Why Network and Endpoint Security Isn’t Enough

Editor's Notes

• #4: Why traditional security measures are not enough to prevent web attacks? Growth of security breaches, what %age are web application attacks What are the challenges with securing web application Why is network and endpoint security not enough What are the best practices for web application security? Focus moving towards securing Data, Applications, and Users How are IT/Security Ops trying to address challenges Key stakeholders and use-cases How are customers secure web applications on-premises/cloud? How can a WAF address these requirements What deployment scenarios should be supported
• #6: With IT infrastructure going through a major transformation, protecting physical sites, networks, and endpoints protection is not enough – they could be compromised . IT security is now focused on protecting the top of the stack – Data, Applications, and Users. Physical transformation – As companies move to multiple geographies, all sites may not have same level of physical security Networks – with companies connected to suppliers and partners, flaws in network isolations create loop-holes. Target – a prime example Endpoints – with increasing use of BYOD, laptop’s and mobile devices may be compromised while they are outside the network. Data – moving from data centers to the cloud. Data is also exposed to insider threats (compromised/malicious insiders) Applications – more web apps and SaaS apps being developed to boost on-line business Users – User community is untrusted, because it could be anyone on the internet who has access to your website or cloud app
• #7: As focus moves to Users, Applications, and Data, the main security questions that businesses need to ask are: Who has access to data from outside and inside the company? How are applications protected from web attacks and data breaches? Are we compliant to industry regulations and standards? <click> Company Assets include: Structured data in data bases Unstructured data in files Web applications which give user access to data How can you “holistically” secure data, applications, and users. <click> EXTERNAL THREATS: You have customers, partners, employees, and hackers, who can by-pass perimeter security and launch web-attacks – technical, logic, account takeover, and committing fraud.. <click> You can install a WAF in front of the web-applications to prevent these types attacks by installing a WAF in front of all external facing web applications. <click> In addition, WAF integrates with vulnerability scanners to automatically patch using WAF policies, and vulnerabilities detected in the app. <click> INTERNAL THREATS: You have employees, malicious insiders, and endpoints that have been already compromised by malware. You may not be monitoring Usage or User Rights, nor blocking Unauthorized access. <click> With DCAP (Data Centric Audit and Protection), you can centrally monitor and control access to all databases, SharePoint and files where the data resides. You can also discover and classify assets based on sensitivity, and monitor privileged access.
• #9: Large scale data breaches continue to occur in spite of the money companies are spending on security defenses. Cyber criminals have stolen millions of records including user credentials, credit cards, SSN numbers, medical records and intellectual property. 75% of the cyber-attacks target web-applications according to Gartner Research, because they are easily accessible from the internet, and they provide lucrative entry points to valuable data. Web attacks are common because most websites today contain vulnerabilities. An average of 79 serious vulnerabilities exist per web-site according to WhiteHat website security stats. 1 in 5 vulnerabilities discovered on legitimate websites were considered critical – allow attackers to access sensitive data, alter websites content, compromise visitors computers As a result, data breaches due to web application attacks have been increasing. $5.85 M is the average cost per data breach accoring to the latest Ponemon Report
• #10: Web Application Firewall protect in-coming HTTP traffic against web-based attacks that easily by-pass NG Firewalls, such as SQL-Injection, Cross Site Scripting, and those in the OWASP top-10. WAF customers can subscribe to the following Threat Radar services: Reputation: Insights based on reputation of source IP address Bot Protections: distinguishes threats coming from humans and bot networks Account Takeover protection: Protects website user accounts from attack and takeover – This a new subscription service is part of the latest SecureSpehere 11.5 release.
• #11: The most critical capability of any WAF is accuracy. There are some user activities that are obviously bad that need to be blocked, and there are some activities that are clearly OK that should be allowed through. The hard part is dealing with that gray zone – with things that aren’t clearly bad or good at first glance. A WAF needs to be accurate, especially in this gray zone, so that it can stop the hackers and let your customers, partners and employees through. The best way to deal with that gray area is by inspecting web application traffic at multiple layers and correlating across the layers. Think about technical attacks that exploit application vulnerabilities through methods like SQL injection and cross-site scripting... You need to understand what’s normal application activity and what’s unusual activity. To do that, a WAF needs to learn applications by profiling use. And, that learning has to be ongoing, because applications are always changing and evolving, so learning should be dynamic. That is what Dynamic Profiling provides. Of course, you also need to look for, and stop, known patterns of bad behavior, using attack signatures. And, a WAF needs to identify when something is wrong with the HTTP mechanics – is someone is tampering with the protocol, with cookies, for example trying to hijack a user session. Again, to address technical attacks, you need to look at those layers and correlate across them. The same holds true for attacks on the business logic of applications via site scraping, comment spam, and application-layer DDoS. That’s where it’s important for a WAF to have IP reputation awareness, and bot identification and mitigation capabilities so it can recognize known malicious users or automated bots before they have the chance to scrape your site content or attack. Finally, WAFs should help prevent fraud by detecting user devices that are infected with malware, are suspicious or have performed fraudulent transactions in the past. Correlating across all of these defensive layers using pre-defined and custom policies delivers extremely accurate attack detection.
• #12:  If you compare Web Application Firewalls to Intrusion Prevention Systems and Next Generation Firewalls, the differences are clear. While these products may contain a handful of attack signatures, they are not effective at stopping Web application attacks. They do not have sophisticated security engines that can analyze Web application profile violations, keywords, and protocol violations together to correctly identify Web attacks. Secondly, they can’t stop threats like bots or protect cookies or sessions. They typically do not offer any type of reputation-based protection and if they do, it is focused on email spammers, not Web threats. Moreover, IPS’s cannot stop business logic attacks like site scraping and application DDoS and they can’t prevent Web fraud. In addition, many IPS products can’t even decrypt SSL traffic. +++++++++++++++++++++++++ Because of this, IPS’s suffer from a high rate of false positives and false negatives when attempting to stop Web application attacks. In addition, it is easy for hackers to evade them by using encoding or exploiting custom application vulnerabilities. Businesses that wish to avoid the painful consequences of a Web application attack need to deploy a Web application firewall.
• #14: Any WAF solution should provide flexible and scalable deployment options On-Premises WAF: Protects on-prem web-sites with an on-prem WAF solution, with HA and load-balancing capabilities Cloud-based WAF: Protects on-prem web-sites with a cloud-based WAF solution, with HA, load-balancing and volumetric DDoS protection. Web-traffic is routed through cloud-based WAF, via DNS redirection. Nothing deployed on customer site. WAF deployed in Hosted-sites: Protects web-sites using virtual instances of WAF in a hosting site – like Amazon AWS or Azure or Hybrid envirnmnets. Supports auto-scaling.
• #15: Gartner Magic Quadrant Imperva has consistently innovated and led the market for data security, as the Gartner Magic Quadrant for Web Application Firewalls shows. If you’re not familiar with Web Application Firewalls, or WAFs as we call them, Gartner describes them by saying they provide “protection for custom Web applications that would otherwise go unprotected by other technologies.” In other words, the applications that drive business for organizations are exposed without a WAF. We are the Leader in this Magic Quadrant, which demonstrates our ability to deliver value to customers and outpace not just the competition, but more importantly, the hackers. What Gartner says about Leaders is that “In addition to providing technology that is a good match to current customer requirements, Leaders also show evidence of superior vision and execution for anticipated requirements.” You can see that every other vendor finds themselves falling short on the Vision dimension. Challengers are typically selling a WAF as a bolt-on afterthought to their main product line. And Niche Players are focused on a regional market or narrow use cases. What that means in practical terms is that the other vendors here are not focused on data center security. We are unique in our vision and our ability to deliver on that vision. Credit: Gartner, Magic Quadrant for Web Application Firewalls, Jeremy D'Hoinne, Adam Hils, Greg Young, Joseph Feiman, 17 June 2014
• #17: The requirements for data security and auditing are complex PCI, Sox, JSOX, Compromised insiders, investigations, reporting, Adding to the complexity is the legacy of multi department silos, with each team addressing it’s own set of responsibilities using their own tools and processes
• #20: Here is a listing of the typical customer use cases focused on data compliance and protection and the typical project owner” Let me quickly summarize each use case: Sensitive Data Auditing is the primary use cases for compliance. Here, the customer has to collect and report on database access events to credit card and financial data as required by PCI and SOX. The Data Theft Prevention use case is about a customer that was hacked and lost both credit card and Personally Identifiable Information. They used our products to protect both their web applications and the databases storing this sensitive information. Data Across Borders highlights a customer that was opening a new datacenter in Germany and had to comply with the German Data Protection laws ensuring that any non-German Database Administrator was prevented from accessing data from German citizens. Database Virtual Patching is about a customer that runs a database vulnerability scans to discover missing database patches. Next, they create virtual patches to protect those databases until their DBA team schedules time to apply the vendor patches. Change Reconciliation is a use case detailing how a customer met their SOX compliance requirements by tracing database changes back to a change ticket. Protecting sensitive data from “Very Important People” is the focus of the VIP Data Privacy user case. This is a security use case explaining how to implement access controls and user rights reviews to protect sensitive data. Ethical Walls discusses how a customer was able to segregate data access from a business unit that they were selling. While your list may includes some of these or additional use cases, there is a commonality across all of these and many more. Next we’re going to review these use cases and introduce the key capabilities within our Database Security Suite that each customer used to address their challenges. [CLICK]
• #21: Here’s a five step process that includes an actionable set of steps for a manageable and smooth SOX compliance effort. Using this process, IT managers will be able to satisfy the compliance requirements of auditors, as well as ensure business alignment, satisfactory control, and robust security in their IT systems. First you need to discover sensitive data across the enterprise and gather risk profile for the different data sets. There is a need to take a top-down, risk-based approach to ensure that sufficient and appropriate attention is given to areas of highest risk. Then the next step is to assess the discovered infrastructure (servers, databases) and identify, report and remediate vulnerabilities, misconfigurations and gaps in security best practices. SOX requires restricting user access to sensitive data based on business need to know. You need to set controls that prevent inappropriate and unauthorized use of the system across all layers of systems, operating system, database and application. The fourth step of the compliance framework is audit & secure. You need to continuously audit and secure alert on significant changes in a person’s usage of financial data so administrators can ensure these changes are in line with compliance policies and prevent fraudulent activity. and, you need to measure and report to demonstrate that configuration and usage are within best practice guidelines. To do it consistently across a heterogeneous environment you need a single platform with the ability to manage and deploy policies and controls automatically
• #22: Locate all databases Find and classify sensitive information Auto-create protection and compliance policies from results Find and remediate excessive rights and dormant users ………….. This capability is valuable to nearly every database security use case. Before you can begin auditing and monitoring database activity, you need to know where your data is. Our Discovery and Classification capabilities will help you not only identify active database services, but more importantly, those that contain sensitive data. We can scan your network and report back on all active databases. Having an accurate database inventory will help you to scope your auditing and monitoring activities, but also identify new databases that you might not know about…we sometimes refer to these are rogue databases. Obviously these can pose a risk to your business, especially if they are using production data. In addition, once these databases are discovered, you have the ability to automatically apply a general audit policy so that you can begin to capture audit details immediately. To further assist in defining scope, SecureSphere can then create a map of database objects that contain sensitive data. For example, we can define database tables that contain credit card numbers, email address and other personally identifiable information or PII. And, because SecureSphere is highly configurable it’s easy to create your own search criteria.
• #23: [CLICK] An electronic payment processor needed to monitor database activity to comply with PCI section 10. They had deployed our Database Activity Monitoring product, applied PCI specific policies and were collecting PCI data and generating reports for their auditors. [CLICK] During review of the audit logs, their ITSecurity team discovered some suspicious activity…ATM card numbers and associated PINs were being stolen by an outside hacker. The business challenge quickly evolved to include stopping data theft [CLICK] They next applied some Security Policies that collected all of the details of the illicit activity and then turned over the access logs to the authorities who conducted forensics and ultimately apprehended the cyber criminals Now the payment processor not only has an audit trail for PCI But they alert on any suspicious database access activity [CLICK]
• #24: Now the payment processor not only has an audit trail for PCI But they alert on any suspicious database access activity [CLICK]
• #25: Big Data, databases, file servers and SharePoint OOTB policies and reports (HIPPA, SOX, PCI…) Remediation workflows Tamper-proof audit trail Configuration and vulnerability management Pan-estate audit reporting with drill-down dashboard
• #29: Tips for Improving Web Application Security Posture: Deploy WAF in front of all web applications, in addition to perimeter controls Ensure WAF is getting real-time threat intelligence feeds to block advanced attacks Foster secure web application development when possible Schedule regular vulnerability scans of all externally facing web applications Integrate WAF with vulnerability scanners and SIEM solutions for mitigation and IR Ensure WAF provides flexible deployment options – on-premises, cloud, hosting environments
• #33: Any WAF solution should provide flexible and scalable deployment options On-Premises WAF: Protects on-prem web-sites with an on-prem WAF solution, with HA and load-balancing capabilities Cloud-based WAF: Protects on-prem web-sites with a cloud-based WAF solution, with HA, load-balancing and volumetric DDoS protection. Web-traffic is routed through cloud-based WAF, via DNS redirection. Nothing deployed on customer site. WAF deployed in Hosted-sites: Protects web-sites using virtual instances of WAF in a hosting site – like Amazon AWS or Azure or Hybrid envirnmnets. Supports auto-scaling.