Tune in for the Ultimate WAF Torture Test: Bots Attack!

Post on 08-Aug-2015


Sponsored by

Webinar Logistics

• Enable pop-ups within your browser

• Turn on your system’s sound to hear the streaming presentation

• Questions? Submit them to the presenters at anytime on the console

• Technical problems? Click “Help” or submit a question for assistance

Optimize your experience today

POLL #1

What is your biggest concern when it comes to bots?

• Web scraping

• Click Jacking / Ad Fraud

• Website security

• Website performance

Single select

Featured Presenters

Our knowledgeable speakers today are:

Rami Essaid

CEO & Co-Founder

Distil Networks

John Stauffacher

Author of Web Application Firewalls: A Practical Approach


Agenda

Anti-Bot Technology Lab Test

• Imperva WAF

• F5 Networks ASM

• Distil Networks

How to Optimize Your WAF for Bot Detection and Mitigation

Why Whitelisting is Always Better than Blacklisting

Optimizing Web App Security Based on Your Vulnerability Profile

8 Best Practices (and 2 Things You Should Never Do!)

Full Disclosure

My Background

• Author of Web Application Firewalls: A Practical Approach

• Security Architect with national consulting firm

• Red Team Member Western Regional Cyber Defense Competition (WRCDC)

• Bug Bounty Participant

Bias

• No compensation

• Free/minimal product licensing costs

Testing scenario is based on a fictitious airline called Superion Air

Superion Air Testing Scenario

Company Background

• Exponential growth (regional to national player)

• “Small IT Shop” stressed by customer demand and growing security threats

• Cloud agreement offers cheap ‘baseline’ rates but high tariffs on ‘bursts’

• Competitors and metasearch upstarts are aggressively scraping their site

Superion Air Testing Scenario

Superion Air’s website and backend systems manage key parts of the enterprise

• Pilots log in to get their schedules

• Maintenance rotates planes in and out of service

• The frequent flyer program is gaining traction, but if a user logs in from two locations at the same time, the database can lock and become corrupted. They need a way to enforce one login per IP

Enterprise Environment – Superion Air

Client Facing

• Nginx Web Server

• WordPress-backed Cloud-enabled Application

• MySQL Backend Database

Cloud

• VMware ESXi 5.5

• Dell PowerEdge 2950 Servers

• iSCSI Array

Data Center

• Limited Bandwidth

Lab Test Bake Off

Note: Logging provided by Datadog

Vendor            Product            Version
Imperva           SecureSphere       11.0
F5 Networks       ASM                11.6
Distil Networks   Distil Appliance   N/A

The Bad Guys

Simple

• Python

• Perl

• Curl

Sophisticated

• PhantomJS

• Selenium

• Automation Anywhere

Volumetric

• LoadImpact

• Bees With Machine Guns

• Vbooter

Lab Test Results

Test                    Imperva              F5 Networks          Distil Networks
Perl - LWP              Pass (10 requests)   Pass (10 requests)   Pass (0 requests)
Perl - WWW::Mechanize   Pass (10 requests)   Pass (10 requests)   Pass (0 requests)
Curl                    Pass (20 requests)   Pass (20 requests)   Pass (0 requests)
Commercial Botnet       5 min                5 min                2 min

Lab Test Results

Test                              F5 Networks         Distil Networks
General Load                      4 min 20 sec        2 min 20 sec
Brute Force ‘Admin’ Time          1 min 49 sec        6 sec
Automation Anywhere               Fail                Fail
Flight Scraping, UA: LoadImpact   Fail                Pass
Flight Scraping, UA: Chrome       Fail                Fail
PhantomJS                         Pass (3 requests)   Pass (0 requests)

For Additional Lab Test Results, please visit www.superionair.co

Poll #2 (single select)

What is your biggest concern when it comes to WAF?

• Lack of knowledge about the technology

• Lack of formal development process

• Time and investment in building the program

• Don’t really see the need or how it fits in my organization

About Distil Networks

Fortune 500, Leading Banks and the Alexa 10,000

About Distil Networks

Bot Detection is a new Category, Not a Feature

• NOT a Content Delivery Network (CDN)

• NOT a Distributed Denial of Service (DDoS) protection solution

• NOT a simple IP list or set of scripts

• NOT a Web Application Firewall (WAF)

A purpose-built bot detection solution is always updating and evolving

About Distil Networks

How Companies Benefit from Distil Networks

The World’s Most Accurate Bot Detection System

Inline Fingerprinting
Fingerprints stick to the bot even if it attempts to reconnect from random IP addresses or hide behind an anonymous proxy.

Known Violators Database
Real-time updates from the world’s largest Known Violators Database, which is based on the collective intelligence of all Distil-protected sites.

Browser Validation
The first solution to disallow browser spoofing by validating that each incoming request is the browser it reports itself to be, and to detect all known browser automation tools.

Behavioral Modeling and Machine Learning
Machine-learning algorithms pinpoint behavioral anomalies specific to your site’s unique traffic patterns.

Two Months of Free Service + Traffic Analysis

www.distilnetworks.com/trial/

Referral Code: DARKREADING

Offer Ends June 31st

How to Optimize your WAF for Bot Detection and Mitigation

Optimizing Your WAF for Anti-Bot

Know your customers and restrict access

• User Agents

• GeoLocation Enforcement

• Session Limits
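The three restrictions on this slide as one deny-by-default gate in Python. This is an added example, not code from the webinar or from any of the tested products. The User-Agent patterns, the GeoIP table, the allowed-country set and the one-session-per-IP cap are assumptions standing in for a real WAF policy and GeoIP database. One caveat the lab table bears out: a User-Agent check only stops tools that do not bother to spoof one, so treat it as the cheapest first filter rather than a control.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed User-Agent allow-list (an assumption for this example): a positive
# model of the browsers real customers send, not a list of known-bad bots.
# Anything that does not match is dropped.
ALLOWED_UA = [
    re.compile(r"^Mozilla/5\.0 .*(Chrome|Firefox|Safari|Trident)/\d+"),
]
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/44.0.2403.107 Safari/537.36")

# Constructed GeoIP table standing in for a real GeoIP lookup (assumption).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "A1",   # anonymous proxy range
}
ALLOWED_COUNTRIES = {"US", "CA"}   # where the airline actually sells tickets
MAX_SESSIONS_PER_IP = 1            # the scenario's "one login per IP" rule


def country_of(ip: str) -> str:
    """Longest-prefix GeoIP lookup against the constructed table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEO_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "??"


class RequestGate:
    """Deny-by-default front door: UA allow-list, geo fence, per-IP session cap."""

    def __init__(self):
        self.sessions = defaultdict(set)   # client IP -> active session ids

    def check(self, ip, user_agent, session_id=None):
        """Return (allowed, reason) for one request."""
        if not any(p.match(user_agent or "") for p in ALLOWED_UA):
            return False, "user-agent not in allow-list"
        cc = country_of(ip)
        if cc not in ALLOWED_COUNTRIES:
            return False, f"geo {cc} outside fence"
        if session_id is not None:
            active = self.sessions[ip]
            if session_id not in active and len(active) >= MAX_SESSIONS_PER_IP:
                return False, "session limit for this IP reached"
            active.add(session_id)
        return True, "ok"

    def end_session(self, ip, session_id):
        """Called on logout or session expiry so the slot is freed again."""
        self.sessions[ip].discard(session_id)


if __name__ == "__main__":
    gate = RequestGate()
    for ip, ua, sid in [("203.0.113.10", "curl/7.43.0", None),
                        ("198.51.100.7", CHROME_UA, "s1"),
                        ("203.0.113.10", CHROME_UA, "s1"),
                        ("203.0.113.10", CHROME_UA, "s2")]:
        print(ip, sid, gate.check(ip, ua, sid))
```

The gate is positive-model throughout (allow-listed browsers, allow-listed countries), in keeping with the whitelisting argument later in the deck. Free the session slot on logout or expiry; otherwise the one-per-IP cap locks a legitimate customer out behind an abandoned session, and customers behind a shared NAT need a higher cap than one.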

Optimizing Your WAF for Anti-Bot

JavaScript Noop

• No client support? Drop them

• JavaScript validation

• Check for fingerprints
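A minimal JavaScript no-op challenge, as an added example that is not the webinar's or any vendor's code: the WAF answers an unverified client with a one-line script instead of the page; the script sets a cookie carrying an HMAC over the client IP, a timestamp and a nonce, and the WAF forwards only requests that present a valid, unexpired cookie. curl, LWP and WWW::Mechanize never execute the script, so they never get past it. The cookie name, the TTL and the in-process key are assumptions. Caveat from the lab results: PhantomJS and Selenium do execute JavaScript, so this layer alone does not stop them; that is what the fingerprint checks on this slide are for.

```python
import hashlib
import hmac
import secrets
import time

# Per-deployment key. Assumption: in production it comes from a secret store and
# is rotated; here it is generated once at import time.
SECRET = secrets.token_bytes(32)
TOKEN_TTL = 600        # seconds a challenge cookie stays valid (assumption)
COOKIE_NAME = "wafjs"  # arbitrary name chosen for this example


def _sign(client_ip, ts, nonce):
    msg = f"{client_ip}|{ts}|{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(client_ip, now=None):
    """Mint a cookie value bound to the client IP and the time, plus the tiny
    script that sets it. Only a client that actually runs JavaScript will
    ever send the cookie back."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    cookie = f"{ts}.{nonce}.{_sign(client_ip, ts, nonce)}"
    script = (f'document.cookie="{COOKIE_NAME}={cookie}; path=/; Secure; SameSite=Lax";'
              'location.reload();')
    return script, cookie


def verify_cookie(client_ip, cookie, now=None):
    """True only if the cookie was minted by us, for this IP, and is unexpired."""
    try:
        ts_s, nonce, mac = cookie.split(".")
        ts = int(ts_s)
    except (AttributeError, ValueError):
        return False
    now = int(time.time() if now is None else now)
    if not (0 <= now - ts <= TOKEN_TTL):
        return False
    return hmac.compare_digest(mac, _sign(client_ip, ts, nonce))


def decide(client_ip, cookies, now=None):
    """Return ("pass", None) to forward the request to the origin, or
    ("challenge", script) to answer with the JavaScript no-op instead."""
    if verify_cookie(client_ip, cookies.get(COOKIE_NAME, ""), now):
        return "pass", None
    return "challenge", issue_challenge(client_ip, now)[0]


if __name__ == "__main__":
    script, cookie = issue_challenge("203.0.113.5")
    print("served:", script)
    print("with cookie:", decide("203.0.113.5", {COOKIE_NAME: cookie}))
    print("without cookie:", decide("203.0.113.5", {})[0])
```

Binding the token to the client IP is what makes "reconnect from a random IP" cost the bot a fresh challenge each time; the HMAC means a bot cannot forge the cookie without the key, and `compare_digest` keeps the check constant-time.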

Optimizing Your WAF for Anti-Bot

Login Page Enforcement

• Monitor for brute force attacks

• Monitor for multiple logins from Geos and Networks (e.g., DSL, Mobile, etc.)

• Enforce session revocation

Why Whitelisting is Always Better Than Blacklisting

The Six Dumbest Ideas in Computer Security, #2: Enumerating Badness

http://www.ranum.com/security/computer_security/editorials/dumb/

Whitelist vs Blacklist

Counting Bad Things is Much Harder...

Trying to count bad things (signature sets) is a constant battle in which you will always be one step behind

Counting Bad Things...

Counting Good (Valid) Things is much easier

Enumerating acceptable application traffic is much easier. You already have all the information: you know what input is valid for your application

Counting Good Things...

Optimize Web Application Security Based on Your Vulnerability Profile

The Right Protection for the Right Threat

Understand What Features You Need

You Can Turn That Off...

8 Web App Security Best Practices

(plus 2 things you should never do!)


Top 8 Best Practices

1. Profile your application

• URIs

• Parameter names and values

• Cookie names and values

• Uploads

• Web services


2. Limit your exposure / Reduce attack surface

• GeoIP fencing

• Client interrogation


3. Force your application routes

• Understand application workflow

• Ensure users follow the workflow

• Restrict ‘forceful browsing’ attacks


4. SCRUB ALL INPUTS

5. Encrypt all cookies

6. Force SSL whenever possible

7. Monitor login pages for brute force attempts

8. Always enforce protocol specifics
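A positive security policy built the way practices 1, 3 and 4 above describe, and the way the whitelisting section argues for, as an added example that is not the webinar's or any WAF vendor's code: the profiler learns routes, parameter names and value classes from a constructed sample of known-good traffic, and enforcement denies everything outside that profile: unknown routes (the forceful-browsing case), unknown parameters, and values that fail their learned class. The sample requests and the value classes are assumptions. It also shows why "never rely on wildcards" matters: a wildcard route with any-parameter allowed would have let the `debug=1` and `1 OR 1=1` cases through.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Value classes, narrowest first. The profiler picks the first class that every
# observed value of a parameter satisfies (the classes are an assumption).
VALUE_CLASSES = [
    ("int",   re.compile(r"\d{1,9}")),
    ("iata",  re.compile(r"[A-Z]{3}")),
    ("date",  re.compile(r"\d{4}-\d{2}-\d{2}")),
    ("token", re.compile(r"[A-Za-z0-9_]{1,32}")),
]

# Constructed sample of known-good traffic (assumption): requests the real
# application generates, used to learn the positive policy.
GOOD_TRAFFIC = [
    "GET /flights/search?origin=SFO&dest=JFK&date=2015-08-10",
    "GET /flights/search?origin=LAX&dest=ORD&date=2015-09-01",
    "GET /schedule?id=10231",
    "GET /schedule?id=8807",
    "POST /login?user=pilot7",
]


def _split(request_line):
    """'METHOD /path?query' -> (method, path, {param: value})."""
    method, target = request_line.split(" ", 1)
    parts = urlsplit(target)
    return method, parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))


def build_profile(lines):
    """Learn {(method, path): {param: class}} from known-good requests.
    A parameter no class fits gets None and is denied until a human decides."""
    observed = {}
    for line in lines:
        method, path, params = _split(line)
        route = observed.setdefault((method, path), {})
        for name, value in params.items():
            route.setdefault(name, []).append(value)
    profile = {}
    for route, params in observed.items():
        profile[route] = {}
        for name, values in params.items():
            profile[route][name] = next(
                (cls for cls, rx in VALUE_CLASSES if all(rx.fullmatch(v) for v in values)),
                None)
    return profile


def enforce(profile, request_line):
    """Return (allowed, reason). Anything not explicitly profiled is denied:
    no wildcard routes, no unknown parameters, no out-of-class values."""
    method, path, params = _split(request_line)
    route = profile.get((method, path))
    if route is None:
        return False, f"route {method} {path} not in profile"
    classes = dict(VALUE_CLASSES)
    for name, value in params.items():
        if name not in route:
            return False, f"parameter {name!r} not profiled for {path}"
        cls = route[name]
        if cls is None or not classes[cls].fullmatch(value):
            return False, f"parameter {name!r} value does not match class {cls}"
    return True, "ok"


if __name__ == "__main__":
    profile = build_profile(GOOD_TRAFFIC)
    for req in ["GET /flights/search?origin=SEA&dest=BOS&date=2015-10-02",
                "GET /flights/search?origin=SEA&dest=BOS&date=2015-10-02&debug=1",
                "GET /schedule?id=1 OR 1=1",
                "GET /wp-admin/"]:
        print(req, "->", enforce(profile, req))
```

Note that this is allow-list validation, not sanitization: a value that fails its class is rejected outright rather than "cleaned", which is the safer reading of "scrub all inputs". Cookies and upload bodies would be profiled the same way; they are left out here to keep the example to query parameters.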

2 Things to Never Do!

NEVER…

1. Rely on wildcards in your policy

2. Rely purely on signature sets in your WAF policy

Questions for John and Rami?

www.distilnetworks.com/trial/

Referral Code: DARKREADING

Don’t Forget to Sign up for Distil’s Offer: Two Months Free + Free Traffic Analysis

Offer Ends June 31st

Thank you for attending

Please visit our sponsor and any of the resources below:

• www.darkreading.com/events

• IT Security Vendor Analysis: Casting Akamai, Cloudflare, Imperva, F5 and Distil Networks in Their Starring Roles
  http://resources.distilnetworks.com/h/i/84096120-it-security-vendor-analysis-casting-akamai-cloudflare-imperva-f5-and-distil-networks-in-their-starring-roles/185088

• 2015 Bad Bot Landscape Report
  http://resources.distilnetworks.com/h/i/81324486-2015-bad-bot-landscape-report/185088

• Free Threat Analysis: http://www.distilnetworks.com/trial/ (use referral code DARKREADING for 2 months free + threat analysis)