TRANSCRIPT
Application Protection (Customized for Thailand)
Natthapon Thepchalerm (Por), Product Manager - Exclusive Networks
TOPICS
> Situation (8)
Challenge
Technology
Use Case
Q & A
3 Proprietary and confidential. Do not distribute.
Application Security
We All Are Going to Cloud
Lift & Shift
• Enabling the move from existing methodology and topology
• On-premises VMs move to AWS EC2 or Azure VMs
• IaaS
"Hybrid" Cloud Services
• Supporting clients as they seek agility & operational efficiencies
• PaaS
• RDS, Azure SQL
• APIs, containers, microservices
• Embracing DevOps
Cloud-native
• Offering developer-focused functionality
• Automation-first
• Self-service, low touch
Situation At-A-Glance
1% of organizations report that they will not be adopting cloud over the next two years. - eWEEK
13%: the mean number of applications in use at an organization today is expected to increase by 13% over the next two years. - DATALINK
18%: the number of cyber attacks across the world increased by 18% year on year. - SONICWALL
#1 challenge: keeping up with the volume of security alerts. - ESG Research
Most of your software isn’t yours
Operating Systems
Containers
Virtual Machines
Application Runtimes
Application Servers
Databases
Open Source Components
Software is complex
Methods: Waterfall → Agile → DevOps
Architecture: Monolithic → Tiers → Microservices
Servers: Physical → Virtual → Containers
Infrastructure: Datacenter → Hosted → Cloud
Software is getting more complex
Year after year, we make the same mistakes
Rank | OWASP Top 10 2010 | OWASP Top 10 2013 | OWASP Top 10 2017
A1 | Injection | Injection | Injection
A2 | Cross-Site Scripting (XSS) | Broken Auth & Session Management | Broken Auth
A3 | Broken Auth & Session Management | Cross-Site Scripting (XSS) | Sensitive Data Exposure
A4 | Insecure Direct Object References | Insecure Direct Object References | XML External Entities (XXE)
A5 | Cross-Site Request Forgery (CSRF) | Security Misconfiguration | Broken Access Control
A6 | Security Misconfiguration | Sensitive Data Exposure | Security Misconfiguration
A7 | Insecure Cryptographic Storage | Missing Function Level Access Control | Cross-Site Scripting (XSS)
A8 | Failure to Restrict URL Access | Cross-Site Request Forgery (CSRF) | Insecure Deserialization
A9 | Insufficient Transport Layer Protection | Using Components with Known Vulnerabilities | Using Components with Known Vulnerabilities
A10 | Unvalidated Redirects and Forwards | Unvalidated Redirects and Forwards | Insufficient Logging & Monitoring
Legend: Remained in Top 10 / New Entrant
The slide also shows "A10 - Underprotected APIs", the entry from the 2017 release candidate that the final 2017 list replaced with Insufficient Logging & Monitoring.
Application Security: The Risk Compromise
> Challenge (6)
Application Security
Today Questions & Requirements
Location: AWS / Azure / GCP; Co-location / ISP; Own Data Center; Local / Global / China
Visitor: Internal / External; Human / Robot; UI / API
Type: New / Old Service; Traditional / DevOps; Linear / Spike
Resource: Staff; Depth / Utilities
Common issue: want to free up time and resources
> Challenges
• Traditional security is a bottleneck.
• Limited staff to monitor and tune.
• Huge volume of events.
Common issue: want faster, more stable and more secure applications
> Challenges
• Maintain SLA and resilience in response.
• Too many processes and products, high cost.
• New versions of applications.
Common issue: want to deploy across environments
> Challenges
• Inside virtual servers, containers, microservices and APIs.
• Multi-location, on-prem and cloud.
• Traditional licensing leads to performance limitations.
Microservices
https://docs.microsoft.com/en-us/azure/architecture/guide/architecture-styles/microservices
Attack here.
Impact of Changing
54% of security alerts are ignored [1]
21% of cloud budgets are spent on hybrid technologies [2]
1/3 of website visitors are bad bots [3]
58% of organizations that use one cloud provider plan to expand to multiple cloud platforms [4]
70% of CISOs' #1 concern in 2018: lack of competent in-house staff [5]
Free up Time and Resources
Secure Critical Applications
Act on Critical Insights
Manage Multiple Environments
Have Security Confidence
1. Security Operations Challenges, Priorities, and Strategies, ESG, 2017
2. Hybrid Cloud: Where the Mountains Touch the Clouds, Citi Research, 2018
3. Imperva Bot Traffic Report, 2017
4. Why It's a Mistake to Rely on Cloud Providers for All Data Protection, 2017
5. What CISOs Worry About in 2018, Ponemon Institute, January 2018
> Technology (10)
Application Security
Key Considerations
• Cloud first, but on-prem is still required
• Quick: automation
• AI + machine learning: response
• Micro-protection: low-touch
• Confident: 3-year outlook
• Vision and TCO: investment
Broad Security Defense In Depth Architecture
Environments: On-Prem, Hybrid, Cloud
Assets: DATA, APIs, APPs
Outside the Organization: External Partners, Customers, Contractors, Bad bots, Hackers
Inside the Organization: Trusted, Internal Partners, Malicious, Careless, Compromised
App & Data Security (cloud and edge): WAF (Cloud and On-Prem), RASP, CDN & LB, DDoS, Bot Protection, API Security
App & Data Security (on-prem): WAF On-Prem, RASP, DAM/DBF, API Security*
Machine Learning & Analytics, SIEM
*Internal API Security is planned for 2020
Wide to Depth Architecture
EDGE: App Security + Delivery. Cloud based WAF, DDoS, Bot Mitigation, CDN, Load Balancer, Analytics.
NETWORK: On Premise WAF. Industry leading WAF.
APPs / APIs: Built-in Security. RASP + API Security, securing runtime app protection and East/West traffic.
DATA: Data Security and Compliance. Relational DB, Big Data, Mainframe, Insider Threat, GDPR, SOX, PCI.
Imperva Vision for Application Security
Where: As a Service, at the Edge; In the App; On-Premises
What: WAF, RASP, APIs, Anti-Bot; DDoS & Secure CDN; Actionable Insights
How: Context-Aware, Centrally-Managed, API First; Leading Research Team; AI Layer with Actionable Insights; Network of Nano Security Sensors by Imperva and 3rd party
Imperva's 3-Year Outlook
Connecting Apps with Data and User Behavior
Hybrid-WAF & DDoS
• Near rule parity between cloud and on-prem
• New proxy engine on-prem with support of advanced ciphers
• Industry best 3-sec DDoS SLA supported by fully automated SDN
Bot Management
• Intent-focused detection
• Simulation to support fact-based policy tuning
• Risk-based mitigation approach
API Security
• Positive security model created/updated automatically from Swagger spec
• Security added into CI/CD process
• Infrastructure as code
• API Gateway vendor partnerships
Attack Analytics
• Dashboard for high-level summary of attacks
• Analyze API-related attacks
• Community referenced attacks
RASP
• Secure apps in any environment, by default
• Known vulnerability mitigation and zero-day protection
• Visibility into real attack risk
New Since 2018
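A worked illustration of the "positive security model created automatically from Swagger spec" item above. This is an added example, not Imperva's code or product behaviour: it compiles a small constructed OpenAPI 3 fragment (the SPEC dict, paths and limits are assumptions for the demo) into an allowlist of method, path template and parameter schema, then validates requests default-deny. Unknown paths, undeclared query parameters, wrong types and out-of-range values are all rejected, so an endpoint like the /api/v2/query-page/ path reported under Use Case 1 later in this deck is blocked simply because the spec never mentions it. A real deployment would load the service's own spec and validate request bodies as well.

```python
"""Positive security model derived from an OpenAPI (Swagger) spec.

Added example, not Imperva code. Compiles a constructed OpenAPI 3 fragment
into an allowlist of method + path template + parameter schema, then
validates requests default-deny: anything the spec does not describe is
rejected.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed spec fragment for the demo; not from any real service.
SPEC = {
    "paths": {
        "/api/v2/customers/{id}": {
            "get": {"parameters": [
                {"name": "id", "in": "path", "required": True,
                 "schema": {"type": "integer", "minimum": 1}},
                {"name": "fields", "in": "query",
                 "schema": {"type": "string", "pattern": r"^[a-z_,]{1,64}$"}},
            ]},
        },
        "/api/v2/customers": {
            "get": {"parameters": [
                {"name": "limit", "in": "query",
                 "schema": {"type": "integer", "minimum": 1, "maximum": 100}},
            ]},
            "post": {"parameters": []},
        },
    }
}


def _check_value(schema, raw):
    """True if the raw string satisfies the parameter schema (integer/string only)."""
    kind = schema.get("type", "string")
    if kind == "integer":
        if not re.fullmatch(r"-?\d{1,18}", raw):
            return False
        value = int(raw)
        return schema.get("minimum", value) <= value <= schema.get("maximum", value)
    if kind == "string":
        pattern = schema.get("pattern")
        if pattern and not re.fullmatch(pattern, raw):
            return False
        return len(raw) <= schema.get("maxLength", 1024)
    return False  # unsupported schema types are denied, never silently allowed


def compile_spec(spec):
    """Turn each path template into (regex, {METHOD: parameters})."""
    rules = []
    for template, operations in spec["paths"].items():
        # "/a/{id}/b" splits into literal, name, literal ...; names become named groups
        parts = re.split(r"\{(\w+)\}", template)
        regex = "^" + "".join(
            re.escape(p) if i % 2 == 0 else f"(?P<{p}>[^/]+)"
            for i, p in enumerate(parts)
        ) + "$"
        rules.append((re.compile(regex),
                      {m.upper(): op.get("parameters", []) for m, op in operations.items()}))
    return rules


def validate(rules, method, url):
    """Default-deny check; returns (allowed, reason)."""
    parts = urlsplit(url)
    for regex, methods in rules:
        match = regex.match(parts.path)
        if not match:
            continue
        params = methods.get(method.upper())
        if params is None:
            return False, "method not in spec for path"
        declared = {(p["in"], p["name"]): p for p in params}
        for name, raw in match.groupdict().items():          # path parameters
            p = declared.get(("path", name))
            if p is None or not _check_value(p["schema"], raw):
                return False, f"bad path parameter {name}"
        seen = set()
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):  # query parameters
            p = declared.get(("query", name))
            if p is None:
                return False, f"undeclared query parameter {name}"
            if not _check_value(p["schema"], raw):
                return False, f"bad query parameter {name}"
            seen.add(name)
        for (where, name), p in declared.items():
            if where == "query" and p.get("required") and name not in seen:
                return False, f"missing required parameter {name}"
        return True, "ok"
    return False, "path not in spec"


RULES = compile_spec(SPEC)

if __name__ == "__main__":
    for method, url in [("GET", "/api/v2/customers/42?fields=name,email"),
                        ("GET", "/api/v2/customers/42%20OR%201=1"),
                        ("GET", "/api/v2/customers?limit=5&debug=1"),
                        ("GET", "/api/v2/query-page/")]:
        print(method, url, "->", validate(RULES, method, url))
```

The point of "positive" here is that nothing has to be recognised as an attack: the injection-looking id and the undeclared debug parameter fail for the same reason a harmless typo would, which is why the model can be regenerated from the spec in CI/CD every time the API changes.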
The Best WAF, DDoS, BOT and RASP
[chart: vendor positioning by Ability to Execute vs Completeness of Vision]
1st Bot Management – Distil Networks (Acquired by Imperva), ranked by Forrester Q3/2018
Runtime Universal User Tracking (RUUT)
Connecting the Edge, Application, and Database
• Enhances audit and security, connecting application users and database queries
• User identification and classification is provided throughout the stack
• Organizations can enforce a positive data security model from the edge and application
RUUT Data Flow: Edge → Applications → Databases → Insights
Unleashing Visibility (columns: Edge / HTTP Headers, Application, Data / SQL Queries, Insights / Logs)
Edge: Human using device k5x1g9m34o running MobileApp from 43.23.1.4, which is a Tor exit node…
Application: …logged in with user Cornelius, ran 'SELECT * from customers_data', which returned 10m records…
Data: …Cornelius has never accessed this before; other users normally access 100 records…
Insights: …that are sensitive business data and are PCI-regulated…
True Defense in Depth (same columns)
Edge: …Block device k5x1g9m34o. Require 2FA for SomeMobileApp through any Tor exit node
Application: …Block/require 2FA from Cornelius and return an error message…
Data: …Block Cornelius from accessing any sensitive information on any database through any app…
Insights: Critical alert that Cornelius is probably compromised…
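The RUUT narrative above, written out as detection logic. This is an added example, not Imperva's RUUT implementation: it takes constructed edge, application and database-audit events that share a request id, correlates them into one record per request, and applies the checks the slide describes (Tor exit source, first-time access, result size far above the user's or peers' baseline, sensitive-table classification), emitting the 2FA, block and alert actions. The Tor exit list, event field names, access history and the score threshold are all assumptions for the demo.

```python
"""Cross-tier correlation in the spirit of the RUUT flow.

Added example, not Imperva's RUUT. Joins constructed edge, application and
database-audit events on a shared request id, then applies the checks the
slide describes: Tor exit source, first-time access, result size far above
baseline, and sensitive-table classification. Tor list, event fields,
history and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median

TOR_EXIT_NODES = {"43.23.1.4"}                 # constructed; a real feed is much larger
SENSITIVE_TABLES = {"customers_data": "PCI"}    # constructed data classification

# Constructed events from the three tiers; "rid" is the shared request id
EDGE = [{"rid": "r1", "device": "k5x1g9m34o", "ip": "43.23.1.4", "app": "MobileApp"},
        {"rid": "r2", "device": "a1b2c3d4e5", "ip": "203.0.113.9", "app": "MobileApp"}]
APP = [{"rid": "r1", "user": "cornelius"}, {"rid": "r2", "user": "alice"}]
DB = [{"rid": "r1", "sql": "SELECT * FROM customers_data", "rows": 10_000_000},
      {"rid": "r2", "sql": "SELECT name FROM customers_data WHERE id=7", "rows": 1}]
# Constructed per-user history of rows returned by earlier queries
HISTORY = {"alice": [80, 120, 95, 110], "cornelius": []}


def tables_in(sql):
    """Crude table extraction: the token after each FROM/JOIN. Enough for the demo."""
    toks = sql.replace(",", " ").split()
    return {toks[i + 1].lower() for i, t in enumerate(toks[:-1]) if t.upper() in ("FROM", "JOIN")}


def correlate(edge, app, db):
    """Merge the three tiers into one record per request id."""
    joined = defaultdict(dict)
    for source in (edge, app, db):
        for event in source:
            joined[event["rid"]].update(event)
    return dict(joined)


def assess(rec, history, tor=TOR_EXIT_NODES, sensitive=SENSITIVE_TABLES, spike=10):
    """Score one correlated record; returns (score, reasons, actions)."""
    reasons, actions = [], []
    user = rec.get("user", "?")
    if rec.get("ip") in tor:
        reasons.append(f"source {rec['ip']} is a Tor exit node")
        actions.append(f"require 2FA for {rec.get('app')} through any Tor exit node")
    own = history.get(user, [])
    peers = [r for u, rows in history.items() if u != user for r in rows]
    if not own:
        reasons.append(f"{user} has never accessed this data before")
    # baseline: the user's own median, falling back to what other users normally return
    baseline = median(own or peers) if (own or peers) else None
    if baseline is not None and rec.get("rows", 0) > spike * baseline:
        reasons.append(f"{rec['rows']} rows returned vs baseline {baseline:g}")
    hit = tables_in(rec.get("sql", "")) & set(sensitive)
    if hit:
        reasons.append("touches " + ", ".join(f"{t} ({sensitive[t]})" for t in sorted(hit)))
    score = len(reasons)
    if score >= 3:   # escalation threshold is an assumption for the demo
        actions += [f"block device {rec.get('device')}",
                    f"block {user} from sensitive data on any database through any app",
                    f"critical alert: {user} is probably compromised"]
    return score, reasons, actions


if __name__ == "__main__":
    for rid, rec in correlate(EDGE, APP, DB).items():
        print(rid, *assess(rec, HISTORY))
```

None of the three tiers can reach this verdict alone: the edge sees a Tor source but no query, the database sees a 10 million row result but no device, and only the join makes the "probably compromised" call defensible enough to block.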
> Use Case (5)
Application Security
Use Case 1
Thai website - immediately save cost and expand the business.
• AWS CloudFront data transfer rate/cost was very high compared to the visitor count.
• Traffic spiked with no promotion running; when there was a promotion, the site went down.
• An auto scaling group is not allowed because the cost would be uncontrollable.
• Complaints on social media.
Put a cloud web security service in front of AWS. Findings:
• 20% of traffic from Thailand.
• 80% is bot traffic.
• Under DDoS attack.
• Attacks target /api/v2/query-page/.
• 80% cacheable by CDN.
• Automated response if something goes wrong, via a single real-time dashboard.
Captured on 17 June 2019 (screenshot)
Use Case 2
Thai website - finally turned to hybrid WAF, DDoS protection, CDN, LB and GSLB.
• Existing Imperva WAF boxes.
• Migrating to cloud in 2019.
• Wants a faster website.
• Multi-active sites: on AWS and two on-prem.
• Reduce junk traffic at the edge.
• Wow, to have DDoS protection as well.
• Able to scale quickly as an add-on.
My last slide.
Imperva is providing application and data security anywhere, better performance and high availability at any scale.
> Q & A
Application Security
Thank You > Your Turn
RASP
What if our apps could be protected?
Without an army of secure coding experts,
Without requiring code changes,
Without complex setup,
Without ignoring the 90% of the code you didn’t write
Runtime Security Architecture: What is an Autonomous Deployment?
Install Runtime Agent into the Application (configs; application & logging)
→ Log Files → Forward Log Files → SIEM → Dashboard / Reports
Why use RASP?
• Secure Code Embedded Automatically
• More time to fix bugs
• Fewer worries about legacy code
• Zero-day protection for 3rd Party code
• Visibility into attacks
• Faster into production
• Reduced vulnerability score
• Automatic exception approval
What’s in it for me?
Runtime Application Self-Protection
• No external dependencies or network connectivity
• Patented, grammar-based, LANGSEC technology (no signatures)
• Detects and prevents attacks in real-time, with minimal CPU and memory overhead
• Easy to deploy: the plugin is part of the app and scales via DevOps automation
Advantages
Goes anywhere, works everywhere
• Active Applications
• Legacy Applications
• 3rd Party Applications
• Web Services
• Cloud Applications
• On-Prem Applications
• Containers
• Virtual Environments
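The "grammar-based, no signatures" claim above, shown as one concrete mechanism. This is an added example, not Imperva's patented engine: a RASP-style check that runs at the point where the application hands its final SQL string to the database driver. It tokenizes the statement and asks whether each untrusted input value fits inside a single literal token; a value that spans token boundaries, or lands in a comment, has changed the statement's structure and is blocked whatever its content, so no list of attack strings is needed. The tokenizer covers a SQL subset, and the list of tainted values is assumed to come from the agent's request hooks.

```python
"""Structure-based SQL injection detection, as a RASP agent might do it.

Added example, not Imperva's engine. The agent sees the final SQL string at
the database-driver hook plus the untrusted values that came in with the
request. Instead of matching attack signatures it tokenizes the SQL and
checks that each untrusted value sits inside exactly one literal token.
The tokenizer covers a SQL subset; taint sources are assumed.
"""
import re

TOKEN_RE = re.compile(r"""
      (?P<str>'(?:[^']|'')*')                 # single-quoted string, '' escapes a quote
    | (?P<num>\d+(?:\.\d+)?)                   # numeric literal
    | (?P<lcomment>--[^\n]*)                   # line comment
    | (?P<bcomment>/\*.*?\*/)                  # block comment
    | (?P<ident>[A-Za-z_][A-Za-z0-9_.]*)       # keyword, identifier, table.column
    | (?P<op><=|>=|<>|!=|[=<>+\-*/%(),;?])     # operators, punctuation, placeholder
    | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Return (kind, start, end) for every token; unmatched characters become 'junk'."""
    pos, tokens = 0, []
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:
            tokens.append(("junk", pos, pos + 1))   # e.g. an unterminated quote
            pos += 1
            continue
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.start(), m.end()))
        pos = m.end()
    return tokens


def is_injection(sql, tainted):
    """True if any untrusted value changed the token structure of the final SQL."""
    tokens = tokenize(sql)
    for value in tainted:
        # the value may have been quote-escaped on its way into the query
        for needle in {value, value.replace("'", "''")}:
            if not needle:
                continue
            start = sql.find(needle)
            while start != -1:
                end = start + len(needle)
                covered = [t for t in tokens if t[1] < end and t[2] > start]
                # inside one literal token        -> data, as intended
                # inside one identifier/operator  -> incidental substring ("1" in "t1"), ignore
                # several tokens, comment or junk -> the value rewrote the statement
                if len(covered) > 1 or (covered and covered[0][0] in ("lcomment", "bcomment", "junk")):
                    return True
                start = sql.find(needle, start + 1)
    return False


if __name__ == "__main__":
    cases = [
        ("SELECT * FROM users WHERE name = 'O''Brien' AND id = 42", ["O'Brien", "42"]),
        ("SELECT * FROM users WHERE id = 42 OR 1=1", ["42 OR 1=1"]),
        ("SELECT * FROM users WHERE name = '' OR '1'='1'", ["' OR '1'='1"]),
        ("SELECT * FROM users WHERE user = 'admin'--' AND pw = 'x'", ["admin'--"]),
    ]
    for sql, inputs in cases:
        print("BLOCK" if is_injection(sql, inputs) else "allow", "|", sql)
```

The first case is why a signature approach struggles: O'Brien contains a quote and survives, because after escaping it still lives inside one string literal, while the tautology and comment payloads are caught without the agent knowing what OR 1=1 means. A parameterised query passes trivially since the tainted value never appears in the statement text at all.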
The World is Changing...
• Software is decentralizing (networks, apps, data) with customers moving to private/public clouds
• Applications are turning into microservices and evolving rapidly (DevOps & serverless)
• The way we store and manage data is evolving (managed and specialized)