Building Your Own WAF as a Service and Forgetting about False Positives - PowerPoint PPT Presentation

  1. Building Your Own WAF as a Service and Forgetting about False Positives
     Juan Berner

  2. Juan Berner
     @89berner
     Lead security developer @Booking.com
     Blog: medium.com/@89berner

  3. Overview
     ● Introduction to WAF & deployment modes
     ● WAF as a service
     ● Blocking attacks without false positives or increased latency
     ● Demo

  4. WAF?
     ● Web Application Firewall
     ● Mainly used to protect against application attacks
     ● SQLi, RCE, protocol violations, rate limiting ...

  5. Deployment mode - Inline
     ● Pros:
       ○ Traffic inspection
       ○ Ability to block
       ○ Transparent for web servers
     ● Cons:
       ○ Network placement
       ○ Latency

  6. Deployment mode - Out of band
     ● Pros:
       ○ Traffic inspection
       ○ Transparent for web servers
       ○ Simpler network placement
     ● Cons:
       ○ Can't block attacks
       ○ PFS (perfect forward secrecy rules out passive TLS decryption)

  7. Deployment mode - Agent
     ● Pros:
       ○ Easier network placement
       ○ Simple to scale
     ● Cons:
       ○ More invasive on the deployment environment
       ○ Can be less efficient in resource allocation

  8. Deployment mode - Cloud
     ● Pros:
       ○ Simple to set up and scale
       ○ Network effect
     ● Cons:
       ○ Out of your control
       ○ Latency added

  9. Caveats with typical WAF solutions
     ● Network placement
     ● Availability and performance concerns
     ● False positive rate
     ● Lack of control from developers

  10. Building the WAF as a Service
     ● Removes FP by having an understanding of the application context
     ● No need for an appliance, just add an API call
     ● Blocking behaviour is decided by the application
     ● Ability to avoid latency for regular users

  11. How could you build one?
     ● Open source components already exist
     ● Creating a log processing pipeline
     ● Building a WAF API
     ● Library for logs and calling the API

  12. Case study: Web application
     ● Setup in Google Cloud
     ● Flask microframework
     ● Code available on GitHub

  13. Finding a middle ground
     ● Out of band mode removes concerns of latency added to users
     ● Inline mode provides security by blocking attacks
     ● Could we get the best of both worlds?

  14. Components - Web application

  15. Components - Web application
     ● Can decide which mode to work in
       ○ Inline
       ○ Out of band
     ● Sends logs with partial request data encrypted
     Example: Flask

  16. Components - Agent
     ● Acts as a reverse proxy
     ● Minimal footprint
     ● Application agnostic
     ● Can get settings from the application

  17. Components - Library
     ● Simple to implement
     ● Inherent risks
     ● Strategy for this talk

  18. Components - WAF service

  19. Components - WAF service
     ● Pluggable architecture
     ● Parallel nature of its components
     ● Applications can decide how to react

  20. Components - WAF service
     ● Open source components
       ○ ModSecurity
       ○ Naxsi

  21. Components - WAF service
     ● Proprietary software or appliances
       ○ Reduced complexity of installation
       ○ Simple way of evaluation

  22. Components - WAF service
     ● Custom modules
       ○ Apply custom business logic
       ○ Implement simple services
         ■ Rate limiting
         ■ Rule engine for blocking
       ○ ML models

  23. WAF service

  24. Components - Log processing

  25. Components - Log processing
     ● Replays logs of requests that were not checked inline against the WAF
     ● Calculates scores over windows of time
     Google Dataflow

  26. Components - Detection

  27. Components - Detection
     ● Triggered by log processing
     ● Business value
     ● Patterns of behaviour for FP

  28. Components - State store

  29. Components - State store
     ● Stores configuration
     ● Ideally fast lookup for caching

  30. Components - Visualisation

  31. Components - Visualisation
     ● Easily understand activity
     ● Visibility on attacks
     ● Performance metrics
     Example: ELK

  32. Components - Visualisation

  33. Components - Visualisation

  34. Components - Management

  35. How to block?
     ● Detection decides when to send traffic to the WAF
     ● Can also be triggered manually

  36. Traffic routing
     ● Fingerprint based routing
       ○ Blocks based on scores
       ○ IP, client_id, combinations, 0day signatures ...
       ○ Added automatically or manually

  37. Traffic routing
     ● Net block based routing
       ○ ISP
       ○ Hosting providers
       ○ Tor exit nodes / proxies

  38. Traffic routing
     ● Virtual patching
       ○ Always route particular vulnerable endpoints
       ○ Select for a combination of parameters if needed
       ○ Example: website.com/?vuln_param=
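A worked example of the routing decision that slides 13 to 38 describe: the application consults a fast state store and sends a request inline through the WAF API only when a fingerprint score, a routed net block or a virtual patch calls for it, and otherwise just logs it out of band. This is added example code, not from the talk or its GitHub repository; the in-memory StateStore, the fake_waf_api verdict, the demo_store configuration and every address and path are constructed assumptions.

```python
# Added example (not the talk's code): per-request choice between inline WAF
# checking and out-of-band logging, driven by a fast state-store lookup.
# StateStore, demo_store, fake_waf_api and every address/path below are
# constructed assumptions for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    client_ip: str
    client_id: Optional[str]
    path: str
    params: dict


@dataclass
class StateStore:
    """In-memory stand-in for the fast-lookup configuration store."""
    block_threshold: int = 5
    fingerprint_scores: dict = field(default_factory=dict)  # "ip:203.0.113.9" -> score
    routed_netblocks: list = field(default_factory=list)    # ipaddress networks
    virtual_patches: dict = field(default_factory=dict)     # path -> set of params (empty = always)

    def add_netblock(self, cidr):
        self.routed_netblocks.append(ipaddress.ip_network(cidr))


def fingerprints(req):
    """Identifiers the detection pipeline may have scored: IP, client id, combination."""
    fps = [f"ip:{req.client_ip}"]
    if req.client_id:
        fps.append(f"client:{req.client_id}")
        fps.append(f"combo:{req.client_ip}|{req.client_id}")
    return fps


def needs_inline(req, store):
    """Return the routing reason if the request must go through the WAF inline, else None."""
    for fp in fingerprints(req):
        if store.fingerprint_scores.get(fp, 0) >= store.block_threshold:
            return f"fingerprint {fp}"
    addr = ipaddress.ip_address(req.client_ip)
    for net in store.routed_netblocks:
        if addr in net:
            return f"netblock {net}"
    if req.path in store.virtual_patches:
        watched = store.virtual_patches[req.path]
        if not watched or watched & set(req.params):
            return f"virtual patch {req.path}"
    return None


def fake_waf_api(req):
    """Stand-in for the WAF API call (the real one fronts ModSecurity/Naxsi or
    custom modules); here one constructed rule decides the verdict."""
    for value in req.params.values():
        if "sleep(" in str(value).lower():
            return "block"
    return "allow"


def handle(req, store, log):
    """Application-side decision: inline verdict, or asynchronous log only."""
    reason = needs_inline(req, store)
    if reason is None:
        log.append(("async", req.path))          # out of band: no latency for regular users
        return "allow"
    verdict = fake_waf_api(req)
    log.append(("inline", req.path, reason, verdict))
    return verdict


def demo_store():
    """Constructed sample configuration using documentation-range addresses."""
    store = StateStore()
    store.fingerprint_scores["ip:203.0.113.9"] = 7      # already scored above threshold
    store.add_netblock("198.51.100.0/24")                # e.g. a hosting-provider range
    store.virtual_patches["/search"] = {"vuln_param"}    # route only when this param is present
    store.virtual_patches["/legacy"] = set()             # always route this endpoint
    return store


if __name__ == "__main__":
    store, log = demo_store(), []
    print(handle(Request("192.0.2.1", None, "/", {"q": "hi"}), store, log), log[-1])
    print(handle(Request("198.51.100.7", None, "/", {"q": "sleep(5)"}), store, log), log[-1])
```

The point of the split is that the blocking decision stays with the application: a regular user whose fingerprint has no score never waits for the WAF, while the same request from a scored fingerprint, a routed net block or a virtually patched endpoint is checked before it is served.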

  39. FP rate management
     ● Detection FP vs blocking FP
     ● Key to allow blocking without impacting users
     ● Acceptable rate might change per application
     ● Tuning can become unbearable in highly changing applications

  40. FP rate management
     ● Business logic
       ○ How trustworthy is a user/IP?
       ○ Key business activity
       ○ What would be the impact of blocking them?

  41. FP rate management
     ● Historical analysis
       ○ How normal is this type of request for this endpoint?
       ○ How does this user compare with others?
       ○ How common are detection FP on this endpoint?

  42. FP rate management
     ● Context analysis
       ○ How many times have they triggered a FP?
       ○ How many requests have they sent?

  43. FP rate management
     ● Example: sleep(
       ○ message="I will sleep(1 or 2 days)"
         ■ Might be detected as SQLi
         ■ The FP probabilities of separate detections are independent of each other

  44. FP rate management
     ● Independent SQLi FP rate: 0.1%
     ● Our aim, 0.00001% (0.01^5)
     ● Score needed => 5 * Reputation Score
     ● Aimed at attacks that need volume
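The arithmetic behind slides 43 and 44, carried through in code: if each detection has an independent false-positive probability p, then n detections against the same fingerprint are all false positives with probability p^n, so the hit threshold can be derived from the FP budget rather than hand-tuned, and the windowed scoring of slide 25 supplies the hit count. This is added example code, not from the talk; the window length, the derived threshold, the sample fingerprint and the timestamps are constructed assumptions, and the independence of detections is the slide's own assumption.

```python
# Added example (not the talk's code): turning independent detection hits
# into a reputation score so that the blocking FP rate, not the per-detection
# FP rate, is the one users feel. Window length, thresholds and the sample
# fingerprint are constructed assumptions.
import math
from collections import defaultdict, deque


def combined_fp_rate(single_fp_rate, hits):
    """Probability that `hits` independent detections are all false positives
    (independence is the assumption the slide makes)."""
    return single_fp_rate ** hits


def hits_needed(single_fp_rate, target_fp_rate):
    """Smallest hit count whose joint FP probability is <= target_fp_rate."""
    if not 0 < single_fp_rate < 1 or not 0 < target_fp_rate < 1:
        raise ValueError("rates must lie strictly between 0 and 1")
    ratio = math.log(target_fp_rate) / math.log(single_fp_rate)
    return math.ceil(ratio - 1e-9)   # tolerance so exact powers do not round up


class WindowedScore:
    """Per-fingerprint detection counter over a sliding time window; stands in
    for the windowed scoring done by the log-processing pipeline."""

    def __init__(self, window_seconds, hits_to_block):
        self.window = window_seconds
        self.threshold = hits_to_block
        self.hits = defaultdict(deque)   # fingerprint -> timestamps of hits

    def _trim(self, fingerprint, now):
        q = self.hits[fingerprint]
        while q and now - q[0] > self.window:   # drop hits that fell out of the window
            q.popleft()
        return q

    def record(self, fingerprint, ts):
        """Register one detection hit; returns the hits still inside the window."""
        q = self._trim(fingerprint, ts)
        q.append(ts)
        return len(q)

    def should_route_inline(self, fingerprint, now):
        """True once the fingerprint has enough independent hits in the window."""
        return len(self._trim(fingerprint, now)) >= self.threshold


def build_scorer(single_fp_rate, target_fp_rate, window_seconds=300):
    """Derive the hit threshold from the FP budget instead of hard-coding it."""
    return WindowedScore(window_seconds, hits_needed(single_fp_rate, target_fp_rate))


if __name__ == "__main__":
    # Slide figure: 0.1% per-detection FP rate; five hits give 0.001**5 jointly.
    print(hits_needed(0.001, 1e-15), combined_fp_rate(0.001, 5))
    scorer = WindowedScore(window_seconds=60, hits_to_block=5)
    for t in (0, 10, 20, 30, 40):   # constructed: same IP flagged five times in a minute
        scorer.record("ip:203.0.113.9", t)
    print(scorer.should_route_inline("ip:203.0.113.9", 45))   # True
    print(scorer.should_route_inline("ip:203.0.113.9", 200))  # False, window expired
```

Because the threshold is a count of independent hits inside a window, a single message such as "I will sleep(1 or 2 days)" never gets a user blocked on its own, while an attack that needs volume crosses the threshold quickly; this is what the slides mean by aiming at attacks that need volume. The independence assumption is the caveat to check against the context-analysis questions of slide 42: repeated triggers of the same benign pattern on one endpoint are not independent evidence.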
