building your own waf as a service and forgetting about
play

Building Your Own WAF as a Service and Forgetting about False - PowerPoint PPT Presentation

Jun 21, 2023 •209 likes •780 views

Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner 1 About me Lead security developer @Booking.com Twitter: @89berner medium.com/@89berner 2 Building Your Own WAF as a Service and Forgetting

  1. Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner 1

  2. About me ● Lead security developer @Booking.com ● Twitter: @89berner ● medium.com/@89berner 2 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  3. WAF? ● Web Application Firewall ● Mainly used to protect against Application Attacks ● SQLi, RCE, Protocol Violations, Rate Limiting ... 3 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  4. Deployment mode - Inline ● Pros: ○ Traffic inspection ○ Ability to block ○ Transparent for web servers ● Cons: ○ Network placement ○ Latency 4 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  5. Deployment mode - Out of band ● Pros: ○ Traffic inspection ○ Transparent for web servers ○ Simpler network placement ● Cons: ○ Can’t block attacks ○ PFS 5 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  6. Deployment mode - Agent ● Pros: ○ Easier network placement ○ Simple to scale ● Cons: ○ More invasive on deployment environment ○ Can be less efficient on resource allocation 6 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  7. Deployment mode - Cloud ● Pros: ○ Simple to setup and scale ○ Network effect ● Cons: ○ Out of your control ○ Latency 7 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  8. Caveats with typical WAF Solutions ● Network placement ● False positive rate ● Lack of control from developers 8 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  9. A challenging environment ● No acceptance for false positives ● Reluctance towards commercial appliances ● Blocking could only happen through the Application ● Latency would not be acceptable 9 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  10. Building the WAF as a Service ● Removes false positives by having an understanding of the application context ● No need for an appliance, just add an API call ● Blocking behaviour is decided by the application ● Ability to avoid latency for regular users 10 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  11. How could you build one? ● Open source components already exist ● Creating a log processing pipeline ● Building a WAF API ● Library for logs and calling API 11 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  12. Study case: Simple web application ● Setup in Google Cloud ● Simple Flask Application ● Code available in github 12 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  13. Deployment mode? ● Let’s compare 13 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  14. Out of band mode 14 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  15. Inline mode 15 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  16. Every application is different ● Threat model ● FP tolerance ● Risk acceptance 16 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  17. Finding a middle ground ● Out of band mode removes latency concerns on users ● Inline mode provides security by blocking attacks ● Could we get the best of both worlds? 17 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  18. Hybrid mode 18 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  19. Components - Web application ● Can decide which mode to work on ○ Inline ○ Out of band ● Sends logs with partial request data encrypted Example: Flask API 19 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  20. Components - Agent ● Acts as a proxy to Web Application ● Minimal footprint ● Application agnostic ● Gets settings from application 20 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  21. Components - Agent 21 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  22. Components - Library ● Simpler to implement ● Will be tied to Application framework ● Inherent risks ● Strategy for this talk 22 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  23. Components - Historical database ● Historical activity ● Business value ● Patterns of behaviour for FP 23 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  24. Components - State store ● Allows to store configuration ● Ideally fast lookup for caching 24 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  25. Components - Log streaming ● Streaming pipeline ● Web requests are encapsulated and sent through it Google PusbSub 25 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  26. Components - Log processing ● Replays events not in line against WAF ● Calculates scores through windows of time Google Dataflow 26 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  27. Components - Log processing 27 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  28. Components - Log processing 28 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  29. Components - Log processing 29 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  30. Components - WAF service ● Pluggable architecture ● Parallel nature of their components ● Applications can decide how to react 30 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  31. Components - WAF service ● Open source components ○ Modsecurity ○ Naxsi 31 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  32. Components - WAF service ● Custom modules ○ Apply custom business logic ○ Implement simple services ■ Rate limiting ■ Rule engine for blocking ○ ML models 32 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  33. Components - WAF service ● Proprietary software or appliances ○ Reduced complexity of installation ○ Simple way of evaluation 33 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  34. WAF service - Example: Modsecurity ● Could be made api driven through libModSecurity ● Can run on Apache HTTP Server or NGINX ● Results are written as logs 34 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  35. WAF service - Modsecurity as an API ● SecRule REMOTE_ADDR "@unconditionalMatch" "phase:4,id:999434,prepend: ... 35 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  36. WAF service - Modsecurity as an API ● Implementing response body analysis ● Body is sent to CGI for replay 36 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  37. WAF service 37 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  38. How to block? ● We decide when to send traffic to the WAF ● Manually or automatically decided 38 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  39. Traffic routing ● Fingerprint based routing ○ Blocks based on scores ○ IP, client_id, combinations, 0day fingerprints.. ○ Added automatically or manually 39 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  40. Traffic routing ● Net block based routing ○ ISP ○ Hosting providers ○ Tor exit nodes / Proxies 40 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  41. Traffic routing ● Virtual Patching ○ Always route particular vulnerable endpoints ○ Select for combination of parameters if needed ○ Example: website.com/? vuln_param = 41 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  42. FP rate management ● Detection FP vs blocking FP ● Key to allow blocking without impacting users ● Acceptable rate might change per application 42 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  43. FP rate management ● Business logic ○ How trustworthy is a user/ip? ○ Key business activity ○ What would be the impact on blocking them 43 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  44. FP rate management ● Historical Analysis ○ How normal is this type of request for this endpoint? ○ How does this user compare with others ○ How common are detection FP in this endpoint 44 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Building Your Own WAF as a Service and Forgetting about False Positives 1 Building Your Own WAF

Building Your Own WAF as a Service and Forgetting about False Positives 1 Building Your Own WAF

Building Your Own WAF as a Service and Forgetting about False Positives 1 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner Juan Berner @89berner Lead security developer @Booking.com Blog:

694 views • 58 slides
Forgetting with Puzzles: Using Cryptographic Puzzles to support Digital Forgetting Shujaat Mirza

Forgetting with Puzzles: Using Cryptographic Puzzles to support Digital Forgetting Shujaat Mirza

Forgetting with Puzzles: Using Cryptographic Puzzles to support Digital Forgetting Shujaat Mirza msm622@nyu.edu Cyber Security & Privacy Lab (CSP-lab) Digital Forgetting Right to Right to be Privacy Forgotten constitutes data

466 views • 22 slides
Overcoming Catastrophic Forgetting with Unlabeled Data in the Wild Presenters: Nikhil Kannan, Ying

Overcoming Catastrophic Forgetting with Unlabeled Data in the Wild Presenters: Nikhil Kannan, Ying

Overcoming Catastrophic Forgetting with Unlabeled Data in the Wild Presenters: Nikhil Kannan, Ying Fan 1 Introduction: 1.1 Catastrophic Forgetting: Goal of class-incremental learning is to learn a model that performs well on previous and new

221 views • 11 slides
1 Building a culture of great service Trends around the challenges: Employees are not

1 Building a culture of great service Trends around the challenges: Employees are not

Building a culture of great service BuildINg a CuLTURE of Great sErvice For With Joanie Hal es and Tabitha Mason Your Hosts: Building a culture of great service Joanie Hal es Tabitha Mason Trainer Managing Partner ZingTrain Cornman

607 views • 6 slides
The Curve of Forgetting General recommendation is to spend about 5-10 minutes every day

The Curve of Forgetting General recommendation is to spend about 5-10 minutes every day

The Curve of Forgetting General recommendation is to spend about 5-10 minutes every day reviewing what you learned in each class Sometimes I will give you homework to force you to review, but not always Discuss with partner Look

227 views • 5 slides
Riemannian Walk for Incremental Learning: Understanding Forgetting and Intransigence Arslan

Riemannian Walk for Incremental Learning: Understanding Forgetting and Intransigence Arslan

Riemannian Walk for Incremental Learning: Understanding Forgetting and Intransigence Riemannian Walk for Incremental Learning: Understanding Forgetting and Intransigence Arslan Chaudhry et al. Presented by Milo Prgr Pattern Recognition and

653 views • 39 slides
The Problem: Forgetting to bring all the radio gear to Field Day and other events.again

The Problem: Forgetting to bring all the radio gear to Field Day and other events.again

The Problem: Forgetting to bring all the radio gear to Field Day and other events.again and again The Requirements: Pack all the needed things in one place - so I dont forget it Minimize the set-up time Reduce equipment

357 views • 16 slides
How hard can GCSES they be? W hat want? you do EBBINGHAUS AND THE FORGETTING CURVE REVISION

How hard can GCSES they be? W hat want? you do EBBINGHAUS AND THE FORGETTING CURVE REVISION

How hard can GCSES they be? W hat want? you do EBBINGHAUS AND THE FORGETTING CURVE REVISION A BIT ABOUT SPACED LEARNING You will forget at least some of what you learned if you do not review it. R eviewing something around

568 views • 31 slides
Service Management Platform UIT Top 5 Fall 2013 Building a service culture Service Management

Service Management Platform UIT Top 5 Fall 2013 Building a service culture Service Management

Update on Service Management Platform UIT Top 5 Fall 2013 Building a service culture Service Management Necessary capability for UIT Embraces the ITIL framework NEEDED: a service management platform ITSM Platform Services

560 views • 43 slides
Building a Name Service with ZooKeeper Albert Kim Motivation Question: Why do we want a name

Building a Name Service with ZooKeeper Albert Kim Motivation Question: Why do we want a name

Building a Name Service with ZooKeeper Albert Kim Motivation Question: Why do we want a name service? How do we find services in a cluster? Clusters have 1000s of machines running Registering and querying needs to be dynamic

831 views • 8 slides
Overcoming Multi-Model Forgetting Y. Benyahia, K. Yu, K. Bennani-Smires, M. Jaggi, A. Davison, M.

Overcoming Multi-Model Forgetting Y. Benyahia, K. Yu, K. Bennani-Smires, M. Jaggi, A. Davison, M.

Overcoming Multi-Model Forgetting Y. Benyahia, K. Yu, K. Bennani-Smires, M. Jaggi, A. Davison, M. Salzmann, C. Musat 1 The Weight Sharing In One of the first NAS papers using Reinforcement Learning, Zoph et Al. (Google) used more than 800 gpus

352 views • 8 slides
Concise Preservation by combining Managed Forgetting and Contextualized Remembering Research

Concise Preservation by combining Managed Forgetting and Contextualized Remembering Research

Concise Preservation by combining Managed Forgetting and Contextualized Remembering Research Talk, May 9, 2014 University of Twente, Enschede Speaker: Nattiya Kanhabua L3S Research Center / University of Hannover ForgetIT Project Consortium

640 views • 35 slides
CSUCI STEM CORPS Building a Culture of Service Academic Service-Learning Applying course

CSUCI STEM CORPS Building a Culture of Service Academic Service-Learning Applying course

CSUCI STEM CORPS Building a Culture of Service Academic Service-Learning Applying course learning to service Volunteerism Serve it UP! Cross-divisional Signature Service Day Community Service CSUCI Corps CSUCI CORPS

488 views • 13 slides
Profitable Service: Building Blocks of a Great Service Department Disclaimer Some

Profitable Service: Building Blocks of a Great Service Department Disclaimer Some

Profitable Service: Building Blocks of a Great Service Department Disclaimer Some information may be proprietary and therefore questions about it may not be answered Some information we may chose not to comment on for other reasons

397 views • 37 slides
EFFECTIVE NOTE-TAKING OVERVIEW Importance Strategies Note - taking apps FORGETTING CURVE

EFFECTIVE NOTE-TAKING OVERVIEW Importance Strategies Note - taking apps FORGETTING CURVE

EFFECTIVE NOTE-TAKING OVERVIEW Importance Strategies Note - taking apps FORGETTING CURVE Approximately 60 % information in class is forgotten after 9 hours Writing down notes increases active listening = better retention HIGH SCHOOL COLLEGE

367 views • 11 slides
Microservices in a Streaming World There are many good reasons for building service-based

Microservices in a Streaming World There are many good reasons for building service-based

Microservices in a Streaming World There are many good reasons for building service-based systems Loose Coupling Bounded Contexts Autonomy Ease of scaling Composability But when we do, were building a distributed system

1.96k views • 138 slides
Tor: a quick overview Roger Dingledine The Tor Project https://torproject.org/ 1 What is Tor?

Tor: a quick overview Roger Dingledine The Tor Project https://torproject.org/ 1 What is Tor?

Tor: a quick overview Roger Dingledine The Tor Project https://torproject.org/ 1 What is Tor? Online anonymity 1) open source software, 2) network, 3) protocol Community of researchers, developers, users, and relay operators Funding from

910 views • 64 slides
W3C Technology & Society @W3C / MIT CSAIL Wendy Seltzer, wseltzer@w3.org @wseltzer World

W3C Technology & Society @W3C / MIT CSAIL Wendy Seltzer, wseltzer@w3.org @wseltzer World

W3C Technology & Society @W3C / MIT CSAIL Wendy Seltzer, wseltzer@w3.org @wseltzer World Wide Web Consortium (W3C) Voluntary standard-setting. Stewarding the Open Web Platform. ~400 Member organizations, thousands of participants

314 views • 14 slides
Introduction to offCPU Time Flame Graphs agentzh@cloudflare.com Yichun Zhang (agentzh)

Introduction to offCPU Time Flame Graphs agentzh@cloudflare.com Yichun Zhang (agentzh)

Introduction to offCPU Time Flame Graphs agentzh@cloudflare.com Yichun Zhang (agentzh) 2013.08.22 Classic Flame Graphs are on CPU time Flame Graphs per se. We are already relying on them to optimize our Lua WAF & Lua CDN

1.37k views • 73 slides
Overview Overview Grid/NetSolve Grid enabled software Allows easy access to remote

Overview Overview Grid/NetSolve Grid enabled software Allows easy access to remote

GridSolve: A Seamless Bridge Between : A Seamless Bridge Between GridSolve the Standard Programming Interfaces the Standard Programming Interfaces and Remote Resources and Remote Resources Jack Dongarra University of Tennessee and Oak

407 views • 11 slides
Cancer Epidemiology and Prevention Course EPIB 671 Eduardo L. Franco, James McGill Professor and

Cancer Epidemiology and Prevention Course EPIB 671 Eduardo L. Franco, James McGill Professor and

Department of Epidemiology, Biostatistics, and Occupational Health May 2016 Cancer Epidemiology and Prevention Course EPIB 671 Eduardo L. Franco, James McGill Professor and Chairman Department of Oncology Director, Cancer Epidemiology Unit

2.17k views • 180 slides
All About Blood Alcohol Content (BAC) Disclaimer: The contents of this presentation are Ph.

All About Blood Alcohol Content (BAC) Disclaimer: The contents of this presentation are Ph.

DUI/DWI Law in NY- All About Blood Alcohol Content (BAC) Disclaimer: The contents of this presentation are Ph. 845-459-0002, 800-579-1605 general in nature. Please use your discretion E-Mail: info@reuvenjepsteinlaw.com while following them.

283 views • 7 slides
DSHS Grand Rounds . Logistics Registration for free continuing education (CE) hours or

DSHS Grand Rounds . Logistics Registration for free continuing education (CE) hours or

DSHS Grand Rounds . Logistics Registration for free continuing education (CE) hours or certificate of attendance through TRAIN at: https://tx.train.org Streamlined registration for individuals not requesting CE hours or a certificate of

999 views • 67 slides
Large Truck Crash Misconceptions Ralph Craft, Ph.D. Analysis Division Webinar April 5, 2011

Large Truck Crash Misconceptions Ralph Craft, Ph.D. Analysis Division Webinar April 5, 2011

Large Truck Crash Misconceptions Ralph Craft, Ph.D. Analysis Division Webinar April 5, 2011 Office of Research and Information Technology Data Sources Large Truck Crash Causation Study (LTCCS), 2001- 2003, FMCSA National Motor Vehicle

525 views • 13 slides

More recommend