Balancer: Load balancer with advanced request routing, and support for microservices and container-based applications
Announcing today...
14. What to expect from this session
Introduction to AWS WAF
AWS WAF security automation strategies
AWS WAF 101
Demo and getting started
16. We built a WAF that has…
Customizable and flexible rules
APIs: Integration with DevOps
Quick rule update
…allowing several WAF automation strategies
17. AWS WAF security automation strategies
Provisioning WAF
Configuring rules
Importing rules
Automated incident response
Learning-based protections
… to spend less time securing applications
24. Provisioning AWS WAF: Reuse
Spend less time by reusing WAF rules
[Diagram]
Match conditions: IP whitelist (internal IP); IP blacklist (known bad); SQL injection; URL match; XSS match
Rules: Rule 1: Whitelist [ALLOW]; Rule 2: Blacklist [BLOCK]; Rule 3: Common protection #1 [BLOCK]; Rule 4: Common protection #2 [BLOCK]
Web ACLs: Web ACL #1 with ALB 1 (dev env); Web ACL #2 with ALB 2 (prod env)
25. Provisioning AWS WAF: Reuse
Spend less time by reusing WAF rules
[Diagram]
Match conditions: IP whitelist (internal IP); IP blacklist (known bad); SQL injection; URL match; XSS match
Rules: Rule 1: Whitelist [ALLOW]; Rule 2: Blacklist [BLOCK]; Rule 3: Common protection #1 [BLOCK]; Rule 4: Common protection #2 [BLOCK]
Web ACLs: Web ACL #1 with ALB 1 (dev env); Web ACL #2 with ALB 2 (prod env)
Added: ALB 3 (new app)
26. Provisioning AWS WAF
Quickly fix vulnerabilities
Example: {CVE-2016-538}
• Server-side web applications that utilize the HTTP_Proxy header as an environment variable
• Attacker could intercept connections between a client and server.
Quick solution:
Use AWS WAF to configure a rule to detect and block web requests that contain a proxy header.
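The quick solution above, as an added Python example that is not from the slides: a block rule written in the AWS WAFv2 JSON rule shape, plus a local dry run against constructed requests. The rule name, priority, metric name, the `dry_run` helper and the sample requests are assumptions.

```python
import operator

# Rule in the AWS WAFv2 JSON shape (an assumption: the slides do not show the rule).
# A size constraint of "> 0 bytes" on the Proxy header matches any request that sends one.
PROXY_HEADER_RULE = {
    "Name": "block-proxy-header",   # hypothetical name
    "Priority": 5,                  # assumed; mirrors "Rule 5" in the deck
    "Statement": {"SizeConstraintStatement": {
        "FieldToMatch": {"SingleHeader": {"Name": "proxy"}},
        "ComparisonOperator": "GT",
        "Size": 0,
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
    }},
    "Action": {"Block": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": True,
                         "CloudWatchMetricsEnabled": True,
                         "MetricName": "blockProxyHeader"},
}

OPS = {"EQ": operator.eq, "NE": operator.ne, "LE": operator.le,
       "LT": operator.lt, "GE": operator.ge, "GT": operator.gt}

def dry_run(rule, headers):
    """Evaluate the size constraint locally against (name, value) header pairs."""
    stmt = rule["Statement"]["SizeConstraintStatement"]
    wanted = stmt["FieldToMatch"]["SingleHeader"]["Name"].lower()
    compare = OPS[stmt["ComparisonOperator"]]
    for name, value in headers:
        # Header names are case-insensitive; the match is on the exact name only,
        # so Proxy-Authorization and similar headers are left alone.
        if name.lower() == wanted and compare(len(value.encode()), stmt["Size"]):
            return "BLOCK"
    return "ALLOW"   # stands in for the web ACL default action

# Constructed requests for the dry run.
REQUESTS = {
    "plain": [("Host", "app.example"), ("User-Agent", "curl/8.0")],
    "proxy": [("Host", "app.example"), ("pRoXy", "http://proxy.invalid:3128")],
    "proxy-auth": [("Host", "app.example"), ("Proxy-Authorization", "Basic Zm9v")],
}

def verdicts():
    """Verdict per constructed request."""
    return {name: dry_run(PROXY_HEADER_RULE, hdrs) for name, hdrs in REQUESTS.items()}
```

The dictionary serializes to the JSON accepted in the Rules list of a WAFv2 web ACL.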
28. Provisioning AWS WAF
Spend less time by reusing WAF rules
[Diagram]
Match conditions: IP whitelist (internal IP); IP blacklist (known bad); SQL injection; URL match; XSS match; Header match
Rules: Rule 1: Whitelist [ALLOW]; Rule 2: Blacklist [BLOCK]; Rule 3: Common protection #1 [BLOCK]; Rule 4: Common protection #2 [BLOCK]; Rule 5: CVE-2016-538 [BLOCK] Header match
Web ACLs: Web ACL #1 with ALB 1 (dev env); Web ACL #2 with ALB 2 (prod env)
Added: ALB 3 (new app)
30. Configuring AWS WAF rules
Preconfigured AWS CloudFormation templates for common protection
CloudFormation template
AWS WAF Configuration
31. Configuring AWS WAF: Common protection
Enable common protections
SQL injection
Cross-site scripting
32. Preconfigured protections: Customer example
Need quick setup and common protections like SQLi, XSS
“Overall, the entire stack so far has been extremely helpful. I truly would say that
this stack should almost be a standard built-in for anyone looking to use WAF as I
cannot begin to tell you how useful and truly effective it is.”
Award winning Health & Beauty eTailer
45. What is machine learning
Machine learning is the technology that automatically finds patterns in your data and uses them to make predictions for new data points as they become available
Your data + machine learning = smart applications
46. Amazon Machine Learning
Easy-to-use, managed machine learning service built for developers
Robust, powerful machine learning technology based on Amazon’s internal systems
Create models using your data already stored in the AWS Cloud
Deploy models to production in seconds
47. AWS WAF with Amazon Machine Learning
A PoC on learning-based WAF
48. AWS WAF with Amazon Machine Learning
The problem:
Detect requests from domain generation algorithms
Solution:
Use referrer header to detect bad domains visiting my website based on machine learning
49. AWS WAF with Amazon Machine Learning
1. Data preparation – Feature engineering
2. Train model based on known good and bad domains
3. Evaluate using real data
50. AWS WAF with Amazon Machine Learning
1. Data preparation – Feature engineering
51. AWS WAF with Amazon Machine Learning
2. Train model based on known good and bad domains
Good domains: Alexa 10,000
Bad domains: Known phishing domains
52. AWS WAF with Amazon Machine Learning
3. Evaluate using real data
Use raw logs from CloudFront logs
#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version
2014-05-23 01:13:11 FRA2 182 192.0.2.10 GET d111111abcdef8.cloudfront.net /view/my/file.html 200 www.displaymyfiles.com Mozilla/4.0%20(compatible;%20MSIE%205.0b1;%20Mac_PowerPC) - zip=98101 RefreshHit MRVMF7KydIvxMWfJIglgwHQwZsbG2IhRJ07sn9AkKUFSHS9EXAMPLE== d111111abcdef8.cloudfront.net http - 0.001 - - - RefreshHit HTTP/1.1
2014-05-23 01:13:12 LAX1 2390282 192.0.2.202 GET d111111abcdef8.cloudfront.net /soundtrack/happy.mp3 304 www.unknownsingers.com Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%205.1) a=b&c=d zip=50158 Hit xGN7KWpVEmB9Dp7ctcVFQC4E-nrcOcEKS3QyAez--06dV7TEXAMPLE== d111111abcdef8.cloudfront.net http - 0.002 - - - Hit HTTP/1.1
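The data-preparation and evaluation steps above, as an added Python example that is not code from the talk: it parses records in the CloudFront layout shown, extracts the cs(Referer) host, and derives lexical features a classifier could be trained on. The feature set (length, entropy, digit and vowel ratios), the function names and the two constructed log records are assumptions; the slides do not say which features were used.

```python
import math
from collections import Counter

# Field order copied from the "#Fields:" header of the CloudFront sample above.
FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
          "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
          "x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes "
          "time-taken x-forwarded-for ssl-protocol ssl-cipher "
          "x-edge-response-result-type cs-protocol-version").split()

# Constructed records in that layout; the second referer is a made-up random-looking name.
SAMPLE_LOG = """#Version: 1.0
2014-05-23 01:13:11 FRA2 182 192.0.2.10 GET d111111abcdef8.cloudfront.net /view/my/file.html 200 www.displaymyfiles.com Mozilla/4.0 - zip=98101 RefreshHit REQ1EXAMPLE== d111111abcdef8.cloudfront.net http - 0.001 - - - RefreshHit HTTP/1.1
2014-05-23 01:13:12 LAX1 2390 192.0.2.202 GET d111111abcdef8.cloudfront.net /index.html 200 http://xk7q2vz9pw4m.example/landing Mozilla/4.0 - - Hit REQ2EXAMPLE== d111111abcdef8.cloudfront.net http - 0.002 - - - Hit HTTP/1.1
"""

def referer_host(value):
    """Host part of a cs(Referer) value, lower-cased; None when the field is '-'."""
    if value == "-":
        return None
    host = value.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return host.lower() or None

def features(host):
    """Lexical features of the label left of the TLD (assumed feature set)."""
    labels = [p for p in host.split(".") if p]
    if not labels:
        return None
    label = labels[-2] if len(labels) > 1 else labels[0]  # naive: ignores co.uk-style suffixes
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    return {"length": n, "entropy": round(entropy, 3),
            "digit_ratio": round(sum(ch.isdigit() for ch in label) / n, 3),
            "vowel_ratio": round(sum(ch in "aeiou" for ch in label) / n, 3)}

def referer_features(log_text):
    """One feature row per request that carries a Referer, ready for a classifier."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split()))  # split() handles tabs and spaces
        host = referer_host(rec.get("cs(Referer)", "-"))
        feats = features(host) if host else None
        if feats:
            rows.append({"c-ip": rec["c-ip"], "referer": host, **feats})
    return rows
```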
55. AWS WAF with Amazon Machine Learning
How good is our machine learning model
Category: Result
Accuracy: 98%
Recall (true positive rate): 78%
False positive rate: 1%
True negative rate: 99%
56. Summary
Spend less time securing your applications
Instead, focus on building applications
Provisioning WAF: Reuse rules
Configuring rules: Configure common protections in minutes using CloudFormation templates
Importing rules: Automated reputation list from external sources
Automated incident response: Advanced application-specific firewall rules
Learning-based protections: Smart adaptive protections using Amazon ML