Radware Cloud Security Services
1. Radware Cloud Security Services: Real World Threats Meet Real World Protection
May 16, 2016
2. About Radware
Market Leader in Application Availability solutions
>$200M Revenue
Awarded Best Managed Security Service 2016
Chosen by Cisco Firepower 9300 and Checkpoint NG Firewall appliances as OEM partner
3. Introducing Radware’s Cloud Security Services
Cloud WAF Service | Cloud DDoS Protection Service
Hybrid | Always-On | On-Demand
Full enterprise-grade cloud protection services that protect from multi-vector threats to prevent outage and minimize service-level degradation
5. The Web Security Challenge
It’s like trying to hit a moving target. ALWAYS. ALL THE TIME.
Ever Evolving Threats
Ever Evolving Applications
Ever Limiting Resources
6. Ever Evolving Threats
Exponential 10X growth in new malware programs since 2012
Source: www.av-test.org
Cyber-crime alone costs the global economy approximately $445 billion a year.
More than 35% experienced SSL-based attacks in Y2015
Source: Radware Global Application & Network Security Report, 2016
An increase of more than 60% since 2010 in the number of new vulnerabilities every year
Source: National Vulnerability Database (NVD)
Almost 100% of attack campaigns today are multi-vector campaigns
Source: Radware Emergency Response Team
Real-Life Example: Swiss-based encrypted email service provider
Back-to-back attacks for over 14 days
High volume attack between 30-100 GB
Up to 8 simultaneous attack vectors every day
Radware deployed emergency service a few days into the campaign and was able to mitigate the attacks
7. Ever Evolving Applications
The world has moved to continuous application delivery
Most successful applications release 1-4 updates a month
Source: savvyapps.com
The number of distributed teams that practice Agile has doubled this year, rising from 35% to 76%
Source: Versionone research
Nearly 57% of organizations have adopted Agile methodology
Source: Versionone research
8. Ever Limiting Resources
45% experience difficulty finding the qualified personnel they require
Source: The 2015 (ISC)² Global Information Security Workforce Study by Frost & Sullivan
54% of IT security employers experiencing a talent shortage say that it has a medium or high impact on their ability to meet client needs
Source: HP IT Security Jobs Report, 2014
70% of respondents say their organizations do not have enough IT security staff
Source: HP IT Security Jobs Report, 2014
10. Radware Cloud Security Services
Challenges addressed: Ever Evolving Threats | Ever Evolving Applications | Ever Limiting Resources
Continuously Adaptive: automatically adapting to evolving threats and applications
Unmatched Protection: widest security coverage with the shortest time to protect
Fully Managed: fully managed cloud service
11. Continuously Adaptive Cloud Security Service
Automatically detect & mitigate zero-day attacks
Automatically detect & protect new applications
Automatically identify & block attacks regardless of source IP
12. Multi-layered protection covering all attack types
Unmatched Protection
Widest Security Coverage: Network-layer, Application-layer, Web-based, SSL-based, volumetric and non-volumetric
Unique SSL-Based Attack Mitigation: maintains user data confidentiality; removes certificate key dependencies
Negative + Positive Models: accuracy of detection and mitigation for known and unknown attacks
13. As Simple as it Gets: Fully-Managed Cloud Security Service
24x7 dedicated team of security experts for fast mitigation under attack
Fully-managed 24/7 service by Radware’s battle-proven ERT:
24/7 DDoS Protection
Online Portal & Reporting
On-Premise Device Management
Periodic Security Consulting
14. Cloud DDoS Protection - Under Attack Example: Canadian Secure Email Service Provider
SITUATION
DDoS protection service provider Staminus suffered a network outage and a data leakage caused by a DDoS attack
Following the Staminus takedown, the attack moved on to their clients
A persistent multi-vector campaign reaching a 130Gbps traffic blend
SOLUTION
Radware deployed Cloud DDoS Protection a few days into the campaign
Attack traffic immediately diverted to the Radware Scrubbing Center
Legitimate traffic forwarded to the customer website, restoring its operation
Service resumed with no impact on the customer’s business
BENEFITS
Pro-active monitoring in real time by Radware's ERT
Immediate diversion to the scrubbing center, ensuring service continuity
Ensures optimal application SLA
15. Be the First To Know with Full Visibility
Real-Time Monitoring
Comprehensive Reporting
Ticket Work Flow Management
Role/User Based Access Control
16. Robust Global Cloud Security Network
Segregate clean and attack traffic with dedicated scrubbing centers
Over 2TB of global mitigation capacity
[Map: Radware Scrubbing Centers / Radware Security Cloud]
18. Fully-managed enterprise-grade WAF service
Radware Cloud WAF Service
Operated by Radware ‘battle-proven’ ERT
Using Radware’s WAF technology
Full coverage of ALL OWASP Top-10 (Top 10-2013: The Ten Most Critical Web Application Security Risks)
ICSA Labs certification
Auto-policy generation for new applications
0-day web-attack protection
IP-Agnostic attack protection with Device Fingerprinting
Unmatched Web Security Protection
Web Application Attack Categories Covered:
TCP Termination & Normalization: HTTP Protocol attack (e.g. HRS); Path traversal; Base 64 and encoded attacks; JSON and XML attacks
Login Protection: Password cracking – Brute Force
Attack Signature and Rules: Cross site scripting (XSS); Injections: SQL, LDAP; OS commanding; Server Side Includes (SSI)
LFI/RFI Protection: Local File Inclusion; Remote File Inclusion
Session Protection: Cookie Poisoning; Session Hijacking
Data Leak Prevention: Credit card number (CCN); Social Security (SSN); Regular Expression
Access Control: Predictable Resource Location; Backdoor and debug resources; File Upload attacks
19. Zero-Day Web Attack Protection
Negative Security Model
Blocks known attacks via known signatures and rules
Standard across most WAF technologies
Does not help protect from unknown vulnerabilities and 0-day attacks
Positive Security Model
Learns and defines what actions are allowed; all the rest is blocked
Blocks unauthorized access or actions that are not permitted
Protects from 0-day attacks and unknown vulnerabilities
Higher layer of protection; more specific and tighter protection
20. Protect New Applications with Auto Policy Generation
Flow: App Mapping -> Threat Analysis -> Policy Generation & Optimization -> Policy Activation
BEST SECURITY COVERAGE: over 150 attack vectors covered through auto threat analysis
LOWEST FALSE-POSITIVES: ~0 false positives through auto-optimization of out-of-box rules
SECURITY ASSURANCE: auto-detect web application changes
21. Unique IP-Agnostic Fingerprinting Protection
Beyond IP address blacklisting: detailed device fingerprinting through multiple parameters (Operating System, System Fonts, Screen Resolution, Browser Plug-ins, Local IPs)
Enables precise activity tracking over time and development of IP-agnostic Device Reputation
Device Reputation for bot detection and blocking
Provides advanced protection from:
Website Scraping
Brute Force Attacks
HTTP Dynamic Floods
Dynamic IP Attacks
22. Fingerprinting Case - Leading US Airline
Major US Airline
Sophisticated attacks - bad bots programmed to “scrape” certain flights, routes and classes of tickets.
Bots acting as faux buyers, continuously creating but never completing reservations on those tickets
Airline unable to sell the seats to real customers
Dynamic source-IP attacks, so security protection could not differentiate between “good” and “bad” bots
Chose Radware’s WAF with fingerprinting technology to block dynamic IP attacks
23. Radware Cloud WAF Service - Offering Sets
Service available in three packages:
SILVER: Single shared policy for multiple web applications; Basic security offering to secure against common web attacks
GOLD: Dedicated policy for each web application; PCI Compliance ready policy; Added protection from data and access centric attacks
PLATINUM: OWASP Top 10 coverage; Extended security policy; Zero-day attack protection; Advanced attack protection
DDoS protection of up-to 1 Gbps of attack traffic is included in all packages
Volumetric DDoS-attack protection available at additional cost
27. Automatic Real-Time Signature Generation
Radware: automatic real-time signature generation for zero-day attacks - 18 SECONDS
Non-Radware: manual signature generation for zero-day attacks - 30 MINUTES
Protections for zero-day attacks within seconds
28. Unique SSL DDoS Attack Mitigation
L4 challenges initiated on suspicious traffic -> user is validated as legitimate
Legitimate SSL connections are not deciphered -> no added latency, user data confidentiality is maintained
Customer certificate management remains unchanged
Covers all SSL DDoS threats, including Encoding, Evasion, and Single Packet attacks, and SQL injection over SSL
[Diagram labels: User; Radware Cloud (Validate User / User Validated); Application Server; User Domain; Independent Certificate Management]
29. Cloud DDoS Protection Service Deployment Alternatives
Cloud DDoS Protection Service: Hybrid Cloud | Always-on Cloud | On-Demand Cloud
32. Hybrid Cloud DDoS Protection Service
Detect where you can. Mitigate where you should.
Integrates with on-premise attack mitigation device
Minimal induced latency in peacetime - traffic diverted only upon pipe saturation
Shortest time to protect - mitigation starts immediately on-premise
No protection gap when traffic is diverted to the cloud - DefenseMessaging for synchronized protection
Single point of contact and extensive (optional) managed services - ERT Standard or Premium
Recommended for organizations that can deploy CPE in their data center
33. Hybrid Cloud DDoS Protection Service (diagram: attack starts)
Internet: large volumetric DDoS attack that saturates the pipe
Protected Organization: on-premises CPE (DefensePro, AppWall) in front of the Protected Online Services mitigates the attack
Defense Messaging: sharing essential information for attack mitigation with the Radware Cloud DDoS Protection service (DefensePros)
ERT and the customer decide to divert the traffic
34. Hybrid Cloud DDoS Protection Service (diagram: after diversion)
ERT and the customer decide to divert the traffic; Defense Messaging shares essential information for attack mitigation
Radware Cloud DDoS Protection Service (DefensePros) scrubs the attack; clean traffic is forwarded to the Protected Organization (DefensePro, AppWall, Protected Online Services)
36. Always-On Cloud DDoS Protection Service
Recommended for organizations that have apps on public cloud or cannot deploy a CPE in their data center
Shortest time to protection – traffic continuously routed through Radware’s cloud POPs, at all times
Minimal need for customer involvement – proactively fully-managed by Radware ERT
Unlimited service – supports unlimited # of attacks, size and duration
Additional cost for always routed traffic
As simple as it gets: Let Radware handle it all
37. Always-On Cloud DDoS Protection Service (diagram)
All traffic is always routed through the Radware Cloud service; all attack traffic is cleaned by Radware DefensePros and clean traffic is forwarded to the Protected Organization (Protected Online Services, AppWall)
No on-premise DefensePro device
39. On-Demand Cloud DDoS Protection Service
Recommended for organizations looking for the lowest-cost solution and less sensitive to real-time detection of application-level and SSL-based DDoS attacks
Traffic diverted to cloud only upon volumetric DDoS attacks. No on-premise appliance.
Diversion based on link utilization thresholds, flow statistics, or manually
Attack volume unlimited, but limitation on annual number of diversions
ERT Standard service only: supporting attack mitigation on-demand
Limited ability to detect application-level DDoS attacks
Lowest cost. Simplest deployment model.
40. On-Demand Cloud DDoS Protection Service (diagram: attack starts)
Attack is launched against the organization: large volumetric DDoS attack that saturates the pipe
[Diagram labels: Internet; Protected Organization (Protected Online Services, AppWall, no on-premise DefensePro device); Radware Cloud DDoS Protection service (DefensePros)]
41. On-Demand Cloud DDoS Protection Service (diagram: after diversion)
ERT and customer decide to divert traffic based on link utilization or flow statistics, or manually
Traffic diverted through the Radware Cloud DDoS Protection service (DefensePros); clean traffic forwarded to the Protected Organization (Protected Online Services, AppWall)
42. Cloud DDoS Protection Service Deployment Alternatives
Hybrid Cloud
Traffic diverted only upon pipe saturation
Minimal induced latency in peacetime
Unlimited # of attacks, size and duration
ERT Standard or Premium (managed service)
For organizations that can deploy CPE in their data center
Always-on Cloud
Minimal need for customer involvement
Unlimited # of attacks, size and duration
ERT Premium service level only
Additional cost for always routed traffic
For organizations that have apps on public cloud or cannot deploy CPE in their data center
On-Demand Cloud
Lowest cost; Simplest deployment
Detection based on link utilization thresholds or flow stats
Limitation on annual number of diversions
ERT Standard service only
Limited ability to detect application-level and SSL-based DDoS attacks
For organizations that are less sensitive to real-time detection of application-level and SSL-based DDoS attacks
Real-Time Monitoring
Across all Radware Security Modules
3rd Party Event Notifications
Comprehensive Reporting
Historical Reporting Engine
Customizable Dashboards
Advanced Forensics Reports
Compliance Reports
Ticket Work Flow Management
Event Correlation Engine
Role/User Based Access Control
Unmatched Enterprise-grade Web Security Protection
The Hybrid Cloud WAF Service is based primarily on Radware's web application firewall – AppWall.
Provides FULL coverage from ALL the OWASP top-10 attacks
Is ICSA Labs certified
Supports both negative and positive security models:
Positive security policies are based on behavioral analysis technology. The security technology learns what the possible inputs per each web page are and what the typical values per each input field are. It then locks the policy to the allowed ranges of values. Positive security profiles are a proven protection against zero-day attacks.
Negative security policies are based on static signature detection technology. The WAF module stores a signature file that covers thousands of known application vulnerabilities and exploits that are checked against every user transaction. Once a signature match is found, the session is terminated and the attack is blocked.
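The two models described in slide 19 and in the notes above can be seen side by side in a small policy engine. This is an added illustration, not Radware or AppWall code: the signature list, the learned form fields, the length/character-class envelope used as the "allowed range of values", and the sample requests are all constructed for the example. A request is first checked against known signatures (negative model); if nothing matches it is checked against the policy learned from peacetime traffic and locked (positive model), which is what catches an input no signature knows about.

```python
"""Toy WAF policy engine contrasting the negative (signature) and positive
(learned allow-list) security models. Added example, not Radware/AppWall code.
The signature list, learned fields and sample requests are all constructed."""
import re
from collections import defaultdict

# Negative model: a handful of constructed signatures (a real WAF signature
# file covers thousands of known vulnerabilities and exploits).
SIGNATURES = {
    "sqli-union": re.compile(r"(?i)union\s+select"),
    "xss-script-tag": re.compile(r"(?i)<script\b"),
    "path-traversal": re.compile(r"\.\./"),
}

# Value "kinds" from most to least restrictive; the positive model only widens
# a field's kind as far as the traffic observed during learning requires.
KIND_ORDER = ["digits", "alnum", "free"]


def value_kind(value):
    if value.isdigit():
        return "digits"
    if value.isalnum():
        return "alnum"
    return "free"


def negative_check(params):
    """Return the name of the first matching signature, or None if none match."""
    for value in params.values():
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                return name
    return None


class PositivePolicy:
    """Learns, per URL, which parameters exist and the length / character class
    of their values, then locks: anything outside the learned envelope is a
    violation even if no signature knows about it (the zero-day case)."""

    def __init__(self):
        self.learned = defaultdict(dict)  # url -> param -> {"max_len", "kind"}
        self.locked = False

    def learn(self, url, params):
        if self.locked:
            raise RuntimeError("policy is locked")
        for name, value in params.items():
            spec = self.learned[url].setdefault(name, {"max_len": 0, "kind": "digits"})
            spec["max_len"] = max(spec["max_len"], len(value))
            spec["kind"] = max(spec["kind"], value_kind(value), key=KIND_ORDER.index)

    def lock(self):
        self.locked = True

    def check(self, url, params):
        """Return a violation string, or None if the request fits the policy."""
        if url not in self.learned:
            return "unknown-url"
        for name, value in params.items():
            spec = self.learned[url].get(name)
            if spec is None:
                return "unknown-param:" + name
            if len(value) > spec["max_len"]:
                return "length:" + name
            if KIND_ORDER.index(value_kind(value)) > KIND_ORDER.index(spec["kind"]):
                return "kind:" + name
        return None


def evaluate(policy, url, params):
    """Signatures first (known attacks), then the positive policy (unknown
    attacks / input abuse). Returns (action, reason)."""
    sig = negative_check(params)
    if sig:
        return "block", "signature:" + sig
    violation = policy.check(url, params)
    if violation:
        return "block", "policy:" + violation
    return "allow", ""


def build_demo_policy():
    """Learn from a few constructed peacetime requests, then lock the policy."""
    policy = PositivePolicy()
    policy.learn("/login", {"user": "alice", "pass": "s3cret!pw"})
    policy.learn("/login", {"user": "bob12345", "pass": "x"})
    policy.learn("/item", {"id": "1234"})
    policy.lock()
    return policy


if __name__ == "__main__":
    p = build_demo_policy()
    for url, params in [("/login", {"user": "alice", "pass": "pw"}),
                        ("/item", {"id": "1234 UNION SELECT 1"}),
                        ("/item", {"id": "9;ls"}),
                        ("/login", {"user": "alice", "debug": "1"})]:
        print(url, params, "->", evaluate(p, url, params))
```

The `"9;ls"` and `"debug"` requests show the point of the positive model: neither matches a signature, yet both are blocked because they fall outside what was learned for that page. The cost is the learning phase and the lock: a legitimate application change (a new parameter) also reads as a violation until the policy is relearned, which is the problem the auto-policy-generation flow on slide 20 is meant to handle.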
Has the unique ability to generate policies automatically:
Patent-protected technology to create and maintain security policies for the widest security coverage with the lowest false positives and lowest operational effort.
A four-step flow to create and maintain security policies: Application Mapping, Threat Analysis, Policy Generation, Policy Activation
No other WAF can do that, and it eliminates many of the complexities involved with setting up and configuring existing WAF solutions.
Major US Airline
Experienced sophisticated attacks where bad bots were programmed to “scrape” certain flights, routes and classes of tickets.
Bots were acting as faux buyers—continuously creating but never completing reservations on those tickets
Resulting in the airline being unable to sell the seats to real customers
Invested in security protection but wasn’t able to differentiate between the “good” bots and the “bad” ones as the attackers dynamically changed the source IP.
Chose Radware’s AppWall with fingerprinting technology to block dynamic IP attacks
Lead example for need for Fingerprinting technology – blocking beyond source IP
Emphasize the ability to differentiate between good and bad bots
Highlight the challenges with source IP blocking with the growing dynamic IP attacks
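The airline case and slide 21 describe the same mechanism: identify a client by device attributes rather than by source IP, track its behaviour over time, and let that reputation drive blocking. The following is an added illustration, not Radware or AppWall code; the attribute set is the one slide 21 lists, while the hashing, the "abandoned reservations" scoring rule, the threshold and the session log are this example's own constructions.

```python
"""IP-agnostic device reputation: fingerprint a client from device attributes,
count reservation starts vs completions per fingerprint across whatever source
IPs it uses, and block a device that behaves like a faux-buyer scraper.
Added example; not Radware/AppWall code. Sample sessions are constructed."""
import hashlib
import json
from collections import defaultdict

# Attributes from slide 21; the source IP is deliberately NOT part of the fingerprint.
FINGERPRINT_ATTRS = ("os", "fonts", "screen", "plugins", "local_ips")


def device_fingerprint(attrs):
    """Stable short ID from device attributes only, so rotating the source IP
    does not produce a new identity. Lists are sorted so order does not matter."""
    canon = {}
    for key in FINGERPRINT_ATTRS:
        value = attrs[key]
        canon[key] = sorted(value) if isinstance(value, (list, tuple)) else value
    digest = hashlib.sha256(json.dumps(canon, sort_keys=True).encode()).hexdigest()
    return digest[:16]


class DeviceReputation:
    """Per-fingerprint counters. A device that opens many reservations and
    completes almost none is treated as a scraping / faux-buyer bot."""

    def __init__(self, max_abandoned=5):  # constructed threshold
        self.max_abandoned = max_abandoned
        self.stats = defaultdict(lambda: {"started": 0, "completed": 0, "ips": set()})

    def record(self, fp, source_ip, event):
        s = self.stats[fp]
        s["ips"].add(source_ip)
        if event == "reservation_started":
            s["started"] += 1
        elif event == "reservation_completed":
            s["completed"] += 1

    def abandoned(self, fp):
        s = self.stats[fp]
        return s["started"] - s["completed"]

    def verdict(self, fp):
        return "block" if self.abandoned(fp) > self.max_abandoned else "allow"

    def ips_seen(self, fp):
        return len(self.stats[fp]["ips"])


# Constructed sessions: one scraper rotating across three source IPs, one real customer.
SCRAPER = {"os": "Linux", "fonts": ["Arial", "DejaVu Sans"], "screen": "1024x768",
           "plugins": [], "local_ips": ["10.0.0.5"]}
CUSTOMER = {"os": "Windows 10", "fonts": ["Arial", "Calibri", "Segoe UI"],
            "screen": "1920x1080", "plugins": ["pdf-viewer"], "local_ips": ["192.168.1.20"]}

SESSION_LOG = (
    [("203.0.113.%d" % (i % 3 + 1), SCRAPER, "reservation_started") for i in range(9)]
    + [("198.51.100.7", CUSTOMER, "reservation_started"),
       ("198.51.100.7", CUSTOMER, "reservation_completed"),
       ("198.51.100.7", CUSTOMER, "reservation_started")]
)


def run(log):
    """Replay a (source_ip, device_attrs, event) log into a reputation table."""
    rep = DeviceReputation()
    for ip, attrs, event in log:
        rep.record(device_fingerprint(attrs), ip, event)
    return rep


if __name__ == "__main__":
    rep = run(SESSION_LOG)
    for label, attrs in (("scraper", SCRAPER), ("customer", CUSTOMER)):
        fp = device_fingerprint(attrs)
        print(label, fp, "ips:", rep.ips_seen(fp), "abandoned:", rep.abandoned(fp),
              "->", rep.verdict(fp))
```

An IP blacklist would see three addresses with three reservations each, none of them over a per-IP threshold; keyed on the fingerprint the same traffic is one device with nine abandoned reservations. The customer, who completes what they start, stays below the threshold.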
This is another unique capability in Radware’s solution. We are able to detect attacks more accurately, with lower false positives, by using patent protected behavioral analysis algorithm. Using this, we can accurately differentiate between a spike of traffic that is legitimate (for example – a marketing campaign or promotion) and a spike of traffic that is illegitimate – an attack.
Compared to a rate-based technology that simply blocks traffic above a certain rate and, in this way, blocks legitimate traffic as well, we will not block your legitimate traffic and will allow users to access your applications during peak traffic times as they should.
Why do we start here? These customers already know Radware and enjoy our products and services. They are uniquely positioned to benefit from an integrated ADC and security solution – to really extend their Radware ADC into a full solution that helps ensure the availability and security of their applications.
Offering Radware’s attack mitigation solution to these existing customers is all about promoting the hybrid, integrated and single-vendor solution. They will enjoy additional protection with a synchronized system that exchanges messaging between the ADC and attack mitigation devices to get the best possible protection. They will get a robust SSL solution that is unmatched in the industry.
Look at DTCC – The US Depository Trust & Clearing Corporation is a financial services company that provides clearing and settlement services to the financial market. Today it settles the vast majority of security transactions in the US and operates multiple facilities in the US and outside as well.
DTCC has been a Radware ADC customer for over 15 years and they were using Prolexic for DDoS mitigation. However, their encrypted HTTPS traffic was not protected. Radware was able to leverage the trust and partnership to sell them our attack mitigation solution that includes DefensePro and our SSL mitigation solution. They purchased a total of 10 boxes for 5 data centers globally for a total $1.1M deal size.
When an Attack Starts
On-premise attack mitigation device (DefensePro) mitigates attacks in real-time without ERT involvement
Defense Messaging
DefensePro sends ‘pipe utilization’ messages to DefensePipe
Defense Messages also include baselines and the attack footprint, so once traffic is diverted the attack is immediately mitigated accurately – no learning curve
Single Point of Contact
Once a pre-defined threshold is reached, the ERT asks for the customer’s approval to divert the traffic to the cloud
Attack is handled with the customer from inception at the customer’s premise
Link utilization thresholds by SNMP trap; MIB. Periodically sampled by our NOC every 1 min (configurable). Provides only throughput data. Threshold usually configured as 75% link utilization over 30 min.
Flow statistics collected by our NOC. The router is configured to periodically send us (every 1 min.) the flow statistics. Thresholds allow some baselining of peacetime legitimate traffic, so volumetric attack detection is more granular. However, detection of application-level attacks on specific resources is not available, such as SSL attacks that aim to starve SSL connection-per-second capacity, or HTTP DDoS.
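The two on-demand diversion triggers just described (a fixed link-utilization threshold held over a window, and a flow-statistics baseline) can be written down as a few lines of detection logic. This is an added example and not Radware NOC code: the one-minute sampling, the 75% / 30-minute rule and the "volume only" limitation come from the notes above; the class names, the mean-plus-k-sigma baseline and the sample series are this example's constructions.

```python
"""Diversion triggers for the on-demand model: SNMP link utilization sampled once
a minute, diversion proposed when it stays above 75% of link capacity for 30 min,
plus a flow-statistics variant that compares against a learned peacetime baseline.
Added illustration, not Radware NOC code; sample series are constructed."""
from collections import deque
from statistics import mean, pstdev


class LinkUtilizationTrigger:
    """Sliding window over per-minute utilization samples (fraction of capacity).
    Fires only when every sample in the window is above the threshold, i.e. the
    pipe has been saturated for the whole window rather than for a short burst."""

    def __init__(self, threshold=0.75, window_minutes=30):
        self.threshold = threshold
        self.window = deque(maxlen=window_minutes)

    def add_sample(self, utilization):
        """Feed one sample; True when diversion should be proposed to the customer."""
        self.window.append(utilization)
        return (len(self.window) == self.window.maxlen
                and min(self.window) > self.threshold)


class FlowBaselineTrigger:
    """Learns a peacetime baseline (mean + k*stddev of bits per second from flow
    records) and flags samples above it. More granular than a fixed link
    percentage, but it still only sees volume: a low-rate application-layer or
    SSL connection-exhaustion attack never registers here."""

    def __init__(self, k=3.0, min_samples=10):  # constructed parameters
        self.k = k
        self.min_samples = min_samples
        self.peacetime = []

    def learn(self, bps):
        self.peacetime.append(bps)

    def ceiling(self):
        """Anomaly ceiling, or None until enough peacetime samples were seen."""
        if len(self.peacetime) < self.min_samples:
            return None
        return mean(self.peacetime) + self.k * pstdev(self.peacetime)

    def is_anomalous(self, bps):
        c = self.ceiling()
        return c is not None and bps > c


def first_diversion_minute(samples, trigger):
    """Return the 1-based minute at which the trigger first fires, or None."""
    for minute, sample in enumerate(samples, start=1):
        if trigger.add_sample(sample):
            return minute
    return None


# Constructed per-minute utilization: 10 quiet minutes, a 5-minute burst to 90%
# (must NOT divert), back to 40%, then sustained saturation at 95% from minute 26.
SAMPLES = [0.40] * 10 + [0.90] * 5 + [0.40] * 10 + [0.95] * 40

# Constructed peacetime flow volumes in Mbps for the baseline variant.
PEACETIME_MBPS = [90, 100, 110, 95, 105, 100, 98, 102, 97, 103]


if __name__ == "__main__":
    print("link trigger fires at minute:",
          first_diversion_minute(SAMPLES, LinkUtilizationTrigger()))
    flow = FlowBaselineTrigger()
    for v in PEACETIME_MBPS:
        flow.learn(v)
    print("flow ceiling (Mbps): %.1f" % flow.ceiling())
    print("112 Mbps anomalous?", flow.is_anomalous(112), "| 300 Mbps?", flow.is_anomalous(300))
```

With the series above the link trigger fires at minute 55, thirty minutes after sustained saturation begins and never during the five-minute burst, which is the trade-off the notes describe: a 30-minute window suppresses false diversions (each of which counts against the annual limit) at the price of a long detection delay. The flow baseline reacts to a tripling of volume but leaves a 12% rise alone, and, like the link threshold, it has no view of an attack that exhausts SSL handshakes or HTTP workers without moving the volume needle.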