What You're Missing With Your Current WAF Provider
•Download as PPTX, PDF•
1 like•1,443 views
Preventing data breaches and stopping malicious bots has become a top priority for many companies. Cloudflare blocks over 400 million malicious requests each day and from this we know that installing and forgetting a Web Application Firewall is no longer enough. In order to keep up, rules must not only be updated and monitored constantly, but they must also be augmented with other security services to provide an effective solution.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to What You're Missing With Your Current WAF Provider
Similar to What You're Missing With Your Current WAF Provider (20)
More from Cloudflare
More from Cloudflare (20)
Recently uploaded
Recently uploaded (20)
What You're Missing With Your Current WAF Provider
- 1. What You're Missing With Your Current Web Application Firewall Provider How current challenges are putting pressure on traditional WAFs
- 3. Agenda ● Housekeeping ● Why a WAF? ● Current Security Threats ● Business Impacts ● Finding an Intelligent WAF ● Necessary Surrounding Services ● Q & A
- 4. Housekeeping ● Ask questions in the “Questions” chat box in ReadyTalk. ● We’ll triage all questions at the end of the presentation. ● We’ll be emailing the slides and recording to all registrants. ● All attendees are muted.
- 5. Why a WAF?
- 6. Why did you originally buy a WAF? Protect applications from targeted attacks Malicious Payloads: SQLi, null bytes, malformed data, XSS Keep customers and their data secure Protect website from defacement or content theft
- 8. Customers’ Security Threats SYSTEM DDoS Attack Attack traffic impacts availability or performance Data Theft Attempt Compromise of sensitive customer data Bots Prevent malicious bots from abusing site or application Webpage
- 9. Compromise of Sensitive Customer Data Fake Website Visitors 1DNS Spoofing Malicious Payload eg: SQLi that ex-filtrates PII and credentials 3 Attacker Bots Brute Force 4 Data Snooping 2
- 10. Malicious Bot Attacks Account Takeover Taking over an account to abuse the site, make fraudulent purchases, or extract financial information of user Content Scraping Stealing public information on the website such as prices or valuable SEO content Resell itemBots Bots Checkout Fraud Automated purchasing of valuable or limited inventory Bots Website with stolen content
- 11. Business Impacts
- 12. Lost customer trust and degraded brand value Lost revenue from site downtime or higher costs from bad traffic Business Impacts Business Impact ● $141 average cost for each lost or stolen record containing sensitive and confidential information ● $3.62 million is the average total cost of a data breach Cost categories: Remediation costs (hardware, services, and software), lost revenue, lost future revenue from customer churn, wasted marketing spend, negative brand impact, help desk costs, increase IT staffing costs, loss of user productivity IDC March 2015, and Ponemon Institute, June 2017
- 13. Finding an Intelligent WAF
- 14. 120+ Data centers globally Cloudflare’s Global Anycast Network 10%Internet requests everyday 5M Requests/second 7M+ websites, apps, & APIs in 150+ countries 2.5B monthly active visitors generating 1.3 trillion page views
- 16. Cloudflare WAF Statistics Pt. 2
- 18. Cloudflare Services Prevent Customer Data Breach Block Malicious Bots Anycast NetworkRate Limiting IP Reputation WAF DNS / DNSSECRate Limiting WAFSSL / TLS
- 19. Cloudflare Solution to Protect Sensitive Customer Data ATTACKS Attackers try to forge DNS answers to intercept customer credentials Snoop unencrypted sensitive data entered by customers Brute-force their way into login pages Inject malicious payloads through forms and APIs Resilient DNS and DNSSEC prevents forged answers Encryption through SSL/TLS blocks snooping Log-in protection through rate limiting Block top OWASP and emerging application-level attacks through the WAF ● Layered defense to protect against sophisticated attackers ● Single control-plane for more robust and agile security policies ● Learning from attack profiles across 6M websites to keep yours safe 1. 2. 3. 4. CLOUDFLARE SOLUTIONS
- 20. Cloudflare Solution to Prevent Malicious Bots ATTACKS Account takeovers Content scraping Fraudulent checkout 1. 2. 3. CLOUDFLARE SOLUTIONS Dynamic scoring of IP reputation Fingerprinting bad behavior across network Global intelligence across 6M websites and 400B daily requests Block known bad signatures with proactive shared intelligence Block brute-force login with rate limiting
- 22. The Cloudflare Advantage Integrated Performance, Security, and Reliability 7M customers and routing traffic for 2.5 Global Data Center Anycast Network China Network Firewall DDoS Content Optimization Load Balancing AMP Rate Limiting DNS Argo WAF CDN Latest Web Standards TLS Data Centers with 10 Tpbs capacity 120+ HTTP Internet traffic 10% All DNS queries 38%& SCALE INTEGRATED STACK EASY FINE- GRAINED CONTROL
- 23. Thank you!
- 24. Questions?
Editor's Notes
- Speaker introduction
- Talk Track:
- Talk Track: In light of this growing exposure to security risks, what are those primary threats you may encounter? We spent time talking with OUR customers across different verticals to truly understand the most common fears. These match what industry analysts are reporting: Site is unavailable because of denial of service attack Customer data is compromised, (e.g. breached or stolen) Increasingly, abusive bot activity For each of these broad types of threats, we’ll quickly go into more detail about what those types of threats or attacks could look like. Questions: Which, if any, of these are most important for you? For the others, do you anticipate they could become problems or think they won’t impact your business? And if so, why? If there was a pre-call…”I know you shared initial concerns about DDoS, what about data compromise?”
- Talk Track: When it comes to compromise of sensitive customer data, you may be most familiar with malware. While that’s a very visible form of attack right now, we should consider there are other common, just not as media-hyped, forms of customer data theft. The take-away for this slide is that attackers can take advantage of different vulnerabilities. DNS Spoofing: visitors are directed to a fake site instead of your site A compromised DNS record, or "poisoned cached," can return a malicious answer from the DNS server, sending an unsuspecting visitor to an attacker's site. This enables attackers to steal user credentials to then take-over legitimate accounts. Data Snooping: sensitive data like visitor’s credentials or credit cards are snooped over the wire Attackers can intercept or "snoop" on customer sessions to steal sensitive customer data, including credentials such as passwords or credit-cards numbers. Brute Force: attackers are repeatedly trying credentials to take over an account Attackers can wage "dictionary attacks" by automating logins with dumped credentials to "brute force" their way through a login-protected page. Malicious Payload: SQL-injection, cross-site scripting, remote file inclusion that results in ex-filtrated data Malicious payloads exploit an application vulnerability. The most common forms are SQL injections, cross-site scripting, and remote file inclusions. Each of these can exfiltrate sensitive data by running malicious code on the application. The risk is that sensitive customer data, such as credit card information, might get compromised.
- Talk Track: The third attack: increasingly, bots are becoming more common forms of attack. The three most common we have seen and blocked are: Content scraping: which essentially steals website content and hurts SEO or revenue Check out fraud: the most common is the “sneaker bot” which takes limited inventory and buys before actual customers can get them Account takeover: the result typically of a brute force login to then use a compromised account
- Talk Track: So what happens when you experience one or more of these problems we just discussed? Many of our customers shared with us they have both intangible and tangible costs. You can see some of the potential cost categories and, if you are interested, we can schedule time with your team to get a better handle on the costs if you don’t know details right now. However, for the purposes of this conversation, we’ve found it’s often helpful to think about and to discuss the potential costs. The areas of cost can range, as you can see on the list, from remediation costs to loss of user productivity. It doesn’t need to be accurate. But reviewing these can reveal whether the problem is a one-hundred dollar a month problem, or a one-hundred thousand dollar a month problem. Some questions include: What is the cost for an hour of downtime due to a DDoS in lost customers? What would be the cost if just one customer record were breached in terms of remediation or customer churn? What happens to revenue or your brand when malicious bots abuse your site? Source: IDC, March 2015: “DevOps and the Cost of Downtime: Fortune 1000 Best Practice Metrics Quantified”, Stephen Elliot. This was commissioned by AppDynamics Ponemon Institute, 2017 Internal background reading - Enablement: These are discovery/conversation slides This is very important. You will have a more difficult time ultimately doing the sale or upsell without it unless the customer’s hair is on fire to buy something. On the right hand side are the types of costs to explore with customers. Potential responses from customers and options for responses: If the customer responds: I don’t know “That’s fine. I could imagine the person who would know would be interested. Could we include him in future meetings as a way to help you get the answers?” “I understand. Who would know about these numbers in your organization?” “Sure. Do you think you could make an educated guess? Is this $5 per incident or $50,000 per incident?” We have found that it’s valuable for companies to quickly get a sense of the business impacts you most care about. These two were consistently what customers shared as big concerns, whether they use Cloudflare or not. Which of these are important to you? What connection do you see between these and downtime from DoS and breached customer data? Who in the org care about these impacts? Here are some examples from conversations with existing customers: Trust A financial services customer said lost of trust would directly impact customer and revenue A medical ecommerce customer said losing trust would be “game over” as a business A hospitality company values the brand as key to their business and downtime hurt the brand A media site said losing trust of readers as a news site by being down would impact short-term ad revenues and long-term brand (which impacted advertisers) Trust goes down, Revenue goes down in every case If you had to give a dollar amount of the impact, what would it be? Notes: Are costs critical to the buying decision? Costs could be the increased costs of backend servers during attacks -- For example, the service HaveIbeenPwnd, saw a 5x increase in Azure services due to attacks -- A media company customer saw bandwidth costs increase 1000x from attack traffic Revenue could be the impact during an outage Downtime for many companies, from e-commerce, to SaaS, to ad-driven businesses, can be in the tens of thousands of dollars, due to lost customers, lost ad dollars If you have to pick an area with the biggest potential impact, which would it be? RESEARCH from competitors: The average global cost of data breach per lost or stolen record was $141. However, health care organizations had an average cost of $380 and in financial services the average cost was $245. Media ($119), research ($101) and public sector ($71) had the lowest average cost per lost or stolen record. 2017 Cost of Data Breach Study Global Overview Benchmark research sponsored by IBM Security Independently conducted by Ponemon Institute LLC June 2017 https://www.theatlantic.com/technology/archive/2016/10/a-lot/505025/ https://www.ponemon.org/blog/2014-cost-of-data-breach-united-states https://security.radware.com/uploadedFiles/Resources_and_Content/Attack_Tools/CyberSecurityontheOffense.pdf https://www.corero.com/company/newsroom/press-releases/market-study-indicates-ddos-protection-is-a-high-priority-for-data-centres-hosting-providers-and-network-services-providers/ https://ns-cdn.neustar.biz/creative_services/biz/neustar/www/resources/whitepapers/it-security/ddos/2015-oct-ddos-report.pdf
- Talk Track Earlier we discussed four common vectors for attacks to compromise or steal sensitive data. The take-away for this slide is this: when there are multiple vectors, you need a layered defense. To defend against malicious payloads, you need a WAF - WAF checks the payload against malicious OWASP on the application To prevent unintended snooping of data, you need easy to manage and deploy encryption - TLS encrypts the content so protects against sniffing To block brute force logins, you need rate-based log-in protection - Rate Limiting checks against threshold volume to protect against DDOS, brute-force or scraping To prevent forged DNS answers that can send customers to a fake site, you need resilient DNS and DNSSEC - DNS tells us the address the request goes to and secure DNS protects against phishing All these work seamlessly and are easy to set up and configure through the Cloudflare UI as well as through a rich set of APIs. The high level takeaways are: Multiple attack vectors Cloudflare has layered defense Easy to configure across all services Learn across 6m websites Background Reading - you can build this into your talk track: Reduce risks of data compromise through layered defense Attackers often use several attack vectors when attempting to compromise customer data. To protect themselves, companies need a layered defense. REDUCE SPOOFING THROUGH SECURE DNS Cache poisoning or "spoofing" tricks unsuspecting site visitors to enter sensitive data, such as credit card numbers, into an attacked site. This type of attack occurs when an attacker poisons the cache of a DNS name server with incorrect records. Until the cache entry expires, that name server will return the fake DNS records. Instead of being directed to the correct site, visitors are routed to an attacker's site, allowing the bad actor to extract sensitive data. DNSSEC verifies DNS records using cryptographic signatures. By checking the signature associated with a record, DNS resolvers can verify that the requested information comes from its authoritative name server and not a man-in-the-middle attacker. REDUCE SNOOPING THROUGH ENCRYPTION Attackers can intercept or "snoop" on customer sessions to steal sensitive customer data, including credentials such as passwords or credit-cards numbers. In the case of a "man-in-the-middle" attack, the browser thinks it is talking to the server on an encrypted channel, and the server thinks it is talking to the browser, but they are both talking to the attacker who is sitting in the middle. All traffic passes through this man-in-the-middle, who is able to read and modify any of the data. Fast encryption/termination, easy certificate management, and support of the latest security standards enable customers to secure transmission of user data. BLOCK MALICIOUS PAYLOADS THROUGH AUTO-UPDATED, SCALABLE WAF Attackers exploit application vulnerabilities by submitting malicious payloads that can extract sensitive data from the database, the user's browser, or from injecting malware that can compromise targeted systems. A Web Application Firewall (WAF) examines web traffic looking for suspicious activity; it can then automatically filter out illegitimate traffic based on rule sets that you ask it to apply. It looks at both GET and POST-based HTTP requests and applies a rule set, such as the ModSecurity core rule set covering the OWASP Top 10 vulnerabilities to determine what traffic to block, challenge or let pass. It can block comment spam, cross-site scripting attacks and SQL injections. The Cloudflare Web Application Firewall (WAF) updates rules based on threats identified because of its 6M customers, and can protect customers without hurting application performance because of its low-latency inspection and integration with traffic acceleration. REDUCE ACCOUNT TAKE-OVERS THROUGH LOGIN PROTECTION Attackers can wage "dictionary attacks" by automating logins with dumped credentials to "brute force" their way through a login-protected page. Cloudflare enables users to customize rules to identify and block at the edge these hard-to-detect attacks through its rate-limiting rules
- Talk Track: Bots are sophisticated and varied. The most common forms of attacks are account takeovers, content scraping and fraudulent checkout. Because there are different types of attacks, Cloudflare’s approach leverages different forms of defense. Here’s an example: Most bots, such as abusive checkouts or content scraping, have an unusually high volume of requests. Our customizable rate limiting solution has solved the problem for customers. Because of the amount of traffic Cloudflare sees, our IP reputation scoring and ability to analyze behavior to detect malicious bots helps to block bad traffic sources such as malicious bots. By combining flexible rules with global shared intelligence, Cloudflare helps customers to prevent malicious bots.