Why Network and Endpoint Security Isn’t Enough
•Télécharger en tant que PPTX, PDF•
6 j'aime•2,111 vues
The rise in high-profile breaches demonstrates that traditional security defenses are no longer enough. Endpoint and network security cannot defend against sophisticated attacks or compromised insiders. View this presentation and learn: - Why traditional security measures fail to stop web attacks and data breaches - How modernized best practices safeguard against web application attacks - What strategies enable scalable data protection and simplified audits
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (15)
Similaire à Why Network and Endpoint Security Isn’t Enough
Similaire à Why Network and Endpoint Security Isn’t Enough (20)
Plus de Imperva
Plus de Imperva (18)
Dernier
Dernier (20)
Why Network and Endpoint Security Isn’t Enough
- 1. © 2015 Imperva, Inc. All rights reserved. Why Network and Endpoint Security Isn’t Enough Cheryl O’Neill, Dir. Product Marketing, Data Security Narayan Makaram, Dir. Product Marketing, Application Security October 22, 2015
- 2. © 2015 Imperva, Inc. All rights reserved. Speakers 2 Cheryl O’Neill Director, Product Marketing, Database Security, Imperva Narayan Makaram Director, Product Marketing, Application Security, Imperva
- 3. © 2015 Imperva, Inc. All rights reserved. Agenda • Why traditional network/endpoint security measures are not enough • Best practices for Web Application Protection • Strategies for scalable and proactive Data Protection • Other tips for improving security posture 3
- 4. © 2015 Imperva, Inc. All rights reserved. Perimeter Is Not Enough Current Challenges 1 4
- 5. © 2015 Imperva, Inc. All rights reserved. Risks Are Moving Up The Stack 5 RISKS Physical Networks Endpoints Data Applications Users Single Geo-location Multiple Geo-locations Single Company Multiple Suppliers/Partners Desktops/Laptops Mobile BYOD Data Center Private/Hybrid Cloud Intranet Apps Internet Apps, SaaS Trusted Users Untrusted Users/Hackers
- 6. © 2015 Imperva, Inc. All rights reserved. www.xyz.com www.xyz.com dataapps Users, Applications, and Data Risks 6 Business Security: -Who can access data? -How are apps protected? -Are we compliant? NG FW, IPS, IDS Technical Attacks Logic Attacks Account Takeover Fraud Usage User Rights Unauthorized Access • E-Commerce • E-Banking • E-Health • Financial data • Creditcard data • PII Users Careless employees Malicious insiders Compromised users INTERNAL Customers Partners Employers Hackers EXTERNAL
- 7. © 2015 Imperva, Inc. All rights reserved. Web Application Security Best Practices 2 7
- 8. © 2015 Imperva, Inc. All rights reserved.8 Adobe 36,000,000 Target 70,000,000 EBAY 145,000,000 Anthem 80,000,000 Home Depot 56,000,000 JPMC 76,000,000 US OPM 21,000,000 201520142013 Evernote 50,000,000 Primera 11,000,000 Ashley Madison 39,000,000 Majority of Security Breaches Caused by Web App Attacks • 75% of cyber-attacks target web applications1 • 79 average number of serious vulnerabilities / website2 • 1 in 5 vulnerabilities allowed access to sensitive data3 $ 5.85M in 2014 average cost of a data breach in US alone, up from $5.4M in 20134 1. Gartner Research 2. WhiteHat Website Security Statistics Report, 12th Edition 3. 2015 Internet Security Threat Report 4. 2014 Ponemon Cost of Breach Report
- 9. © 2015 Imperva, Inc. All rights reserved. TR Preventing Web Application Attacks NG Firewall IPS/IDS 9 Web Servers web app attacks - Technical attacks OWASP Top 10 - bad IPs, bad bots, DDoS attacks account takeover fraudulent transactions network access control user/app access control non web app attacks intrusion prevention Imperva ThreatRadar • Reputation Service • Bot & DDoS Protection • Account Takeover Protection • Fraud Prevention Service Threat Intelligence Services Web App Firewall Imperva legitimate traffic
- 10. © 2015 Imperva, Inc. All rights reserved. Defenses Required to Protect Web Applications 10 CorrelatedAttackValidation VirtualPatching DDoSProtection Dynamic Profiling Attack Signatures Protocol Validation Cookie Protection Fraud Connectors IP Geolocation IP Reputation Anti-Scraping Policies Bot Mitigation Policies Account Takeover Protection Technical Vulnerabilities Business Logic Attacks and more
- 11. © 2015 Imperva, Inc. All rights reserved. Next Generation Firewalls & IPS – Easy to Evade 11 CorrelatedAttackValidation VirtualPatching DDoSProtection Dynamic Profiling Attack Signatures Protocol Validation Cookie Protection Fraud Connectors IP Geolocation IP Reputation Anti-Scraping Policies Bot Mitigation Policies Account Takeover Protection Technical Vulnerabilities Business Logic Attacks
- 12. © 2015 Imperva, Inc. All rights reserved. Correlation Improves Efficiency and Productivity 12 Removes Unwanted Traffic Reduces Threats Increases Accuracy Improves SOC Efficiency Improves User Protection SecureSphere WAF Correlation EngineProtocolValidation AttackSignatures ApplicationProfiling TRBotProtection* TRATOProtection* TRReputationService* * ThreatRadar (TR) threat intelligence feeds
- 13. © 2015 Imperva, Inc. All rights reserved. WAF Deployment Scenarios Confidential13 On-Premises WAF WAF Web Servers WAF for AWS WAF Web Servers Web Servers Cloud WAF
- 14. © 2015 Imperva, Inc. All rights reserved. Gartner “Magic Quadrant for Web Application Firewalls” by Jeremy D'Hoinne, Adam Hils, Greg Young, Nicole Papadopoulos, 15 June 2015. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Imperva. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. THE ONLY LEADER TWO CONSECUTIVE YEARS Gartner Magic Quadrant for Web Application Firewalls
- 15. © 2015 Imperva, Inc. All rights reserved. Data Protection Strategies Data Protection Strategies 3 15
- 16. © 2015 Imperva, Inc. All rights reserved. Database auditing and protection is a complex subject 16
- 17. © 2015 Imperva, Inc. All rights reserved. Must Do vs. Should Do • The overlap amount of regulation and security varies org to org. • Driving Audit by regulation only leaves private non-regulated data free for the taking. Regulation SecurityPCI HIPAA NERC ISO EU MAS Data Addresses Names Passwords Int. Property Phone Numbers Salary 17
- 18. © 2015 Imperva, Inc. All rights reserved. Database Audit and Protection is a Cross-Departmental Function • Regulatory Compliance – IT Risk & Audit & DBAs • Corporate/Best Practice Policy Adherence – IT Risk & Audit, DBAs & Security • Forensic Data/Security Visibility - Security • Change Control Reconciliation – Security & DBAs • Measure DB Performance and Function - DBAs • Application Development Testing/Verification – DBAs & App Development • Etc… 18
- 19. © 2015 Imperva, Inc. All rights reserved. Overlapping Initiatives Common Requirements 19 • Sensitive Data Auditing • Data Theft Prevention • Data Across Borders Risk and legal • Database Virtual Patching • Change management and reconciliationIT • Malware and Targeted Attacks Defense • VIP Data Privacy • Ethical Walls Line of Business Assessment and Risk Management User Rights Management Audit and Reporting Attack Protection
- 20. © 2015 Imperva, Inc. All rights reserved. Map Requirements to an Data Audit and Protection Lifecycle Discover Assess Set Controls Audit & Secure Measure & Report Review, certify and investigate Sensitive data Vulnerabilities and security gaps Access rights and policies Monitor, alert and block 20
- 21. © 2015 Imperva, Inc. All rights reserved. Prioritize and Classify Your Risk 21 Cardholder Card Intellectual Property Email Financial Personal Information Data Classification Unauthorized Alert Access • Locate all databases • Find and classify sensitive information by policy, BU, etc... • Auto create protection and compliance policies from the result Discover SecureSphere Rogue SSN Credit Cards PII
- 22. © 2015 Imperva, Inc. All rights reserved. Stop Data Theft Before It Happens 22 PCI Data PCI Reports ATM & PIN Access Logs • Dynamic behavior profiling • Alerts and blocking • Malware detection integration (2 way) • Web Application Firewall (WAF) activity correlation Protect Hacker Database Users PCI Policies Security Policies
- 23. © 2015 Imperva, Inc. All rights reserved. • Dynamic behavior profiling • Alerts and blocking • Malware detection integration (2 way) • Web Application Firewall (WAF) activity correlation Protect Stop Data Theft Before It Happens 23 PCI Data PCI Reports ATM & PIN Hacker Database Users PCI Policies Security Policies Access Logs UPDATE orders set client ‘first Unusual Activity X Allow Block Network User, DBAs, Sys Admin X
- 24. Automate and Simplify Compliance 24 • Establish an automated access rights review process • OOTB policies, workflows and policy specific reports • Consistent deployment and enforcement across all systems Comply PCI, HIPAA, SOX… Dashboard, Policy specific and custom reports Email Alert SIEM - SPLUNK
- 25. © 2015 Imperva, Inc. All rights reserved. SecureSphere Deployment Architecture 25 MX Management MX Management Users • Flexible deployment • Fully transparent • Rapid deployment • High availability • Clustering • Appliance or virtual • Multiple modes: agent, spanning, bridge • Broad coverage • Out of the box content AWS cloud enabled Gateway Gateway
- 26. © 2015 Imperva, Inc. All rights reserved. “Imperva blows them away in terms of response time, time to resolution, and uptime of the system. I would put them at Best in Class. We essentially maintained 100% uptime over a 3 year period.” Ross, Bobenmoyer, VP Information Security, Republic Bancorp, September 2015 26
- 27. © 2015 Imperva, Inc. All rights reserved. Other Tips For Improving Security Posture 4 27
- 28. © 2015 Imperva, Inc. All rights reserved. Tips For Improving Overall Security Posture Web Application Security • Deploy WAF in front of all external web apps • Get real-time threat intelligence feeds • Foster secure web development practices • Schedule regular vulnerability scans for apps • Integrate with vulnerability scanners and SIEM • Ensure WAF provides flexible deployment options 28 Data Security • Have a plan and know desired results needed • Know and classify your data • Implement a universal platform and policies • Audit what matters – don’t audit what doesn’t • Constantly think security – TEST IT • Look to the future – scale, cloud, Big Data
- 29. © 2015 Imperva, Inc. All rights reserved. Perimeter Is Not Enough Q&A 3 29
- 30. © 2015 Imperva, Inc. All rights reserved. Imperva Technical Deep Dive Demo Series Upcoming Demos: • October 27: Imperva Incapsula DDoS Protection • November 3: Imperva Skyfence • November 10: Imperva SecureSphere Web Application Firewall • November 17: Imperva SecureSphere Database Activity Monitor Register Now: imperva.com/go/techdemo 4 30
- 32. © 2015 Imperva, Inc. All rights reserved.32 WAF Web Servers WAF for AWS and Azure Web Servers Imperva Cloud WAF/CDN On-Premises WAF WAF Web Servers External Facing Applications Internal Facing Applications B2B/Trusted Users & Networks On-Premises WAF WAF Web Servers ERP SharePoint Training HR Intranet Portal Development Etc… SSO or VPN Partner A Partner B Partner C Multi-Faceted Application Landscape
Notes de l'éditeur
- Why traditional security measures are not enough to prevent web attacks? Growth of security breaches, what %age are web application attacks What are the challenges with securing web application Why is network and endpoint security not enough What are the best practices for web application security? Focus moving towards securing Data, Applications, and Users How are IT/Security Ops trying to address challenges Key stakeholders and use-cases How are customers secure web applications on-premises/cloud? How can a WAF address these requirements What deployment scenarios should be supported
- With IT infrastructure going through a major transformation, protecting physical sites, networks, and endpoints protection is not enough – they could be compromised . IT security is now focused on protecting the top of the stack – Data, Applications, and Users. Physical transformation – As companies move to multiple geographies, all sites may not have same level of physical security Networks – with companies connected to suppliers and partners, flaws in network isolations create loop-holes. Target – a prime example Endpoints – with increasing use of BYOD, laptop’s and mobile devices may be compromised while they are outside the network. Data – moving from data centers to the cloud. Data is also exposed to insider threats (compromised/malicious insiders) Applications – more web apps and SaaS apps being developed to boost on-line business Users – User community is untrusted, because it could be anyone on the internet who has access to your website or cloud app
- As focus moves to Users, Applications, and Data, the main security questions that businesses need to ask are: Who has access to data from outside and inside the company? How are applications protected from web attacks and data breaches? Are we compliant to industry regulations and standards? <click> Company Assets include: Structured data in data bases Unstructured data in files Web applications which give user access to data How can you “holistically” secure data, applications, and users. <click> EXTERNAL THREATS: You have customers, partners, employees, and hackers, who can by-pass perimeter security and launch web-attacks – technical, logic, account takeover, and committing fraud.. <click> You can install a WAF in front of the web-applications to prevent these types attacks by installing a WAF in front of all external facing web applications. <click> In addition, WAF integrates with vulnerability scanners to automatically patch using WAF policies, and vulnerabilities detected in the app. <click> INTERNAL THREATS: You have employees, malicious insiders, and endpoints that have been already compromised by malware. You may not be monitoring Usage or User Rights, nor blocking Unauthorized access. <click> With DCAP (Data Centric Audit and Protection), you can centrally monitor and control access to all databases, SharePoint and files where the data resides. You can also discover and classify assets based on sensitivity, and monitor privileged access.
- Large scale data breaches continue to occur in spite of the money companies are spending on security defenses. Cyber criminals have stolen millions of records including user credentials, credit cards, SSN numbers, medical records and intellectual property. 75% of the cyber-attacks target web-applications according to Gartner Research, because they are easily accessible from the internet, and they provide lucrative entry points to valuable data. Web attacks are common because most websites today contain vulnerabilities. An average of 79 serious vulnerabilities exist per web-site according to WhiteHat website security stats. 1 in 5 vulnerabilities discovered on legitimate websites were considered critical – allow attackers to access sensitive data, alter websites content, compromise visitors computers As a result, data breaches due to web application attacks have been increasing. $5.85 M is the average cost per data breach accoring to the latest Ponemon Report
- Web Application Firewall protect in-coming HTTP traffic against web-based attacks that easily by-pass NG Firewalls, such as SQL-Injection, Cross Site Scripting, and those in the OWASP top-10. WAF customers can subscribe to the following Threat Radar services: Reputation: Insights based on reputation of source IP address Bot Protections: distinguishes threats coming from humans and bot networks Account Takeover protection: Protects website user accounts from attack and takeover – This a new subscription service is part of the latest SecureSpehere 11.5 release.
- The most critical capability of any WAF is accuracy. There are some user activities that are obviously bad that need to be blocked, and there are some activities that are clearly OK that should be allowed through. The hard part is dealing with that gray zone – with things that aren’t clearly bad or good at first glance. A WAF needs to be accurate, especially in this gray zone, so that it can stop the hackers and let your customers, partners and employees through. The best way to deal with that gray area is by inspecting web application traffic at multiple layers and correlating across the layers. Think about technical attacks that exploit application vulnerabilities through methods like SQL injection and cross-site scripting... You need to understand what’s normal application activity and what’s unusual activity. To do that, a WAF needs to learn applications by profiling use. And, that learning has to be ongoing, because applications are always changing and evolving, so learning should be dynamic. That is what Dynamic Profiling provides. Of course, you also need to look for, and stop, known patterns of bad behavior, using attack signatures. And, a WAF needs to identify when something is wrong with the HTTP mechanics – is someone is tampering with the protocol, with cookies, for example trying to hijack a user session. Again, to address technical attacks, you need to look at those layers and correlate across them. The same holds true for attacks on the business logic of applications via site scraping, comment spam, and application-layer DDoS. That’s where it’s important for a WAF to have IP reputation awareness, and bot identification and mitigation capabilities so it can recognize known malicious users or automated bots before they have the chance to scrape your site content or attack. Finally, WAFs should help prevent fraud by detecting user devices that are infected with malware, are suspicious or have performed fraudulent transactions in the past. Correlating across all of these defensive layers using pre-defined and custom policies delivers extremely accurate attack detection.
- If you compare Web Application Firewalls to Intrusion Prevention Systems and Next Generation Firewalls, the differences are clear. While these products may contain a handful of attack signatures, they are not effective at stopping Web application attacks. They do not have sophisticated security engines that can analyze Web application profile violations, keywords, and protocol violations together to correctly identify Web attacks. Secondly, they can’t stop threats like bots or protect cookies or sessions. They typically do not offer any type of reputation-based protection and if they do, it is focused on email spammers, not Web threats. Moreover, IPS’s cannot stop business logic attacks like site scraping and application DDoS and they can’t prevent Web fraud. In addition, many IPS products can’t even decrypt SSL traffic. +++++++++++++++++++++++++ Because of this, IPS’s suffer from a high rate of false positives and false negatives when attempting to stop Web application attacks. In addition, it is easy for hackers to evade them by using encoding or exploiting custom application vulnerabilities. Businesses that wish to avoid the painful consequences of a Web application attack need to deploy a Web application firewall.
- Any WAF solution should provide flexible and scalable deployment options On-Premises WAF: Protects on-prem web-sites with an on-prem WAF solution, with HA and load-balancing capabilities Cloud-based WAF: Protects on-prem web-sites with a cloud-based WAF solution, with HA, load-balancing and volumetric DDoS protection. Web-traffic is routed through cloud-based WAF, via DNS redirection. Nothing deployed on customer site. WAF deployed in Hosted-sites: Protects web-sites using virtual instances of WAF in a hosting site – like Amazon AWS or Azure or Hybrid envirnmnets. Supports auto-scaling.
- Gartner Magic Quadrant Imperva has consistently innovated and led the market for data security, as the Gartner Magic Quadrant for Web Application Firewalls shows. If you’re not familiar with Web Application Firewalls, or WAFs as we call them, Gartner describes them by saying they provide “protection for custom Web applications that would otherwise go unprotected by other technologies.” In other words, the applications that drive business for organizations are exposed without a WAF. We are the Leader in this Magic Quadrant, which demonstrates our ability to deliver value to customers and outpace not just the competition, but more importantly, the hackers. What Gartner says about Leaders is that “In addition to providing technology that is a good match to current customer requirements, Leaders also show evidence of superior vision and execution for anticipated requirements.” You can see that every other vendor finds themselves falling short on the Vision dimension. Challengers are typically selling a WAF as a bolt-on afterthought to their main product line. And Niche Players are focused on a regional market or narrow use cases. What that means in practical terms is that the other vendors here are not focused on data center security. We are unique in our vision and our ability to deliver on that vision. Credit: Gartner, Magic Quadrant for Web Application Firewalls, Jeremy D'Hoinne, Adam Hils, Greg Young, Joseph Feiman, 17 June 2014
- The requirements for data security and auditing are complex PCI, Sox, JSOX, Compromised insiders, investigations, reporting, Adding to the complexity is the legacy of multi department silos, with each team addressing it’s own set of responsibilities using their own tools and processes
- Here is a listing of the typical customer use cases focused on data compliance and protection and the typical project owner” Let me quickly summarize each use case: Sensitive Data Auditing is the primary use cases for compliance. Here, the customer has to collect and report on database access events to credit card and financial data as required by PCI and SOX. The Data Theft Prevention use case is about a customer that was hacked and lost both credit card and Personally Identifiable Information. They used our products to protect both their web applications and the databases storing this sensitive information. Data Across Borders highlights a customer that was opening a new datacenter in Germany and had to comply with the German Data Protection laws ensuring that any non-German Database Administrator was prevented from accessing data from German citizens. Database Virtual Patching is about a customer that runs a database vulnerability scans to discover missing database patches. Next, they create virtual patches to protect those databases until their DBA team schedules time to apply the vendor patches. Change Reconciliation is a use case detailing how a customer met their SOX compliance requirements by tracing database changes back to a change ticket. Protecting sensitive data from “Very Important People” is the focus of the VIP Data Privacy user case. This is a security use case explaining how to implement access controls and user rights reviews to protect sensitive data. Ethical Walls discusses how a customer was able to segregate data access from a business unit that they were selling. While your list may includes some of these or additional use cases, there is a commonality across all of these and many more. Next we’re going to review these use cases and introduce the key capabilities within our Database Security Suite that each customer used to address their challenges. [CLICK]
- Here’s a five step process that includes an actionable set of steps for a manageable and smooth SOX compliance effort. Using this process, IT managers will be able to satisfy the compliance requirements of auditors, as well as ensure business alignment, satisfactory control, and robust security in their IT systems. First you need to discover sensitive data across the enterprise and gather risk profile for the different data sets. There is a need to take a top-down, risk-based approach to ensure that sufficient and appropriate attention is given to areas of highest risk. Then the next step is to assess the discovered infrastructure (servers, databases) and identify, report and remediate vulnerabilities, misconfigurations and gaps in security best practices. SOX requires restricting user access to sensitive data based on business need to know. You need to set controls that prevent inappropriate and unauthorized use of the system across all layers of systems, operating system, database and application. The fourth step of the compliance framework is audit & secure. You need to continuously audit and secure alert on significant changes in a person’s usage of financial data so administrators can ensure these changes are in line with compliance policies and prevent fraudulent activity. and, you need to measure and report to demonstrate that configuration and usage are within best practice guidelines. To do it consistently across a heterogeneous environment you need a single platform with the ability to manage and deploy policies and controls automatically
- Locate all databases Find and classify sensitive information Auto-create protection and compliance policies from results Find and remediate excessive rights and dormant users ………….. This capability is valuable to nearly every database security use case. Before you can begin auditing and monitoring database activity, you need to know where your data is. Our Discovery and Classification capabilities will help you not only identify active database services, but more importantly, those that contain sensitive data. We can scan your network and report back on all active databases. Having an accurate database inventory will help you to scope your auditing and monitoring activities, but also identify new databases that you might not know about…we sometimes refer to these are rogue databases. Obviously these can pose a risk to your business, especially if they are using production data. In addition, once these databases are discovered, you have the ability to automatically apply a general audit policy so that you can begin to capture audit details immediately. To further assist in defining scope, SecureSphere can then create a map of database objects that contain sensitive data. For example, we can define database tables that contain credit card numbers, email address and other personally identifiable information or PII. And, because SecureSphere is highly configurable it’s easy to create your own search criteria.
- [CLICK] An electronic payment processor needed to monitor database activity to comply with PCI section 10. They had deployed our Database Activity Monitoring product, applied PCI specific policies and were collecting PCI data and generating reports for their auditors. [CLICK] During review of the audit logs, their ITSecurity team discovered some suspicious activity…ATM card numbers and associated PINs were being stolen by an outside hacker. The business challenge quickly evolved to include stopping data theft [CLICK] They next applied some Security Policies that collected all of the details of the illicit activity and then turned over the access logs to the authorities who conducted forensics and ultimately apprehended the cyber criminals Now the payment processor not only has an audit trail for PCI But they alert on any suspicious database access activity [CLICK]
- Now the payment processor not only has an audit trail for PCI But they alert on any suspicious database access activity [CLICK]
- Big Data, databases, file servers and SharePoint OOTB policies and reports (HIPPA, SOX, PCI…) Remediation workflows Tamper-proof audit trail Configuration and vulnerability management Pan-estate audit reporting with drill-down dashboard
- Tips for Improving Web Application Security Posture: Deploy WAF in front of all web applications, in addition to perimeter controls Ensure WAF is getting real-time threat intelligence feeds to block advanced attacks Foster secure web application development when possible Schedule regular vulnerability scans of all externally facing web applications Integrate WAF with vulnerability scanners and SIEM solutions for mitigation and IR Ensure WAF provides flexible deployment options – on-premises, cloud, hosting environments
- Any WAF solution should provide flexible and scalable deployment options On-Premises WAF: Protects on-prem web-sites with an on-prem WAF solution, with HA and load-balancing capabilities Cloud-based WAF: Protects on-prem web-sites with a cloud-based WAF solution, with HA, load-balancing and volumetric DDoS protection. Web-traffic is routed through cloud-based WAF, via DNS redirection. Nothing deployed on customer site. WAF deployed in Hosted-sites: Protects web-sites using virtual instances of WAF in a hosting site – like Amazon AWS or Azure or Hybrid envirnmnets. Supports auto-scaling.