Application Protection (Customized for Thailand) Natthapon Thepchalerm (Por) Product Manager - Exclusive Networks

Upload: others

Post on 22-May-2020

7 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Template download instructions...•Applications are turning into microservices and evolving rapidly (DevOps & serverless) •The way we store and manage data is evolving (managed

Application Protection (Customized for Thailand)

Natthapon Thepchalerm (Por), Product Manager - Exclusive Networks

Page 2: Broad Security Defense In Depth Architecture (diagram)

Environments: On-Prem / Hybrid / Cloud, protecting DATA, APIs and APPs.

Outside the Organization: External Partners, Customers, Contractors, Bad bots, Hackers.

Inside the Organization: Trusted, Internal Partners, Malicious, Careless, Compromised.

App & Data Security (edge / cloud): WAF (Cloud and On-Prem), RASP, CDN & LB, DDoS, Bot Protection, API Security.

App & Data Security (on-prem): WAF On-Prem, RASP, DAM/DBF, API Security*.

Machine Learning & Analytics; SIEM.

*Internal API Security is planned for 2020.

Page 3:

TOPICS

> Situation (8)

Challenge

Technology

Use Case

Q & A

3 Proprietary and confidential. Do not distribute.

Application Security

Page 4: We All Are Going to Cloud

Lift & Shift
• Enabling the move from existing methodology and topology
• On-premises VMs move to AWS EC2 or Azure VMs
• IaaS

"Hybrid" Cloud Services
• Supporting clients as they seek agility & operational efficiencies
• PaaS
• RDS, Azure SQL
• APIs, containers, microservices
• Embracing DevOps

Cloud-native
• Offering developer-focused functionality
• Automation-first
• Self-service, low touch

Page 5: Situation At-A-Glance

1% of organizations report that they will not be adopting cloud over the next two years. - eWEEK

13%: the mean number of applications in use today at an organization is expected to increase by over 13% over the next two years. - DATALINK

Page 6: Situation At-A-Glance

18%: the number of cyber attacks across the world increased by 18% year on year. - SONICWALL

#1 Challenge: keeping up with the volume of security alerts. - ESG Research

Page 7:

Most of your software isn’t yours

Operating Systems

Containers

Virtual Machines

Application Runtimes

Application Servers

Databases

Open Source Components

Page 8:

Software is complex

Page 9: Software is getting more complex

Methods: Waterfall -> Agile -> DevOps

Architecture: Monolithic -> Tiers -> Microservices

Servers: Physical -> Virtual -> Containers

Infrastructure: Datacenter -> Hosted -> Cloud

Page 10: Year after year, we make the same mistakes

     | OWASP Top 10 2010                        | OWASP Top 10 2013                            | OWASP Top 10 2017
A1   | Injection                                | Injection                                    | Injection
A2   | Cross-Site Scripting (XSS)               | Broken Auth & Session Management             | Broken Auth
A3   | Broken Auth & Session Management         | Cross-Site Scripting (XSS)                   | Sensitive Data Exposure
A4   | Insecure Direct Object References        | Insecure Direct Object References            | XML External Entities (XXE)
A5   | Cross-Site Request Forgery (CSRF)        | Security Misconfiguration                    | Broken Access Control
A6   | Security Misconfiguration                | Sensitive Data Exposure                      | Security Misconfiguration
A7   | Insecure Cryptographic Storage           | Missing Function Level Access Control        | Cross-Site Scripting (XSS)
A8   | Failure to Restrict URL Access           | Cross-Site Request Forgery (CSRF)            | Insecure Deserialization
A9   | Insufficient Transport Layer Protection  | Using Components with Known Vulnerabilities  | Using Components with Known Vulnerabilities
A10  | Unvalidated Redirects and Forwards       | Unvalidated Redirects and Forwards           | Insufficient Logging & Monitoring

Legend: Remained in Top 10 / New Entrant

A10 - Underprotected APIs

Page 11:

Application Security: The Risk Compromise

Page 12:

TOPICS

Situation

> Challenge (6)

Technology

Use Case

Q & A


Application Security

Page 13: Today Questions & Requirements

Location: AWS / Azure / GCP; Co-location / ISP; Own Data Center; Local / Global / China

Visitor: Internal / External; Human / Robot

Type: UI / API; New / Old Service; Traditional / DevOps; Linear / Spike

Resource: Staff; Depth / Utilities

Page 14: (repeats the Today Questions & Requirements slide from page 13)

Page 15: Want to free up time and resources

Common issue:

> Challenges

• Traditional security is a bottleneck.

• Limited staff to monitor and tune.

• Huge volume of events.

Page 16: Want faster, more stable and more secure applications

Common issue:

> Challenges

• Maintain SLA and resilience in response.

• Too many processes and products, high cost.

• New versions of applications.

Page 17: Want to deploy across environments

Common issue:

> Challenges

• Inside virtual servers, containers, microservices and APIs.

• Multiple locations, on-prem and cloud.

• Traditional licensing leads to performance limitations.

Page 18: Microservices

Diagram source: https://docs.microsoft.com/en-us/azure/architecture/guide/architecture-styles/microservices

Attack here.

Page 19: Impact of Changing

54% of security alerts are ignored [1]

21% of cloud budgets are spent on hybrid technologies [2]

1/3 of website visitors are bad bots [3]

58% of organizations that use one cloud provider plan to expand to multiple cloud platforms [4]

70% of CISOs' #1 concern in 2018: lack of competent in-house staff [5]

Free up Time and Resources

Secure Critical Applications

Act on Critical Insights

Manage Multiple Environments

Have Security Confidence

1. Security Operations Challenges, Priorities, and Strategies, ESG, 2017

2. Hybrid Cloud: Where the Mountains Touch the Clouds, Citi Research, 2018

3. Imperva Bot Traffic Report, 2017

4. Why It's a Mistake to Rely on Cloud Providers for All Data Protection, 2017

5. What CISOs Worry About in 2018, Ponemon Institute, January 2018

Page 20:

TOPICS

Situation

Challenge

> Technology (10)

Use Case

Q & A


Application Security

Page 21: Key Considerations

Cloud First: on-prem still required

Quick: automation, AI + machine learning

Response: micro-protection, low-touch

Confident: 3-year outlook, vision and TCO, investment

Page 22: (repeats the Broad Security Defense In Depth Architecture diagram from page 2)

Page 23: Wide to Depth Architecture

EDGE - App Security + Delivery: cloud based WAF, DDoS, Bot Mitigation, CDN, Load Balancer, Analytics.

NETWORK - On Premise WAF: industry leading WAF.

APPs / APIs - Built-in Security: RASP + API Security, securing runtime app protection and East/West traffic.

DATA - Data Security and Compliance: Relational DB, Big Data, Mainframe, Insider Threat, GDPR, SOX, PCI.

Page 24: Imperva Vision for Application Security

Where: As a Service, at the Edge; In the App; On-Premises

What: WAF, RASP, APIs, Anti-Bot; DDoS & Secure CDN; Actionable Insights

How: Context-Aware, Centrally-Managed, API First; Leading Research Team; AI Layer with Actionable Insights; Network of Nano Security Sensors by Imperva and 3rd party

Imperva's 3-Year Outlook: Connecting Apps with Data and User Behavior

Page 25: New Since 2018

Hybrid-WAF & DDoS
• Near rule parity between cloud and on-prem
• New proxy engine on-prem with support of advanced ciphers
• Industry best 3-sec DDoS SLA supported by fully automated SDN

Bot Management
• Intent-focused detection
• Simulation to support fact-based policy tuning
• Risk-based mitigation approach

API Security
• Positive security model created/updated automatically from Swagger spec
• Security added into CI/CD process
• Infrastructure as code
• API Gateway vendor partnerships

Attack Analytics
• Dashboard for high level summary of attacks
• Analyze API-related attacks
• Community referenced attacks

RASP
• Secure apps in any environment, by default
• Known vulnerability mitigation and zero-day protection
• Visibility into real attack risk

Page 26: The Best WAF, DDoS, BOT and RASP

(Chart; axes: Ability to Execute, Completeness of Vision)

Page 27: 1st Bot Management – Distil Networks (Acquired by Imperva)

Ranked by Forrester Q3/2018

Page 28: Runtime Universal User Tracking (RUUT)

Connecting the Edge, Application, and Database

• Enhances audit and security, connecting application users and database queries

• User identification and classification is provided throughout the stack

• Organizations can enforce a positive data security model from the edge and application

(Diagram: Edge, Applications, Databases, Insights)

Page 29: RUUT Data Flow - Unleashing Visibility

Layers: Edge, Application, Data, Insights (inputs: HTTP Headers, SQL Queries, Logs)

Human using device k5x1g9m34o running MobileApp from 43.23.1.4, which is a Tor exit node…

…logged in with user Cornelius, ran 'SELECT * from customers_data', which returned 10m records…

…Cornelius has never accessed this before; other users normally access 100 records…

…that are sensitive business data and are PCI-regulated…

Page 30: RUUT Data Flow - True Defense in Depth

Layers: Edge, Application, Data, Insights (inputs: HTTP Headers, SQL Queries, Logs)

…Block device k5x1g9m34o; require 2FA for SomeMobileApp through any Tor exit node…

…Block / require 2FA from Cornelius and return an error message…

Critical alert that Cornelius is probably compromised…

…Block Cornelius from accessing any sensitive information on any database through any app…
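The chain on pages 29 and 30, as an added worked example that is not part of the original deck: constructed edge, application and database audit events are joined on a session id, scored against an assumed row-count baseline, access history and data classification, and mapped to the response actions the slide lists. Every field name, threshold and action string is an assumption for this illustration, not Imperva's schema or logic.

```python
"""Correlating edge, application and data signals as pages 29-30 describe. All
event fields, baselines, thresholds and action strings are constructed assumptions."""
from dataclasses import dataclass, field

# Constructed feeds, joined on an assumed per-request session id.
EDGE_EVENTS = [  # derived from HTTP headers at the edge
    {"session": "s-1", "device_id": "k5x1g9m34o", "app": "MobileApp", "src_ip": "43.23.1.4", "tor_exit": True},
    {"session": "s-2", "device_id": "q8w7e6r5t4", "app": "MobileApp", "src_ip": "10.1.2.3", "tor_exit": False},
]
APP_EVENTS = [  # from the in-app agent: which user owns the session
    {"session": "s-1", "user": "Cornelius"},
    {"session": "s-2", "user": "Alice"},
]
DB_EVENTS = [  # from the database audit feed: query, table and rows returned
    {"session": "s-1", "table": "customers_data", "query": "SELECT * from customers_data", "rows": 10_000_000},
    {"session": "s-2", "table": "customers_data", "query": "SELECT id FROM customers_data WHERE id = 7", "rows": 1},
]
BASELINE_ROWS = {"customers_data": 100}         # "other users normally access 100 records"
CLASSIFICATION = {"customers_data": "PCI"}      # "sensitive business data ... PCI-regulated"
ACCESS_HISTORY = {"Alice": {"customers_data"}}  # Cornelius "has never accessed this before"
VOLUME_FACTOR = 100  # assumed: >= 100x the baseline row count counts as an anomaly

@dataclass
class Finding:
    user: str
    device_id: str
    severity: str
    reasons: list = field(default_factory=list)
    actions: list = field(default_factory=list)

def correlate(edge, app, db):
    """Join the three feeds on session id; return one Finding per query worth acting on."""
    ctx = {e["session"]: dict(e) for e in edge}
    for a in app:
        ctx.setdefault(a["session"], {}).update(a)
    findings = []
    for d in db:
        ev = {**ctx.get(d["session"], {}), **d}
        user, dev, app_name = ev.get("user", "?"), ev.get("device_id", "?"), ev.get("app", "?")
        edge_risk = bool(ev.get("tor_exit"))
        reasons, actions = [], []
        if edge_risk:  # edge-layer response from the slide
            reasons.append(f"request from Tor exit node {ev['src_ip']}")
            actions += [f"block device {dev}", f"require 2FA for {app_name} through any Tor exit node"]
        baseline = BASELINE_ROWS.get(d["table"], 0)
        if baseline and d["rows"] >= VOLUME_FACTOR * baseline:
            reasons.append(f"{d['rows']} rows returned vs baseline {baseline}")
        if d["table"] not in ACCESS_HISTORY.get(user, set()):
            reasons.append(f"{user} never accessed {d['table']} before")
        data_anomaly = len(reasons) > int(edge_risk)  # at least one data-layer reason
        sensitive = CLASSIFICATION.get(d["table"])
        if not reasons: continue
        if data_anomaly and sensitive and edge_risk:  # all layers agree: insights-layer response
            severity = "critical"
            actions += [f"block/require 2FA from {user} and return an error message",
                        f"critical alert: {user} is probably compromised",
                        f"block {user} from {sensitive}-regulated data on any database through any app"]
        elif data_anomaly and sensitive:
            severity = "high"
            actions.append(f"require 2FA from {user} before further access to {d['table']}")
        else:
            severity = "medium"
        findings.append(Finding(user, dev, severity, reasons, actions))
    return findings
```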

Page 31:

TOPICS

Situation

Challenge

Technology

> Use Case (5)

Q & A


Application Security

Page 32: Use Case 1

Thai website - Immediately Save Cost and Expand Business.

AWS CloudFront data transfer volume and cost were very high compared to the number of visitors.

Traffic spiked with no promotion running; when a promotion ran, the site went down.

Auto scaling groups were not allowed because the cost was uncontrollable.

Complaints on social media.

Put a cloud web security service in front of AWS.

20% of traffic was from Thailand.

80% was bot traffic.

Under DDoS attack, targeting /api/v2/query-page/.

80% of traffic was cacheable by the CDN.

Automated response when something goes wrong, via a single real-time dashboard.

Page 33: Use Case 1 (screenshot captured on 17 June 2019)

Page 34: Use Case 1 (screenshot)

Page 35: Use Case 2

Thai website - Finally Turned to Hybrid WAF, DDoS Protection, CDN, LB and GSLB.

Existing Imperva WAF boxes.

Migrating to cloud in 2019.

Wanted a faster website.

Multi-active sites on AWS and two on-prem.

Reduce junk traffic at the edge.

Wow: DDoS protection as well.

Able to scale quickly as an add-on.

My last slide.

Page 36:

Imperva is providing application and data security anywhere, with better performance and high availability at any scale.

Page 37:

TOPICS

Situation

Challenge

Technology

Use Case

> Q & A


Application Security

Page 38: Thank You > Your Turn

Page 39: RASP

Page 40:

What if our apps could be protected?

Without an army of secure coding experts,

Without requiring code changes,

Without complex setup,

Without ignoring the 90% of the code you didn’t write

Page 41: Runtime Security Architecture: What is an Autonomous Deployment?

(Diagram) Application & Logging: Configs -> Application (Install Runtime Agent) -> Log Files -> Forward Log Files -> SIEM -> Dashboard / Reports

Page 42:

Why use RASP?

• Secure Code Embedded Automatically

• More time to fix bugs

• Fewer worries about legacy code

• Zero-day protection for 3rd Party code

• Visibility into attacks

• Faster into production

• Reduced vulnerability score

• Automatic exception approval

What’s in it for me?

Page 43: Runtime Application Self-Protection - Advantages

• No external dependencies or network connectivity

• Patented, grammar-based LANGSEC technology (no signatures)

• Detects and prevents attacks in real time, with minimal CPU and memory overhead

• Easy to deploy: the plugin is part of the app and scales via DevOps automation
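An added example, not the deck's or the product's code, of the difference between signature matching and the grammar-based checking the second bullet refers to: the untrusted value is spliced into the statement template the application intends to run, and the check asks whether the token structure of the statement changed. The tokenizer, keyword list, placeholder and signature list are simplified assumptions for illustration.

```python
"""Signature matching versus a grammar-based structural check (constructed illustration).
The tokenizer, keyword list and signature list are simplifications for this example,
not the product's algorithm."""
import re

# Tokens: quoted string (with '' escapes), number, identifier/keyword, line comment, symbol.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|[A-Za-z_]\w*|--[^\n]*|[^\s\w']")
KEYWORDS = {"select", "from", "where", "and", "or", "not", "union", "insert",
            "update", "delete", "drop", "like", "in"}


def structure(sql):
    """Token-type sequence of a statement with literal values abstracted to LIT."""
    out = []
    for tok in TOKEN.findall(sql):
        if tok.startswith("'") or tok.isdigit():
            out.append("LIT")
        elif tok.startswith("--"):
            out.append("COMMENT")
        elif tok.lower() in KEYWORDS:
            out.append(tok.upper())
        elif tok[0].isalpha() or tok[0] == "_":
            out.append("ID")
        else:
            out.append(tok)  # operators and punctuation stand for themselves
    return out


def is_injection(template, value):
    """template holds one {} where the application splices an untrusted value.
    The value is acceptable only if the statement keeps the structure the template
    has with a plain literal in that slot (assumed placeholder: 0)."""
    expected = structure(template.format("0"))
    return structure(template.format(value)) != expected


SIGNATURES = ("' or '", "union select", "--")  # assumed, deliberately naive blocklist


def signature_match(value):
    """Blocklist check for comparison: it matches strings, not statement meaning."""
    low = value.lower()
    return any(sig in low for sig in SIGNATURES)
```

A value that merely lacks the spaces the blocklist expects slips past `signature_match` but still changes the statement's structure, which is what `is_injection` reports.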

Page 44:

Goes anywhere, works everywhere

• Active Applications

• Legacy Applications

• 3rd Party Applications

• Web Services

• Cloud Applications

• On-Prem Applications

• Containers

• Virtual Environments

Page 45: The World is Changing...

• Software is decentralizing (networks, apps, data) with customers moving to private/public clouds

• Applications are turning into microservices and evolving rapidly (DevOps & serverless)

• The way we store and manage data is evolving (managed and specialized)