AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
December 1, 2016
SAC316
Security Automation Using AWS WAF:
Spend Less Time Securing Your Applications

What to expect from this session
Introduction to
AWS WAF
AWS WAF 101

Introduction to
AWS WAF
AWS WAF security
automation strategies
AWS WAF 101

Introduction to
AWS WAF
AWS WAF security
AWS WAF 101
5 automation strategies
1. Provisioning WAF
2. Deploying WAF
3. Importing rules
4. Automated incident response
5. Learning-based protections

AWS WAF security
AWS WAF 101
Demo and getting
started
Introduction to
AWS WAF

Why AWS WAF?
Application vulnerabilities
Good users
Bad guys
Web server
Database
Exploit
code AWS
WAF

Why AWS WAF?
Content abuse: Bots and scrapers
Good users
Bad guys
Web server
Database
AWS
WAF

Why AWS WAF?
Application DDOS
Good users
Bad guys
Web server
Database
AWS
WAF

AWS WAF: Rules in action
Monitor security events

AWS WAF: Integrated with AWS
Amazon CloudFront
Global content delivery network to accelerate
websites, API, video content, and other web assets

AWS WAF: Integrated with AWS
Amazon CloudFront Application Load Balancer
Load balancer with advanced request routing, and support
for microservices and container-based applications
Global content delivery network to accelerate
websites, API, video content, and other web assets
Announcing today..

Why is ALB integration important?

Applications not using Amazon CloudFront
Good users
Bad guys AWS WAF
region
Amazon CloudFront
Amazon S3

Block traffic that bypass any proxy, like CDN
Good users
Bad guys
AWS WAF region
Amazon
CloudFront
AWS WAF

Protect internal load balancer
Good users
Bad guys AWS WAF
region
Application
server
NGINX TLS
termination
TCP/SSL
ELB

Introduction to
AWS WAF
AWS WAF security
AWS WAF 101
Demo and getting
started

Why security automation
Spend less time securing your applications
Instead, focus on building applications

We built a WAF that has…
Customizable and
flexible rules
APIs: Integration
with DevOps
…allowing several WAF automation strategies
Quick rule update

AWS WAF security automation strategies..
Provisioning WAF Configuring rules Importing rules Automated incident
response
Learning-based
protections
… to spend less time securing applications

AWS WAF security automation strategies
Provisioning WAF Configuring rules Importing rules Automated incident
response
Learning-based
protections

Provisioning AWS WAF
Step 1 –
Create
web ACL

Rule 1: Whitelist [ALLOW]
Rule 2: Blacklist [BLOCK]
Rule 3: Common protection [BLOCK]
Step 1 –
Create
web ACL
Step 2 – Add rule

IP whitelist
SQL injection
URL match
IP blacklist
Step 1 –
Create
web ACL
Step 2 – Add rule Step 3: Add condition

IP Whitelist
SQL injection
URL match
IP Blacklist
Step 1 –
Create
web ACL
Step 2 – Add rule Step 3: Add condition
Step 4:
Associate
CloudFront
ALB

Provisioning AWS WAF: Reuse
Spend less time by reusing WAF rules

IP whitelist
internal IP
SQL injection
URL match
IP blacklist
known bad
Rule 3: Common protection #1 [BLOCK]
Web ACL #1
ALB 1
(dev env)
XSS match
Web ACL #2ALB 2
(prod env)

IP whitelist
internal IP
SQL injection
URL match
IP blacklist
known bad
Web ACL #1
ALB 1
(dev env)
XSS match
Web ACL #2ALB 2
(prod env)
ALB 3
(new app)

Quickly fix vulnerabilities
Example: {CVE-2016-538}
• Server-side web applications that utilize the HTTP_Proxy header as an environment
variable
• Attacker could intercept connections between a client and server.
Quick solution:
Use AWS WAF to configure a rule to detect and block web requests that contain a proxy
header.

IP whitelist
internal IP
SQL injection
URL match
IP blacklist
known bad
Web ACL #1
ALB 1
(dev env)
XSS match
Web ACL #2ALB 2
(prod env)
ALB 3
(new app)

IP whitelist
internal IP
SQL injection
URL match
IP blacklist
known bad
Web ACL #1
ALB 1
(dev env)
XSS match
Web ACL #2ALB 2
(prod env)
ALB 3
(new app)
Rule 5: CVE-2016-538 [BLOCK] Header match

Negative
Typical of prod deployment
ALLOW by default
BLOCK known bad
Provisioning AWS WAF: Rule strategy
Positive
Typical of restricted site
BLOCK by default
ALLOW known good
Examples:
• BLOCK MalwareIncIPRange
• BLOCK “{;}”
Examples:
• ALLOW SeattleOfficeIPRange
• ALLOW referrer header “example.com”

Demo
Show how to get started
Reusing rules

Configuring AWS WAF rules
IP whitelist
internal IP
SQL injection
URL match
IP blacklist
known bad
Web ACL #1
ALB 1
(dev env)
XSS match
Web ACL #2ALB 2
(prod env)
ALB 3
(new app)

How to quickly get started with
common protections?

Preconfigured AWS CloudFormation templates for common protection
CloudFormation template
AWS WAF Configuration

Configuring AWS WAF: Common protection
Enable common protections
 SQL injection
 Cross-site scripting
 Attack from known bad IP addresses

Preconfigured protections: Customer example
Need quick setup and common
protections like SQLi, XSS
“Overall, the entire stack so far has been extremely helpful. I truly would say that
this stack should almost be a standard built-in for anyone looking to use WAF as I
cannot begin to tell you how useful and truly effective it is.”
Describe eVitamins

Create a rule to block SQLi
/login?x=test%20Id=10
/login?x=test%27%20UNION%20ALL%20select%20NULL%20--
/login?x=test’ UNION ALL select NULL --
Transform: URL decode
True
Match: SQL injection
False

Configuring AWS WAF: Common protection
Demo

IP whitelist
internal IP
SQL injection
URL match
IP blacklist
known bad
Web ACL #1
ALB 1
(dev env)
XSS match
Web ACL #2ALB 2
(prod env)
ALB 3
(new app)
Can we improve the common protections?

It is possible for almost any email server to block over 90% just
based on IP reputation
- http://www.spamrats.com/ip_reputation_spam_stats.pdf
IP reputation lists can identify roughly 90% of all spam
- http://www.acm.org/
- (http://dl.acm.org/citation.cfm?id=1831448)

Importing AWS WAF rules
Import open source IP reputation lists

Importing AWS WAF rules
Open source IP reputation lists

Configuring AWS WAF Rules
IP whitelist
internal IP
SQL injection
URL match
IP blacklist
known bad
Web ACL #1
ALB 1
(dev env)
XSS match
Web ACL #2ALB 2
(prod env)
ALB 3
(new app)
Rule 6: IP reputation [BLOCK]
IP blacklist
known bad

So far,
 Whitelist known good
 Blacklist known bad IP
 Common protections like SQLi and XSS
 Import IP reputation list

So far,
 Whitelist known good
 Blacklist known bad IP
 Common protections like SQLi and XSS
 Import IP reputation list
How can you customize rules for your application?

Provisioning WAF Configuring rules Importing rules Automated
incident response
Learning-based
protections

• Set-and-forget rules are very effective
• But are not customized for your applications
• Malicious actors are adaptive and persistent
• Incident response for threat mitigation

Traditional incident response
Good users
Bad guys
Server
AWS
WAF
Logs Threat
analysis
Notification
Security engineer

We need..
• Sophisticated out of band analysis
• Integrate application-specific data sources
• Automated incident response

Automated incident response
Good users
Bad guys
Server
AWS
WAF
Logs Threat
analysis
Rule updater
Notification
Security engineer

AWS WAF for automated incident response
Automatically respond to incidents based on real-time analysis
APIs for automation ~1 min rule updateReal-time processing

Security automation: Use cases
HTTP floods Scans and probes Bots and scrapers
Attackers
Use cases that static rules cannot protect effectively

WAF example: A technical implementation
Blocking bad bots dynamically with AWS WAF web ACLs

WAF example: Blocking bad bots
What we need…
• IPSet: Contains our list of blocked IP addresses
• Rule: Blocks requests if requests match IP in our IPSet
• Web ACL: Allow requests by default; contains our Rule
and…
• Mechanism to detect bad bots
• Mechanism to add bad bot IP address to IPSet

WAF example: Detecting bad bots
• Use robots.txt to specify
which areas of your site or web
app should not be scraped
• Place file in your web root
• Ensure there are links pointing
to nonscrapable content
• Hide a trigger script that
normal users don’t see and
good bots ignore
$ cat webroot/robots.txt
User-agent: *
Disallow: /honeypot/
<a href="/honeypot/"
class="hidden" aria-
hidden="true">click me</a>

WAF example: Blacklist bad bots
• Bad bots (ignoring your robots.txt)
will request the hidden link
• Trigger script will detect the
source IP of the request
• Trigger script requests change
token
• Trigger script adds source IP to
IPSet blacklist
• Web ACL will block subsequent
request from that source
$ aws --endpoint-url
https://carrot.amazon.com/ carrot get-
change-token
{
"ChangeToken": "acbc53f2-46db-4fbd-
b8d5-dfb8c466927f”
}
$ aws --endpoint-url
https://carrot.amazon.com/ carrot update-
ip-set --cli-input-json '{ "IPSetId":
”<<IP SET ID>>", "ChangeToken":
"acbc53f2-46db-4fbd-b8d5-dfb8c466927f",
"Updates": [ { "Action": "INSERT",
"IPSetDescriptor": { "Type": "IPV4",
"Value": ”<<SOURCE IP>>/32" } } ] }’
{
"ChangeToken": "acbc53f2-46db-4fbd-
b8d5-dfb8c466927f”
}

Automated incident response using AWS WAF
Automated incident response is effective
Customized for your application

Automated incident response: Customer example

MapBox uses WAF to protect from bots
Good users
Bad guys
Serve
r
AWS
WAF
Logs
Threat
analysis
Rule updater

Automated incident response using AWS WAF
• But attackers are persistent
• Adapt to firewall rules
Can we adapt our firewall rules?
Build continuously learning automated security

Provisioning WAF Configuring rules Importing rules Security Automation Learning-based
protections

What is machine learning
Machine learning is the technology that automatically finds
patterns in your data and uses them to make predictions
for new data points as they become available
Your data + machine learning = smart applications

Amazon Machine Learning
Easy-to-use, managed machine learning service
built for developers
Robust, powerful machine learning technology
based on Amazon’s internal systems
Create models using your data already stored in
the AWS Cloud
Deploy models to production in seconds

AWS WAF with Amazon Machine Learning
Amazon Machine Learning
GoodHTTPrequests
BadHTTPrequests
2. Train model1. Build model 3. Evaluate model
4. Retrieve
prediction
ALLrealHTTPrequests
UpdateAWSWAF
AWS WAF

A PoC on learning-based WAF

The problem:
Detect requests from domain generation algorithms
Solution:
Use referrer header to detect bad domains visiting my website based
on machine learning

1. Data preparation – Feature engineering
2. Train model based on known good and
bad domains
3. Evaluate using real data

1. Data preparation – Feature engineering

2. Train model based on known good and bad domains
Good domains: Alexa 10,000
Bad domains: Known phishing domains

3. Evaluate using real data
Use raw logs from CloudFront logs
#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-
edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-
type cs-protocol-version 2014-05-23 01:13:11 FRA2 182 192.0.2.10 GET d111111abcdef8.cloudfront.net /view/my/file.html 200
www.displaymyfiles.com Mozilla/4.0%20(compatible;%20MSIE%205.0b1;%20Mac_PowerPC) - zip=98101 RefreshHit
MRVMF7KydIvxMWfJIglgwHQwZsbG2IhRJ07sn9AkKUFSHS9EXAMPLE== d111111abcdef8.cloudfront.net http - 0.001 - - - RefreshHit
HTTP/1.1 2014-05-23 01:13:12 LAX1 2390282 192.0.2.202 GET d111111abcdef8.cloudfront.net /soundtrack/happy.mp3 304
www.unknownsingers.com Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%205.1) a=b&c=d zip=50158 Hit
xGN7KWpVEmB9Dp7ctcVFQC4E-nrcOcEKS3QyAez--06dV7TEXAMPLE== d111111abcdef8.cloudfront.net http - 0.002 - - - Hit HTTP/1.1

Demo

Category Result
Accuracy 98%
Recall true positive rate 78%
False positive rate 1%
True negative rate 99%
How good is our machine learning model

Summary
1. Provisioning WAF – Reuse rules
2. Configuring WAF – Get started in minutes using CloudFormation template
3. Importing rules –
4. Automated incident response – DevOps WAF
5. Learning-based WAF –

Summary
Provisioning WAF
Reuse rules
Configuring rules
Configure common
protections in minutes
using CloudFormation
templates
Importing rules
Automated reputation
list from external
sources
Automated incident
response
Advanced
application-specific
firewall rules
Learning-based
protections
Smart adaptive
protections using
Amazon ML

Remember to complete
your evaluations!

Thank you!
Get started with AWS WAF:
https://console.aws.amazon.com/waf

AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)

Similar to AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316) (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applications (SAC316)