
Protect your applications from DDoS/BOT & Advanced Attacks



  1. Protect your Applications from DDoS / BOT & Advanced Attacks (AWS x F5). Peter Chan, Solutions Architect, Amazon Web Services; Ryan Lo, Regional Manager, Shape Security Solutions Engineering, F5 Networks; Clive Chan, Manager, Solutions Engineering, F5 Networks. EDGE Services. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential.
  2. Common External Threats
     - Denial of Service: SYN floods, reflection/amplification, web request floods
     - App Vulnerabilities: SQL injection, cross-site scripting (XSS), OWASP Top 10, Common Vulnerabilities and Exposures (CVE)
     - Bots: crawlers, content scrapers, scanners & probes, credential stuffing
  3. Mitigation approach (cloud native approach)
     - Well-Architected application
     - Traffic monitoring for detection and alerts
     - Operations and incident response
  4. Protecting the Application Perimeter
     - AWS Shield Standard: protects AWS services against common DDoS attacks
     - AWS WAF: protects web applications by allowing you to write custom rules or choose managed rules from AWS or the AWS Marketplace
     - AWS Shield Advanced: resource-specific detections, advanced mitigation, access to the SRT, enhanced visibility and economic protection
     - AWS Firewall Manager: centrally configure and manage security rules across accounts and applications
  5. Built-in Protection With Shield Standard (automatic Layer 3/4 protection; recommended with CloudFront and Route 53)
     - Available at no additional charge
     - Baselining and anomaly detection across all of AWS
     - Mitigation with proprietary packet filtering stacks using suspicion-based scoring
     - Automatic defense against the most common network and transport layer DDoS attacks for any AWS resource, in any AWS Region
     - Comprehensive defense against all known network and transport layer attacks when using Amazon CloudFront and Amazon Route 53
  6. AWS Shield Standard & Advanced: Built-in DDoS Protection for Everyone. Enhanced protection:
     - DDoS expertise: 24x7 access to the DDoS Response Team (DRT)
     - Visibility & compliance: CloudWatch metrics, attack diagnostics, global threat environment dashboard
     - Economic benefits: AWS WAF at no additional cost for protected resources; AWS Firewall Manager at no additional cost; cost protection for scaling
  7. AWS Shield Advanced
  8. Benefits of AWS Shield Standard and Shield Advanced
     - Detection and mitigation: faster mitigation, customized to your application; 24x7 Shield Response Team (SRT); pre-configured protection (Point and Protect wizard)
     - Visibility: CloudWatch metrics, attack diagnostics, global threat environment dashboard, quarterly security report
     - Economic benefits: AWS WAF at no additional cost for protected resources; AWS Firewall Manager at no additional cost; cost protection for scaling
     - AWS Shield Proactive Engagement
  9. Protect Resources with AWS Shield: Amazon CloudFront, Amazon Route 53, Elastic Load Balancing, AWS Global Accelerator, Elastic IP Address
  10. AWS Shield Advanced: Managed Threat Protection
     - Easy to configure without changing your application architecture
     - Comprehensive protection against DDoS attack vectors
     - Near-real-time event visibility
     - Protection from economic attack vectors
  11. 24x7 access to the Shield Response Team
     - Before attack: proactive consultation and best practice guidance
     - During attack: attack mitigation
     - After attack: post-mortem analysis
  12. AWS WAF
  13. AWS WAF: Web Application Protection
     - Advanced automation: API-driven architecture
     - Frictionless setup: no changes required
     - Low operational overhead: ready-to-use rules
     - Customizable security: custom rule engine
  14. Protect Resources With AWS WAF: Amazon CloudFront, Application Load Balancer, Amazon API Gateway
  15. Rule Groups. Option to use a rule building engine or JSON to create custom rules, and define:
     - Type of rule (regular, rate limit)
     - Different parts of the request to be inspected (IP, country, HTTP attributes, ...)
     - Transformations
     - Logical combination of statements
     - Action to take (block, allow, count)
     - Priority of execution
  16. AWS Managed Rules: a set of pre-configured rules that you can deploy on your application
     - Covers common attack vectors and threats
     - Curated and maintained by a threat research team
     - Influenced by the OWASP Top 10 Web Application Security Risks
     Available to all customers at no extra charge.
  17. Marketplace Rules
     - Rules written, updated, and managed by security experts
     - Pay as you go: no lock-in or long-term commitment
     - Easy to deploy
     - Choice of protections: OWASP Top 10 & other web exploits; Common Vulnerabilities and Exposures (CVE); bot protection; IP reputation lists; CMS rules (WordPress, Joomla, and others); Apache and NGINX vulnerabilities
  18. Visibility options
     - CloudWatch metrics: metrics on every rule (Allowed | Blocked | Counted | Passed). Use case: set alarms for notifications
     - Sampled web requests: detailed logs of a sample of requests, automatically available for every rule. Use case: quickly test AWS WAF rules; easy triaging on the console
     - Full logs: detailed logs of every request, optionally enabled for your web ACL. Use case: security analytics, monitoring, automation, auditing, and compliance
  19. Dashboards for WAF (SumoLogic)
  20. Basic Bot Mitigation using AWS WAF
     - Amazon Managed Rules for WAF: Amazon IP reputation list; Anonymous Proxy list
     - Rate Based Rules: AWS WAF RBRs
     - Advanced bot protection by AWS partner: F5 Shape Security
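An added example, not taken from the deck, of the rule structure slide 15 lists and the rate-based rule slide 20 recommends for basic bot mitigation: one AWS WAF (WAFv2) rule in the JSON form the console's rule editor accepts, combining the rule type (rate limit), the inspected request parts (URI path and HTTP method), text transformations, an AND of statements, the action and the priority. The rule name, metric name, the /login path and the limit of 1000 requests per source IP within the rate-based rule's 5-minute window are constructed values.

```json
{
  "Name": "RateLimitLoginPosts",
  "Priority": 10,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 1000,
      "AggregateKeyType": "IP",
      "ScopeDownStatement": {
        "AndStatement": {
          "Statements": [
            {
              "ByteMatchStatement": {
                "FieldToMatch": { "UriPath": {} },
                "PositionalConstraint": "STARTS_WITH",
                "SearchString": "/login",
                "TextTransformations": [
                  { "Priority": 0, "Type": "URL_DECODE" },
                  { "Priority": 1, "Type": "LOWERCASE" }
                ]
              }
            },
            {
              "ByteMatchStatement": {
                "FieldToMatch": { "Method": {} },
                "PositionalConstraint": "EXACTLY",
                "SearchString": "POST",
                "TextTransformations": [
                  { "Priority": 0, "Type": "NONE" }
                ]
              }
            }
          ]
        }
      }
    }
  },
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RateLimitLoginPosts"
  }
}
```

Only POSTs whose path starts with /login count towards the per-IP limit, so the rule does not throttle a source IP that is merely browsing. Changing "Action" to { "Count": {} } gives the observation mode slide 54 describes: matches show up in the slide 18 CloudWatch metrics and sampled requests without being blocked, which lets the limit be tuned before the rule is switched to Block.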
  21. AWS Firewall Manager
  22. AWS Firewall Manager
     - Ensure compliance with mandatory rules across the organization
     - Central management of rules across accounts & applications
     - Enable rapid response to attacks across all accounts
     - Automatically discover new accounts and remediate non-compliant events
  23. Governance examples
  24. Findings in Security Hub: AWS WAF, AWS Shield and VPC Security Groups findings in AWS Security Hub
  25. Overview of F5 Managed Security Solutions. Clive Chan, Manager, Solutions Engineering, HK & Macau. ©2020 F5
  26. The Challenges
     - Average total cost of a data breach: $3.92M (IBM/Ponemon, 2019 Cost of a Data Breach Report)
     - Percentage of traffic that is fake or bot based: 90% (Shape Security)
     - Shortage of cybersecurity experts: 4.07M ((ISC)2 2019 Cybersecurity Workforce Study)
     - Number of credentials stolen or leaked in 2018: 3 billion (F5 Labs)
  27. Your Options: Do It Yourself; 3rd Party SecPaaS; Managed Security Service. Customer profiles addressed:
     - Customers that have a large pool of resources and expertise
     - Customers that have DevOps environments or have apps that are constantly changing
     - Customers with sufficient engineering and SOC resources
     - Customers that prefer to have their SOC conduct real-time monitoring and incident response
     - Customers able to leverage the resources to implement, manage and monitor advanced technical security services 24x7x365
     - Customers looking for multi-cloud and hybrid (on-premises and cloud) integrated security
  28. F5 Silverline Managed Security Services, for modern and multi-cloud businesses
     - 100+ security experts; 130+ countries serviced; 15,000+ websites protected; 48 different verticals; 9.4/10 customer satisfaction
     - Proven WAF, API, fraud and bot mitigation technology
     - Protection of network and web/mobile applications
     - 24x7 global SOC
     - Flexible, reliable, secure and compliant
  29. F5 Silverline Managed Services Offerings
     - Silverline Shape Defense: protection against bots and sophisticated credential stuffing and account takeover attacks, carding, and OWASP Automated Threats; patented telemetry and signal collection along with advanced AI/ML
     - Silverline Threat Intelligence: restrict access to the customer's networks and infrastructure for known bad actors (botnets, scanners, spammers, anonymous proxies, etc.); enable granular threat reporting and automated blocking
     - Silverline Web Application Firewall: managed provisioning and service enablement; expert-created WAF policies with customization specific to each customer
  30. F5 Silverline Managed Services: Global Deployment Model
     - Global SOC, 24x7x365 continuous monitoring and incident response. Active operations centers: Seattle, WA, United States; Warsaw, Poland; Guadalajara, Mexico
     - Fully redundant and globally distributed data centers: San Jose, CA, US; Ashburn, VA, US; Columbus, OH, US; Frankfurt, Germany; London, UK; Singapore, SG; Sydney, AU
     - Future operations centers: Hong Kong, HK; Mumbai, IN; Montreal, CA; São Paulo, BR; Manama, BH; Tokyo, JP
  31. How Silverline Works
  32. F5 Silverline Managed Services Value Proposition
     - Enables business: enables business transformation; lowers investment risks; supports multi-cloud strategy
     - Supports IT: no infrastructure to buy and manage; no capex, no lock-in; lower TCO and IT risks
     - Improves security: improved threat detection and incident response; secure access to cloud and on-premises applications; flexible options to 'right-size' the services
     - Maintains compliance: maintains PCI and HIPAA; supports customers' SOX/GDPR/PCI/HIPAA; reduces the time to achieve and the cost of managing compliance
  33. Protect Your Applications from DDoS & Advanced Attacks (BOT & Credential Stuffing). Ryan Lo, Regional Manager, Solutions Engineering, F5 Shape Security. August 2020
  35. You probably have used Shape before and are using Shape now: we're the reason you log in a lot less and see fewer CAPTCHAs. (Confidential / Part of F5)
  36. Currently, the burden of proving known good is on human users: ridiculous CAPTCHAs; 2FA by trying to remember your favorite pizza toppings; password resets; lots of repetitive logins
  37. Security vs User Experience
  38. Cybercriminals Bypass CAPTCHA Through Solver Services
  39. CAPTCHA Cannot Stop Bad Actors
  40. CAPTCHA Cannot Stop Bad Actors But Blocks the Real Users
  41. Currently, the burden of proving known good is on human users: Nintendo suggests that users secure their Nintendo Account by enabling 2-Step Verification
  42. Fraud occurs when criminals act like legitimate users. Users (criminals mixed in with good users) reach web, mobile apps and API endpoints that serve good users and criminals alike; the criminals are not evident until it's too late. Organisations must be open to anyone, anywhere, on any device.
  43. Retail - Reward Program Aggregators: they provide a valuable alternative
  44. Retail - Reward Program Aggregators: how do fintechs and rewards program operators differentiate good from bad users?
  48. Retail - Inventory Lockout: how many bots are in front of you?
  49. Retail - Sneaker Bots
  51. Retail - Sneaker Bots: Shape signals can identify device farms
  52. Travel - Inventory Scraping: scrapers are increasing the airline's infrastructure costs and affecting the airline's ability to manage revenue
  53. Travel - Inventory Scraping: how to simulate user behavior through Selenium. Attackers started with developer libraries like Selenium and Puppeteer before creating custom tools.
  54. Results - A Fortune Global 2000 Customer. [Chart: POSTs to /login every three hours, April to June, 0 to 6M; series: human, detected & flagged, detected & blocked. Annotations in sequence: Observation Mode (flagging only); Mitigation Mode (on attacker fingerprints); retool detected in Stage II (update Stage I); Mitigation Mode (on new fingerprint); attacker gives up.]
  55. Multi-stage detection is paramount. Shape provides multi-stage detection as a service. [Architecture diagram: web & mobile browsers (JS) and native mobile apps (Mobile SDK), Internet, AWS CloudFront, Stage I and Stage II (machine learning, artificial intelligence, 24x7), customer origin servers; good traffic passed, bad traffic blocked.]
  56. Reducing Friction, Fraud and Fiction: identify and mitigate unwanted traffic; differentiate good customers from bad customers; create a friction-free user experience and increase revenue
  57. Multi-stage detection is paramount. Shape provides multi-stage detection as a service. [Architecture diagram: web & mobile browsers and native mobile apps (Mobile SDK), Internet, load balancer, appliance, Stage I and Stage II (machine learning, artificial intelligence), customer origin servers; good traffic passed, bad traffic blocked.]
  58. Multi-stage defense enables long-term efficacy: an actual Shape customer's journey to less than 1% automation, from 78% automated (2018) to <1% automated (2019)
  59. Q & A
  60. Thank you. Please give us feedback!
  61. Protecting web applications. [Architecture diagram components: AWS Edge Services with Amazon Route 53, Amazon CloudFront and AWS WAF (Shield Advanced protected resources); Region with a VPC, an ALB and AWS WAF in a public subnet, compute capacity in a private subnet, and Amazon S3.]
  62. Protecting latency sensitive applications. [Architecture diagram components: AWS Edge Services with Amazon Route 53 and AWS Global Accelerator (Shield Advanced protected resources); Region with a VPC, a Network Load Balancer (TLS) and an EIP in a public subnet, and compute capacity in a private subnet.]
  63. Costs
     - WAF: Web ACL $5.00 per month (prorated hourly); Rule $1.00 per month (prorated hourly); Request $0.60 per 1 million requests
     - Firewall Manager: charges incurred by AWS Firewall Manager are for the underlying services, such as AWS Config (additional charges may apply if not subscribed to Shield Advanced)
     - Shield Advanced: subscription commitment 1 year*; monthly fee per organization $3,000.00; data transfer out usage fees apply
