web security automation: spend less time securing your applications
TRANSCRIPT
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Dean Samuels, Manager, Solutions Architecture
Hong Kong & Taiwan
19th January 2016
Security Automation Using AWS WAF: Spend Less Time Securing Your Applications
What to expect from this session
Introduction to AWS WAF
AWS WAF 101
AWS WAF security automation strategies
Demo and getting started
5 automation strategies
1. Provisioning WAF
2. Configuring rules
3. Importing rules
4. Automated incident response
5. Learning-based protections
Introduction to AWS WAF
AWS WAF 101
What is AWS WAF?
Diagram (three slides): good users and bad guys both send requests toward the web server and database; AWS WAF sits in front of the web server and drops the bad traffic in each of three scenarios:
Application vulnerabilities: exploit code aimed at the application
Content abuse: bots and scrapers
Application DDoS
AWS WAF: Rules in action
Monitor security events
AWS WAF: Integrated with AWS
Amazon CloudFront: global content delivery network to accelerate websites, APIs, video content, and other web assets
Application Load Balancer (announcing today): load balancer with advanced request routing, and support for microservices and container-based applications
Why security automation
Spend less time securing your applications; instead, focus on building applications.
We built a WAF that has:
Customizable and flexible rules
Quick rule updates
APIs: integration with DevOps
... allowing several WAF automation strategies
AWS WAF security automation strategies
Provisioning WAF, Configuring rules, Importing rules, Automated incident response, Learning-based protections
... to spend less time securing applications
Provisioning AWS WAF
Step 1: Create a web ACL
Step 2: Add rules
Rule 1: Whitelist [ALLOW]
Rule 2: Blacklist [BLOCK]
Rule 3: Common protection [BLOCK]
Step 3: Add conditions to the rules
Rule 1: Whitelist [ALLOW], condition: IP whitelist
Rule 2: Blacklist [BLOCK], condition: IP blacklist
Rule 3: Common protection [BLOCK], conditions: SQL injection, URL match
Step 4: Associate the web ACL with an Amazon CloudFront distribution or an ALB
Provisioning AWS WAF: Reuse
Spend less time by reusing WAF rules
Rule 1: Whitelist [ALLOW], condition: IP whitelist (internal IPs)
Rule 2: Blacklist [BLOCK], condition: IP blacklist (known bad)
Rule 3: Common protection #1 [BLOCK], conditions: SQL injection, URL match
Rule 4: Common protection #2 [BLOCK], condition: XSS match
Web ACL #1 protects ALB 1 (dev env); Web ACL #2 protects ALB 2 (prod env). The same rules are shared by both web ACLs, and ALB 3 (a new app) is protected by reusing them rather than building rules from scratch.
Provisioning AWS WAF
Quickly fix vulnerabilities
Example: CVE-2016-538
• Server-side web applications that turn the request's Proxy header into the HTTP_PROXY environment variable
• An attacker can redirect the application's outbound HTTP requests through a proxy they control and intercept the connection between client and server.
Quick solution: use AWS WAF to configure a rule that detects and blocks web requests containing a Proxy header.
Rule 5: CVE-2016-538 [BLOCK], condition: header match (Proxy header), added to the existing web ACLs alongside Rules 1-4.
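The web ACL built up over the provisioning slides, including the header-match rule above, as an added example (not code from this deck or from AWS): a stand-alone Python model of how a WAF classic web ACL evaluates one request, namely rules in priority order, the first matching ALLOW/BLOCK rule decides, COUNT rules only count, and the web ACL's default action applies when nothing matches. The address ranges, paths, the "Proxy" header name and the two regexes standing in for the SQL injection and XSS match sets are assumptions chosen for this example; the real conditions are created through the WAF API and apply text transformations (URL decoding and so on) that this model does not.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    client_ip: str
    uri: str
    query: str = ""
    headers: dict = field(default_factory=dict)


# Conditions (the WAF "match sets"); each returns True when the request matches.
def ip_match(cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.client_ip) in n for n in nets)


# Assumption: small regexes stand in for the service's SQLi and XSS match sets.
SQLI_RE = re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\b)")
XSS_RE = re.compile(r"(?i)(<\s*script|javascript:|on\w+\s*=)")


def pattern_match(regex, parts=("uri", "query")):
    return lambda r: any(regex.search(getattr(r, p)) for p in parts)


def uri_starts_with(prefix):
    return lambda r: r.uri.startswith(prefix)


def header_present(name):
    """Matches any request carrying the header at all, whatever its value."""
    return lambda r: any(k.lower() == name.lower() for k in r.headers)


@dataclass
class Rule:
    priority: int
    name: str
    action: str        # ALLOW, BLOCK or COUNT
    predicates: list   # all predicates must match, as in a WAF rule


@dataclass
class WebACL:
    rules: list
    default_action: str = "ALLOW"

    def evaluate(self, request):
        """First matching ALLOW/BLOCK rule decides; COUNT rules only count."""
        for rule in sorted(self.rules, key=lambda x: x.priority):
            if all(p(request) for p in rule.predicates):
                if rule.action == "COUNT":
                    continue
                return rule.action, rule.name
        return self.default_action, "default action"


def slide_web_acl():
    """Rules 1-5 from the slides; address ranges are RFC 5737 documentation space."""
    return WebACL(rules=[
        Rule(1, "Whitelist", "ALLOW", [ip_match(["10.0.0.0/8"])]),
        Rule(2, "Blacklist", "BLOCK", [ip_match(["198.51.100.0/24"])]),
        Rule(3, "Common protection #1", "BLOCK",
             [pattern_match(SQLI_RE), uri_starts_with("/login")]),
        Rule(4, "Common protection #2", "BLOCK", [pattern_match(XSS_RE)]),
        Rule(5, "CVE-2016-538 header match", "BLOCK", [header_present("Proxy")]),
    ])


if __name__ == "__main__":
    acl = slide_web_acl()
    for req in [
        Request("10.1.2.3", "/login", "user=' or '1'='1"),      # internal IP: whitelist wins
        Request("198.51.100.7", "/index.html"),                  # known bad: blacklist
        Request("203.0.113.5", "/login", "user=' or '1'='1"),   # SQLi on /login
        Request("203.0.113.5", "/search", "q=' or '1'='1"),     # SQLi outside /login
        Request("203.0.113.5", "/index.html", headers={"Proxy": "http://attacker:8080"}),
    ]:
        print(req.client_ip, req.uri, acl.evaluate(req))
```

Two things the model makes visible that the slides only imply: the whitelist must carry the lowest priority number, otherwise an internal tester sending a SQL injection payload is blocked by Rule 3 before Rule 1 is reached; and because the predicates of one rule are ANDed, pairing the SQL injection condition with a URL match narrows the protection to that path, so the same payload sent to /search falls through to the default action.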
Configuring AWS WAF rules
Preconfigured AWS CloudFormation templates for common protection (diagram: the CloudFormation template deploys the AWS WAF configuration)
Configuring AWS WAF: Common protection
Enable common protections: SQL injection, cross-site scripting
Preconfigured protections: Customer example
Need quick setup and common protections like SQLi, XSS
“Overall, the entire stack so far has been extremely helpful. I truly would say that this stack should almost be a standard built-in for anyone looking to use WAF as I cannot begin to tell you how useful and truly effective it is.”
Award-winning Health & Beauty eTailer
Configuring AWS WAF: Common protection
Demo
Importing AWS WAF rules
Import open-source IP reputation lists into AWS WAF IP match conditions
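What importing a reputation list involves in practice, as an added example (not the deck's or AWS's own sample code): parse the feed, normalise it, diff it against what the IP set already holds, and shape the result into the Updates list that the WAF classic UpdateIPSet call takes. The two feeds below are constructed samples in two common styles (a Spamhaus DROP-like "CIDR ; id" layout and a plain one-address-per-line list); the batch size is a hypothetical limit, not a quoted service quota, and the code does not check the prefix lengths the service accepts, which you must do against the current quotas.

```python
import ipaddress

# Constructed samples, not real list content.
SAMPLE_DROP = """\
; constructed sample in DROP format, not real Spamhaus data
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
198.51.100.128/25 ; SBL000003
"""
SAMPLE_PLAIN = """\
# constructed sample, one address per line; one junk line on purpose
203.0.113.7
203.0.113.8
999.1.1.1
2001:db8::/32
"""


def parse_reputation_list(text):
    """Yield ip_network objects; comments and unparsable lines are skipped
    so that one bad entry in a feed cannot abort the whole sync (log it in production)."""
    for line in text.splitlines():
        token = line.split(";")[0].split("#")[0].strip()
        if not token:
            continue
        try:
            yield ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue


def normalise(networks):
    """Collapse adjacent/overlapping ranges per address family; returns CIDR strings.
    Two adjacent /25s become one /24, keeping the IP set small."""
    nets = list(networks)
    out = []
    for version in (4, 6):
        fam = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(fam))
    return out


def descriptor(cidr):
    """IPSetDescriptor as UpdateIPSet expects it."""
    return {"Type": "IPV6" if ":" in cidr else "IPV4", "Value": cidr}


def ipset_updates(current, desired):
    """Updates for UpdateIPSet: DELETE what dropped off the feed, INSERT what is new.
    Entries that did not change are left alone."""
    current, desired = set(current), set(desired)
    updates = [{"Action": "DELETE", "IPSetDescriptor": descriptor(c)}
               for c in sorted(current - desired)]
    updates += [{"Action": "INSERT", "IPSetDescriptor": descriptor(c)}
                for c in sorted(desired - current)]
    return updates


def batches(updates, size=500):
    """Hypothetical batch size: split so each UpdateIPSet call stays under the limit."""
    return [updates[i:i + size] for i in range(0, len(updates), size)]


def sync_plan(current_cidrs, feeds):
    """current_cidrs: what GetIPSet reports today; feeds: raw list texts."""
    nets = [n for text in feeds for n in parse_reputation_list(text)]
    return batches(ipset_updates(current_cidrs, normalise(nets)))


if __name__ == "__main__":
    for batch in sync_plan(["192.0.2.0/24", "203.0.113.99/32"], [SAMPLE_DROP, SAMPLE_PLAIN]):
        for u in batch:
            print(u["Action"], u["IPSetDescriptor"])
```

Each batch is what you pass, together with a fresh change token, as the Updates parameter of UpdateIPSet; diffing rather than replacing means an entry that is still on the feed never leaves the set, so there is no window in which a listed address is unblocked.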
Why security automation
Traditional incident response (diagram): good users and bad guys reach the server through AWS WAF; logs feed threat analysis, which raises a notification to a security engineer, who then updates the WAF rules.
Automated incident response (diagram): the same loop, but a rule updater consumes the threat analysis and updates the AWS WAF rules directly; the security engineer is still notified.
Security automation: Use cases
HTTP floods; scans and probes
Use cases that static rules cannot protect against effectively, because the attacking sources are not known in advance
Automated incident response: Customer example
MapBox uses WAF to protect from bots (diagram: good users and bad guys reach the server through AWS WAF; logs feed threat analysis, and a rule updater pushes the result back into AWS WAF)
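The threat-analysis step of that loop for the two use cases on the slides (HTTP floods, and scans and probes), as an added example that is not the deck's or MapBox's rule updater: it runs over CloudFront access log records in the standard log format shown later in this deck and emits the UpdateIPSet entries that the rule updater would push into the blacklist. The log lines are constructed for the example and the thresholds are assumptions; tune them against your own traffic before anything is blocked automatically.

```python
from collections import Counter
from datetime import datetime

# Field order of the CloudFront standard access log.
FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
          "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
          "x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes "
          "time-taken x-forwarded-for ssl-protocol ssl-cipher "
          "x-edge-response-result-type cs-protocol-version").split()
EPOCH = datetime(1970, 1, 1)


def parse_cloudfront(text):
    """Yield one dict per record; '#' header lines and short/garbled rows are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))


def _rec(ts, ip, uri, status):
    """Build one constructed, tab-separated, 24-field log line."""
    d, t = ts.split(" ")
    row = [d, t, "FRA2", "182", ip, "GET", "d111111abcdef8.cloudfront.net", uri,
           str(status), "-", "curl/7.47.0", "-", "-", "Miss", "reqidEXAMPLE",
           "d111111abcdef8.cloudfront.net", "https", "0", "0.010", "-", "TLSv1.2",
           "ECDHE-RSA-AES128-GCM-SHA256", "Miss", "HTTP/1.1"]
    return "\t".join(row)


def constructed_log():
    """Constructed sample: one normal user, one flooding IP, one scanner."""
    lines = ["#Version: 1.0", "#Fields: " + " ".join(FIELDS)]
    for i in range(5):                       # normal user: 5 requests in the minute
        lines.append(_rec(f"2016-01-19 10:00:{i:02d}", "203.0.113.10", "/index.html", 200))
    for i in range(300):                     # HTTP flood: 300 requests in one minute
        lines.append(_rec(f"2016-01-19 10:00:{i % 60:02d}", "198.51.100.7", "/search", 200))
    for i, path in enumerate(["/wp-login.php", "/phpmyadmin/", "/.env",
                              "/admin", "/.git/config", "/backup.zip"]):
        lines.append(_rec(f"2016-01-19 10:00:{i:02d}", "192.0.2.66", path, 404))
    return "\n".join(lines)


def detect(records, flood_threshold=200, probe_threshold=5, window_seconds=60):
    """Return {client_ip: reason}. Flood: more than flood_threshold requests from
    one IP inside a window; probe: more than probe_threshold 4xx responses."""
    hits, errors = Counter(), Counter()
    for r in records:
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        bucket = int((ts - EPOCH).total_seconds()) // window_seconds
        hits[(r["c-ip"], bucket)] += 1
        if r["sc-status"].startswith("4"):
            errors[(r["c-ip"], bucket)] += 1
    bad = {}
    for (ip, _), n in hits.items():
        if n > flood_threshold:
            bad[ip] = "http flood"
    for (ip, _), n in errors.items():
        if n > probe_threshold and ip not in bad:
            bad[ip] = "scan/probe"
    return bad


def blacklist_updates(bad_ips):
    """INSERT entries for the blacklist IP set (Rule 2 on the provisioning slides)."""
    return [{"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": f"{ip}/32"}}
            for ip in sorted(bad_ips)]


if __name__ == "__main__":
    flagged = detect(parse_cloudfront(constructed_log()))
    print(flagged)
    print(blacklist_updates(flagged))
```

A Lambda function on a schedule (or triggered by each new log object in S3) would run detect over the latest logs and apply the updates; a matching expiry job that removes entries after a cool-down period keeps a NAT gateway that was flooding for five minutes from being blocked forever.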
What is machine learning
Machine learning is the technology that automatically finds patterns in your data and uses them to make predictions for new data points as they become available
Your data + machine learning = smart applications
Amazon Machine Learning
Easy-to-use, managed machine learning service built for developers
Robust, powerful machine learning technology based on Amazon’s internal systems
Create models using your data already stored in the AWS Cloud
Deploy models to production in seconds
AWS WAF with Amazon Machine Learning
A PoC on learning-based WAF
The problem: detect requests from domain generation algorithms
Solution: use the Referer header to detect bad domains visiting my website, based on machine learning
1. Data preparation: feature engineering
2. Train model based on known good and bad domains (good domains: Alexa top 10,000; bad domains: known phishing domains)
3. Evaluate using real data: raw CloudFront access logs, shown here one record per line
#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version
2014-05-23 01:13:11 FRA2 182 192.0.2.10 GET d111111abcdef8.cloudfront.net /view/my/file.html 200 www.displaymyfiles.com Mozilla/4.0%20(compatible;%20MSIE%205.0b1;%20Mac_PowerPC) - zip=98101 RefreshHit MRVMF7KydIvxMWfJIglgwHQwZsbG2IhRJ07sn9AkKUFSHS9EXAMPLE== d111111abcdef8.cloudfront.net http - 0.001 - - - RefreshHit HTTP/1.1
2014-05-23 01:13:12 LAX1 2390282 192.0.2.202 GET d111111abcdef8.cloudfront.net /soundtrack/happy.mp3 304 www.unknownsingers.com Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%205.1) a=b&c=d zip=50158 Hit xGN7KWpVEmB9Dp7ctcVFQC4E-nrcOcEKS3QyAez--06dV7TEXAMPLE== d111111abcdef8.cloudfront.net http - 0.002 - - - Hit HTTP/1.1
AWS WAF with Amazon Machine Learning: Demo
How good is our machine learning model
Category | Result
Accuracy | 98%
Recall (true positive rate) | 78%
False positive rate | 1%
True negative rate | 99%
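The feature-engineering step of the PoC and the arithmetic behind the result table, as an added example that is not the deck's PoC code: it pulls the Referer host out of CloudFront records, computes a feature row per host of the kind a domain classifier is trained on, and computes the four metrics in the table from a confusion matrix. The particular features (second-level-label length, character entropy, vowel and digit ratios, longest consonant run) are common DGA indicators and are an assumption about what the PoC used, not a description of it; the confusion-matrix counts in the usage note are likewise constructed.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit


def referrer_host(referer):
    """Normalise the cs(Referer) field to a bare lower-case host, or None when absent ('-')."""
    if referer in ("", "-"):
        return None
    if "://" not in referer:          # CloudFront may log a bare host
        referer = "http://" + referer
    host = urlsplit(referer).hostname
    return host.lower().rstrip(".") if host else None


def shannon_entropy(s):
    """Bits per character; DGA labels score high, dictionary words low."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def domain_features(host):
    """One feature row (a dict, so it maps straight onto a CSV header) for a host."""
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]   # label left of the TLD
    length = len(sld)
    vowels = sum(ch in "aeiou" for ch in sld)
    digits = sum(ch.isdigit() for ch in sld)
    runs = re.findall(r"[b-df-hj-np-tv-z]+", sld)
    return {
        "host": host,
        "sld_len": length,
        "entropy": round(shannon_entropy(sld), 3),
        "vowel_ratio": round(vowels / length, 3) if length else 0.0,
        "digit_ratio": round(digits / length, 3) if length else 0.0,
        "max_consonant_run": max((len(r) for r in runs), default=0),
        "label_count": len(labels),
    }


def feature_rows(referers):
    """One row per distinct Referer host seen in the logs, ready to write as CSV."""
    hosts = sorted({h for h in map(referrer_host, referers) if h})
    return [domain_features(h) for h in hosts]


def model_metrics(tp, fp, tn, fn):
    """The four numbers in the slide table, from a confusion matrix."""
    total = tp + fp + tn + fn
    return {
        "accuracy": (tp + tn) / total,
        "recall": tp / (tp + fn),                 # true positive rate
        "false_positive_rate": fp / (fp + tn),
        "true_negative_rate": tn / (fp + tn),
    }


if __name__ == "__main__":
    # Constructed Referer values, including one DGA-looking host.
    for row in feature_rows(["-", "www.displaymyfiles.com", "http://xk3jq9fz2vm.com/landing"]):
        print(row)
    print(model_metrics(tp=78, fp=19, tn=1881, fn=22))
```

The metrics function makes one thing in the table explicit: 98% accuracy next to 78% recall only fits a skewed test set. With a constructed matrix of 100 bad and 1,900 good domains (78 true positives, 22 misses, 19 false positives) accuracy is 97.95%, recall 78%, false positive rate 1% and true negative rate 99%, matching the slide; most of the accuracy comes from the good domains. For a blocking rule the false positive rate and recall are the numbers to watch, not accuracy.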
Summary
Spend less time securing your applications; instead, focus on building applications.
Provisioning WAF: reuse rules
Configuring rules: configure common protections in minutes using CloudFormation templates
Importing rules: automated reputation lists from external sources
Automated incident response: advanced application-specific firewall rules
Learning-based protections: smart adaptive protections using Amazon ML
Remember to complete your evaluations!
Thank you!
Get started with AWS WAF: https://console.aws.amazon.com/waf