Contenu connexe Similaire à Protect your applications from DDoS/BOT & Advanced Attacks Similaire à Protect your applications from DDoS/BOT & Advanced Attacks (20) Plus de Amazon Web Services Plus de Amazon Web Services (20) Protect your applications from DDoS/BOT & Advanced Attacks1. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Protect your Applications from
DDoS / BOT & Advanced Attacks
AWS x F5
Peter Chan
Solutions Architect
Amazon Web Services
Ryan Lo
Regional Manager
Shape Security Solutions
Engineering
F5 Networks
Clive Chan
Manager
Solutions Engineering
F5 Networks
2. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Common External Threats
SQL Injection
Cross-site Scripting (XSS)
OWASP Top 10
Common Vulnerabilities and
Exposures (CVE)
SYN Floods
Reflection/Amplification
Web Request Floods
Crawlers
Content Scrapers
Scanners & Probes
Credential Stuffing
Denial of Service App Vulnerabilities Bots
3. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
ü Well Architected Application
ü Traffic monitoring for detection and alerts
ü Operations and Incident response
Cloud native
approach
Mitigation approach
4. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
AWS Shield Standard
Protects AWS services
against common DDoS
attacks
AWS WAF
Protects web applications by
allowing you to write custom
rules or choose managed rules
from AWS or the AWS
Marketplace.
AWS Shield Advanced
Resource specific detections,
advanced mitigation, access to
SRT, enhanced visibility and
economic protection
AWS Firewall Manager
Centrally configure and
manage security rules
across accounts and
applications
Protecting the Application Perimeter
5. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
ü Available at no additional charge
ü Baselining and anomaly detection across all AWS
ü Mitigation with proprietary packet filtering stacks
using suspicion based scoring
ü Automatic defense against the most common
network and transport layer DDoS attacks for any
AWS resource, in any AWS Region
ü Comprehensive defense against all known network
and transport layer attacks when using Amazon
CloudFront and Amazon Route 53
Built-in Protection With Shield Standard
Automatic Layer
3/4 protection
Recommended
with CloudFront
and Route 53
6. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Enhanced
Protection
24x7 access to
DDoS Response
Team (DRT)
CloudWatch Metrics
Attack
Diagnostics
Global threat
environment
dashboard
DDoS
Expertise
Visibility &
Compliance
Economic
Benefits
AWS WAF at no
additional cost
for protected resources
AWS Firewall
Manager
at no additional cost
Cost Protection for
scaling
AWS Shield
Standard & Advanced
Built-in DDoS
Protection for
Everyone
7. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
AWS Shield Advanced
8. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Benefits of AWS Shield Standard and Shield Advanced
Detection
and
Mitigation
Faster Mitigation,
Customized to
Your Application
24x7 Shield
Response
Team (SRT)
Pre-Configured
Protection
Point and
Protect Wizard
CloudWatch
Metrics
Attack
Diagnostics
Global Threat
Environment
Dashboard
Quarterly
Security
Report
AWS WAF at No
Additional Cost
For protected resources
AWS Firewall
Manager at No
Additional Cost
Cost Protection
for Scaling
AWS Shield
Proactive
Engagement
9. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Protect Resources with AWS Shield
Amazon CloudFront
AWS Shield
Amazon Route 53
Elastic Load Balancing
AWS Global Accelerator
Elastic IP Address
10. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Easy to configure without changing
your application architecture
Comprehensive protection against DDoS
attack vectors
Near-real time event visibility
Protection from economic attack vectors
AWS Shield
Advanced
Managed Threat Protection
11. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
24x7 access to Shield Response Team
Before Attack
Proactive consultation and
best practice guidance
During Attack
Attack mitigation
After Attack
Post-mortem
analysis
12. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
AWS WAF
13. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Advanced automation: API driven architecture
Frictionless set up: No changes required
Low operation overhead: Ready to use rules
Customizable security: Custom rule engine
AWS WAF
Web Application Protection
14. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Amazon CloudFront
Application Load Balancer
Amazon API Gateway
AWS WAF
Protect Resources With AWS WAF
15. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Option to use a rule building engine or
JSON to create custom rules, and define:
• Type of rule (regular, rate limit)
• Different parts of the request to be
inspected (IP, country, HTTP
attributes..)
• Transformations
• Logical combination of statements
• Action to take (block, allow, count)
• Priority of execution
Rule Groups
16. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Set of pre-configured rules that you can
deploy on your application
• Covers common attack vectors and
threats
• Curated and maintained by threat
research team
• Influenced by OWASP Top 10 Web
Application Security Risks
Available to all customers at no extra
charge
AWS Managed Rules
17. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
• Rules written, updated, and managed by security experts
• Pay as you go: No lock-in or long-term commitment
• Easy to deploy
• Choice of protections
• OWASP Top 10 & other web exploits
• Common Vulnerabilities and Exposures (CVE)
• Bot protection
• IP reputation lists
• CMS rules (WordPress, Joomla, and others)
• Apache and NGINX vulnerabilities
Marketplace Rules
18. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
CloudWatch metrics
• Metrics on every rule
• Allowed | Blocked |
Counted | Passed
Sampled web requests
• Detailed logs of a sample of
requests
• Automatically available for
every rule
Full logs
• Detailed logs of every request
• Optionally enabled for your
web ACL
Use case
Set alarms for
notifications
Use case
Quickly test AWS WAF rules
Easy triaging on the console
Use case
Security analytics, monitoring,
automation, auditing, and
compliance
Visibility options
19. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Dashboards for WAF
SumoLogic
20. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Basic Bot Mitigation using AWS WAF
Amazon Managed Rules for WAF
• Amazon IP reputation list
• Anonymous Proxy list
Rate Based Rules
• AWS WAF RBRs
Advanced bot protection by AWS partner
• F5 Shape Security
21. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
AWS Firewall Manager
22. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Ensure compliance to mandatory
rules across organization
Central management of rules across
accounts & applications
Enable rapid response to attacks
across all accounts
AWS Firewall
Manager
Automatically discover new accounts
and remediate non-compliant events
AWS Firewall Manager
23. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Governance examples
24. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
AWS WAF AWS Shield VPC Security
Groups
AWS
Security Hub
Findings in Security Hub
25. | ©2020 F530
Overview of F5
Managed Security Solutions
Clive Chan
Manager, Solutions Engineering, HK & Macau
26. | ©2020 F531
Average Total Cost
of a Data Breach
Percentage of traffic
that is fake or Bot based
Shortage
of Cybersecurity
Experts
The
Challenges
Number of credentials
stolen or leaked
in 2018
4.07M$3.92M
3
Billion90%
F5 LabsShape Security2019 (ISC)2 Cybersecurity Workforce Study
IBM/Poneman -
2019 Cost of a Data Breach Report
27. | ©2020 F532
Your Options
For customers that have a large poolof
resources and expertise
For customers that have DevOps
environments or have apps that are
constantly changing.
For customers with sufficient
engineering and SOC resources.
For customers that prefer to have their
SOC conduct real-time monitoring and
incident response.
Do It Yourself 3rd Party SecPaaS
For customers able to leverage the
resources to implement, manage and
monitor advanced technical security
services 24x7x365.
For customers looking for multi-cloud
and hybrid (on-premises and cloud)
integrated security.
Managed Security Service
28. | ©2020 F533
F5 Silverline Managed Security Services
100+
Security
Experts
130+
Countries
Serviced
15,000+
Websites
Protected
48
Different
Verticals
9.4/10
Customer
Satisfaction
Proven WAF,API, Fraud and Bot mitigation technology
Protection of network and web/mobile applications
24x7 global SOC
Flexible, reliable, secure and compliant
FOR MODERN AND MULTI-CLOUD BUSINESSES
29. | ©2020 F534
F5 Silverline Managed Services Offerings
Silverline
Shape Defense
Protection against Bots
and sophisticated credential
stuffing and account take over
attacks, carding, and OWASP
Automated Threats
Patented telemetry and signal
collection along with advanced
AI/ML
Silverline Threat
Intelligence
Restrict access to customer’s
networks and infrastructure
for known bad actors (botnets,
scanners, spammers, anonymous
proxies, etc.)
Enable granular threat reporting and
automated blocking
Silverline Web
Application Firewall
Managed provisioning
and service enablement
Expert created WAF policies with
specific customization with
different customer
30. | ©2019 F5 NETWORKS35
F5 Silverline
Managed Services
Global SOC 24x7x365
Continuous Monitoring and Incident
Response
• Seattle, WA, United States
• Warsaw, Poland
• Guadalajara, Mexico
Global Deployment Model
Fully Redundant and Globally Distributed Data
Centers
• San Jose, CA, US
• Ashburn, VA, US
• Columbus, OH, US
• Frankfurt, Germany
• London, UK
• Singapore, SG
• Sydney, AU
| ©2020 F5 NETWORKS35
Active Operations Centers Future Operations CentersSOC Locations
• Hong Kong, HK
• Mumbai, IN
• Montreal, CA
• São Paulo, BR
• Manama, BH
• Tokyo, JP
32. | ©2020 F537 CONFIDENTIAL
F5 Silverline Managed Services Value Proposition
Enables business
transformation
Lowers investment risks
Enables Business
Supports multi-cloud
strategy
No infrastructure to buy
and manage
No capex. No lock-in.
Lower TCO and IT risks
Supports IT
Improved threat
detection and incident
response
Secure access to cloud
and on-premises
applications
Flexible options to ‘right-
size’ the services
Improves Security
Maintains PCI
and HIPAA
Supports customers’
SOX/GDPR/PCI/HIPAA
Reduces time to achieve
and the cost of
managing compliance
Maintains Compliance
33. Protect Your Applications from DDoS &
Advanced Attacks (BOT & Credential
Stuffing)
Ryan Lo
Regional Manager, Solutions Engineering
F5 Shape Security
August 2020
35. Confidential / / Part of F5 4
0
You probably have used Shape before
and using Shape NOW.
We’re the reason you login a lot less and see fewer
CAPTCHAs
?
36. Confidential / / Part of F5 4
1
Ridiculous captchas
2FA by trying to remember your favorite pizza
toppings
Password resets
Currently, the burden of proving known good is on
human users
Lots of repetitive logins
38. Confidential / / Part of F5
Cybercriminals Bypass CAPTCHA Through Solver
Service
Confidential 43
40. Confidential / / Part of F5
CAPTCHA Cannot Stop Bad Actors But Block the
Real Users
Confidential 45
41. Confidential / / Part of F5
Currently, the burden of proving known good is on
human users
Confidential
Nintendo suggests users to secure their Nintendo Account by enabling 2-Step Verification
46
42. Confidential / / Part of F5
Fraud occurs when Criminals act like Legitimate
Users
?
?
?
?
Users
(criminals mixed in with good
users)
Web, Mobile Apps and API
Endpoint
(serve good users & criminals alike)
Criminals
(not evident until it’s too
late)
Organisations must be open to anyone, anywhere, on any device
43. Confidential / / Part of F5
Retail – Reward Program Aggregators
They provide a valuable alternative
44. Confidential / / Part of F5
Retail – Reward Program Aggregators
How do fintechs and rewards program operators differentiate good from bad users?
45. Confidential / / Part of F5
Retail – Reward Program Aggregators
They provide a valuable alternative
46. Confidential / / Part of F5
Retail – Reward Program Aggregators
They provide a valuable alternative
47. Confidential / / Part of F5
Retail – Reward Program Aggregators
They provide a valuable alternative
48. Confidential / / Part of F5
Retail - Inventory Lockout
How many Bots are in front of you?
51. Confidential / / Part of F5
Retail - Sneaker Bots
Shape signals can identify device farms
52. Confidential / / Part of F5
Travel - Inventory Scraping
Scrapers are increasing the airline’s infrastructure costs and affecting the airline’s ability to
manage revenue
53. Confidential / / Part of F5
Travel - Inventory Scraping
How to simulate user behavior through Selenium
Attackers started with developer libraries
like Selenium and Puppeteer before
creating custom tools.
54. Confidential / / Part of F5
Results - A Fortune Global 2000 Customer
April May June
6M
5M
4M
3M
2M
1M
0
HUMAN DETECTED & BLOCKEDDETECTED & FLAGGEDPOSTS TO /LOGIN EVERY THREE HOURS
Mitigation Mode (on attacker fingerprints)
Mitigation Mode (on new fingerprint
Attacker Gives Up
Retool Detected in Stage II (update Stage
I)
Observation Mode (flagging only)
55. Confidential / / Part of F5
Multi-stage detection is paramount
Shape provides multi-stage detection as a service
WEB & MOBILE BROWSER
INTERNET
NATIVE MOBILE APPS
Mobile SDK
CUSTOMER ORIGIN SERVERS
24x7
STAGE IISTAGE I
MACHINE LEARNING
ARTIFICIAL INTELLIGENCE
Good Traffic
Bad Traffic
AWS CloudFront
JS
56. Confidential / / Part of F5
Reducing Friction, Fraud and Fiction
61
Identify and mitigate unwanted traffic
Differentiate good customers from bad customers
Create a friction free user experience and increase revenue
57. Confidential / / Part of F5
Multi-stage detection is paramount
Shape provides multi-stage detection as a service
WEB & MOBILE BROWSER
INTERNET
NATIVE MOBILE APPS
Mobile SDK
CUSTOMER ORIGIN SERVERS
STAGE IISTAGE I
LOAD BALANCER
MACHINE LEARNING
ARTIFICIAL INTELLIGENCE
appliance
Good Traffic
Bad Traffic
COMPANY COUNTRY SECTOR FUNDING ($ MIL.)
58. Confidential / / Part of F5
Multi-stage defense enables long term efficacy
Actual Shape customer’s journey to less than 1% automation
2019
78
%
Automated
<1
%
Automated
2018
59. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Q & A
60. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Thank you
Please give us feedbacks!
61. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Private subnet
Protecting web applications
Amazon CloudFront
Amazon Route 53
AWS WAF
AWS Cloud
Public subnet
ALB
AWS Edge Services Region
AWS WAF
Compute Capacity
Amazon S3
Shield Advanced protected resource
VPC
62. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Public subnet
Protecting latency sensitive applications
AWS Global Accelerator
Amazon Route 53
AWS Cloud
Network Load Balancer
AWS Edge Services
TLS
Region
Private subnet
Compute Capacity
Shield Advanced protected resource
EI
P
VPC
63. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential EDGE Services
Costs
Service Cost
WAF
Web ACL $5.00 per month (prorated hourly)
Rule $1.00 per month (prorated hourly)
Request $0.60 per 1 million requests
Firewall Manager
Charges incurred by AWS Firewall Manager are
for the underlying services, such as AWS
Config(additional charges may apply if not
subscribed to Shield Advanced)
Shield Advanced
Subscription Commitment 1 Year*
Monthly Fee per Organization $3,000.00
Data Transfer Out Usage Fees Apply