building your own waf as a service and forgetting about
play

Building Your Own WAF as a Service and Forgetting about False - PowerPoint PPT Presentation

Jun 21, 2023 •209 likes •780 views

Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner 1 About me Lead security developer @Booking.com Twitter: @89berner medium.com/@89berner 2 Building Your Own WAF as a Service and Forgetting

  1. Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner 1

  2. About me ● Lead security developer @Booking.com ● Twitter: @89berner ● medium.com/@89berner 2 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  3. WAF? ● Web Application Firewall ● Mainly used to protect against Application Attacks ● SQLi, RCE, Protocol Violations, Rate Limiting ... 3 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  4. Deployment mode - Inline ● Pros: ○ Traffic inspection ○ Ability to block ○ Transparent for web servers ● Cons: ○ Network placement ○ Latency 4 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  5. Deployment mode - Out of band ● Pros: ○ Traffic inspection ○ Transparent for web servers ○ Simpler network placement ● Cons: ○ Can’t block attacks ○ PFS 5 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  6. Deployment mode - Agent ● Pros: ○ Easier network placement ○ Simple to scale ● Cons: ○ More invasive on deployment environment ○ Can be less efficient on resource allocation 6 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  7. Deployment mode - Cloud ● Pros: ○ Simple to setup and scale ○ Network effect ● Cons: ○ Out of your control ○ Latency 7 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  8. Caveats with typical WAF Solutions ● Network placement ● False positive rate ● Lack of control from developers 8 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  9. A challenging environment ● No acceptance for false positives ● Reluctance towards commercial appliances ● Blocking could only happen through the Application ● Latency would not be acceptable 9 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  10. Building the WAF as a Service ● Removes false positives by having an understanding of the application context ● No need for an appliance, just add an API call ● Blocking behaviour is decided by the application ● Ability to avoid latency for regular users 10 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  11. How could you build one? ● Open source components already exist ● Creating a log processing pipeline ● Building a WAF API ● Library for logs and calling API 11 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  12. Study case: Simple web application ● Setup in Google Cloud ● Simple Flask Application ● Code available in github 12 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  13. Deployment mode? ● Let’s compare 13 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  14. Out of band mode 14 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  15. Inline mode 15 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  16. Every application is different ● Threat model ● FP tolerance ● Risk acceptance 16 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  17. Finding a middle ground ● Out of band mode removes latency concerns on users ● Inline mode provides security by blocking attacks ● Could we get the best of both worlds? 17 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  18. Hybrid mode 18 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  19. Components - Web application ● Can decide which mode to work on ○ Inline ○ Out of band ● Sends logs with partial request data encrypted Example: Flask API 19 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  20. Components - Agent ● Acts as a proxy to Web Application ● Minimal footprint ● Application agnostic ● Gets settings from application 20 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  21. Components - Agent 21 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  22. Components - Library ● Simpler to implement ● Will be tied to Application framework ● Inherent risks ● Strategy for this talk 22 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  23. Components - Historical database ● Historical activity ● Business value ● Patterns of behaviour for FP 23 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  24. Components - State store ● Allows to store configuration ● Ideally fast lookup for caching 24 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  25. Components - Log streaming ● Streaming pipeline ● Web requests are encapsulated and sent through it Google PusbSub 25 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  26. Components - Log processing ● Replays events not in line against WAF ● Calculates scores through windows of time Google Dataflow 26 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  27. Components - Log processing 27 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  28. Components - Log processing 28 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  29. Components - Log processing 29 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  30. Components - WAF service ● Pluggable architecture ● Parallel nature of their components ● Applications can decide how to react 30 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  31. Components - WAF service ● Open source components ○ Modsecurity ○ Naxsi 31 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  32. Components - WAF service ● Custom modules ○ Apply custom business logic ○ Implement simple services ■ Rate limiting ■ Rule engine for blocking ○ ML models 32 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  33. Components - WAF service ● Proprietary software or appliances ○ Reduced complexity of installation ○ Simple way of evaluation 33 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  34. WAF service - Example: Modsecurity ● Could be made api driven through libModSecurity ● Can run on Apache HTTP Server or NGINX ● Results are written as logs 34 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  35. WAF service - Modsecurity as an API ● SecRule REMOTE_ADDR "@unconditionalMatch" "phase:4,id:999434,prepend: ... 35 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  36. WAF service - Modsecurity as an API ● Implementing response body analysis ● Body is sent to CGI for replay 36 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  37. WAF service 37 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  38. How to block? ● We decide when to send traffic to the WAF ● Manually or automatically decided 38 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  39. Traffic routing ● Fingerprint based routing ○ Blocks based on scores ○ IP, client_id, combinations, 0day fingerprints.. ○ Added automatically or manually 39 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  40. Traffic routing ● Net block based routing ○ ISP ○ Hosting providers ○ Tor exit nodes / Proxies 40 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  41. Traffic routing ● Virtual Patching ○ Always route particular vulnerable endpoints ○ Select for combination of parameters if needed ○ Example: website.com/? vuln_param = 41 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  42. FP rate management ● Detection FP vs blocking FP ● Key to allow blocking without impacting users ● Acceptable rate might change per application 42 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  43. FP rate management ● Business logic ○ How trustworthy is a user/ip? ○ Key business activity ○ What would be the impact on blocking them 43 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

  44. FP rate management ● Historical Analysis ○ How normal is this type of request for this endpoint? ○ How does this user compare with others ○ How common are detection FP in this endpoint 44 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

Recommend

Building Your Own WAF as a Service and Forgetting about False Positives 1 Building Your Own WAF

Building Your Own WAF as a Service and Forgetting about False Positives 1 Building Your Own WAF

Building Your Own WAF as a Service and Forgetting about False Positives 1 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner Juan Berner @89berner Lead security developer @Booking.com Blog:

694 views • 58 slides
Forgetting with Puzzles: Using Cryptographic Puzzles to support Digital Forgetting Shujaat Mirza

Forgetting with Puzzles: Using Cryptographic Puzzles to support Digital Forgetting Shujaat Mirza

Forgetting with Puzzles: Using Cryptographic Puzzles to support Digital Forgetting Shujaat Mirza msm622@nyu.edu Cyber Security & Privacy Lab (CSP-lab) Digital Forgetting Right to Right to be Privacy Forgotten constitutes data

466 views • 22 slides
Overcoming Catastrophic Forgetting with Unlabeled Data in the Wild Presenters: Nikhil Kannan, Ying

Overcoming Catastrophic Forgetting with Unlabeled Data in the Wild Presenters: Nikhil Kannan, Ying

Overcoming Catastrophic Forgetting with Unlabeled Data in the Wild Presenters: Nikhil Kannan, Ying Fan 1 Introduction: 1.1 Catastrophic Forgetting: Goal of class-incremental learning is to learn a model that performs well on previous and new

221 views • 11 slides
1 Building a culture of great service Trends around the challenges: Employees are not

1 Building a culture of great service Trends around the challenges: Employees are not

Building a culture of great service BuildINg a CuLTURE of Great sErvice For With Joanie Hal es and Tabitha Mason Your Hosts: Building a culture of great service Joanie Hal es Tabitha Mason Trainer Managing Partner ZingTrain Cornman

607 views • 6 slides
The Curve of Forgetting General recommendation is to spend about 5-10 minutes every day

The Curve of Forgetting General recommendation is to spend about 5-10 minutes every day

The Curve of Forgetting General recommendation is to spend about 5-10 minutes every day reviewing what you learned in each class Sometimes I will give you homework to force you to review, but not always Discuss with partner Look

227 views • 5 slides
Riemannian Walk for Incremental Learning: Understanding Forgetting and Intransigence Arslan

Riemannian Walk for Incremental Learning: Understanding Forgetting and Intransigence Arslan

Riemannian Walk for Incremental Learning: Understanding Forgetting and Intransigence Riemannian Walk for Incremental Learning: Understanding Forgetting and Intransigence Arslan Chaudhry et al. Presented by Milo Prgr Pattern Recognition and

653 views • 39 slides
The Problem: Forgetting to bring all the radio gear to Field Day and other events.again

The Problem: Forgetting to bring all the radio gear to Field Day and other events.again

The Problem: Forgetting to bring all the radio gear to Field Day and other events.again and again The Requirements: Pack all the needed things in one place - so I dont forget it Minimize the set-up time Reduce equipment

357 views • 16 slides
How hard can GCSES they be? W hat want? you do EBBINGHAUS AND THE FORGETTING CURVE REVISION

How hard can GCSES they be? W hat want? you do EBBINGHAUS AND THE FORGETTING CURVE REVISION

How hard can GCSES they be? W hat want? you do EBBINGHAUS AND THE FORGETTING CURVE REVISION A BIT ABOUT SPACED LEARNING You will forget at least some of what you learned if you do not review it. R eviewing something around

568 views • 31 slides
Service Management Platform UIT Top 5 Fall 2013 Building a service culture Service Management

Service Management Platform UIT Top 5 Fall 2013 Building a service culture Service Management

Update on Service Management Platform UIT Top 5 Fall 2013 Building a service culture Service Management Necessary capability for UIT Embraces the ITIL framework NEEDED: a service management platform ITSM Platform Services

560 views • 43 slides
Building a Name Service with ZooKeeper Albert Kim Motivation Question: Why do we want a name

Building a Name Service with ZooKeeper Albert Kim Motivation Question: Why do we want a name

Building a Name Service with ZooKeeper Albert Kim Motivation Question: Why do we want a name service? How do we find services in a cluster? Clusters have 1000s of machines running Registering and querying needs to be dynamic

831 views • 8 slides
Overcoming Multi-Model Forgetting Y. Benyahia, K. Yu, K. Bennani-Smires, M. Jaggi, A. Davison, M.

Overcoming Multi-Model Forgetting Y. Benyahia, K. Yu, K. Bennani-Smires, M. Jaggi, A. Davison, M.

Overcoming Multi-Model Forgetting Y. Benyahia, K. Yu, K. Bennani-Smires, M. Jaggi, A. Davison, M. Salzmann, C. Musat 1 The Weight Sharing In One of the first NAS papers using Reinforcement Learning, Zoph et Al. (Google) used more than 800 gpus

352 views • 8 slides
Concise Preservation by combining Managed Forgetting and Contextualized Remembering Research

Concise Preservation by combining Managed Forgetting and Contextualized Remembering Research

Concise Preservation by combining Managed Forgetting and Contextualized Remembering Research Talk, May 9, 2014 University of Twente, Enschede Speaker: Nattiya Kanhabua L3S Research Center / University of Hannover ForgetIT Project Consortium

640 views • 35 slides
CSUCI STEM CORPS Building a Culture of Service Academic Service-Learning Applying course

CSUCI STEM CORPS Building a Culture of Service Academic Service-Learning Applying course

CSUCI STEM CORPS Building a Culture of Service Academic Service-Learning Applying course learning to service Volunteerism Serve it UP! Cross-divisional Signature Service Day Community Service CSUCI Corps CSUCI CORPS

488 views • 13 slides
Profitable Service: Building Blocks of a Great Service Department Disclaimer Some

Profitable Service: Building Blocks of a Great Service Department Disclaimer Some

Profitable Service: Building Blocks of a Great Service Department Disclaimer Some information may be proprietary and therefore questions about it may not be answered Some information we may chose not to comment on for other reasons

397 views • 37 slides
EFFECTIVE NOTE-TAKING OVERVIEW Importance Strategies Note - taking apps FORGETTING CURVE

EFFECTIVE NOTE-TAKING OVERVIEW Importance Strategies Note - taking apps FORGETTING CURVE

EFFECTIVE NOTE-TAKING OVERVIEW Importance Strategies Note - taking apps FORGETTING CURVE Approximately 60 % information in class is forgotten after 9 hours Writing down notes increases active listening = better retention HIGH SCHOOL COLLEGE

367 views • 11 slides
Microservices in a Streaming World There are many good reasons for building service-based

Microservices in a Streaming World There are many good reasons for building service-based

Microservices in a Streaming World There are many good reasons for building service-based systems Loose Coupling Bounded Contexts Autonomy Ease of scaling Composability But when we do, were building a distributed system

1.96k views • 138 slides
The Price of Forgetting in Parallel Routing Jonatha Anselmi & Bruno Gaujal INRIA Aussois

The Price of Forgetting in Parallel Routing Jonatha Anselmi & Bruno Gaujal INRIA Aussois

The Price of Forgetting in Parallel Routing Jonatha Anselmi & Bruno Gaujal INRIA Aussois June, 2011 (INRIA ) 1 / 21 Introduction Goal of my talk : explore different types of routing policies (selfish/social, with/without memory) in a

312 views • 28 slides
Building NREN service for a WireFree world Maurice van den Akker Team Manager WireFree SURFnet

Building NREN service for a WireFree world Maurice van den Akker Team Manager WireFree SURFnet

Building NREN service for a WireFree world Maurice van den Akker Team Manager WireFree SURFnet Todays items Excellent WireFree: the new goal for NRENs Building a Wi-Fi/4G/eduroam service together with telcos: MoLAN

408 views • 18 slides
Resolution-Based Uniform Interpolation and Forgetting for Expressive Description Logics Patrick

Resolution-Based Uniform Interpolation and Forgetting for Expressive Description Logics Patrick

Resolution-Based Uniform Interpolation and Forgetting for Expressive Description Logics Resolution-Based Uniform Interpolation and Forgetting for Expressive Description Logics Patrick Koopmann December 12, 2017 1/60 Resolution-Based Uniform

1.07k views • 74 slides
SENDING AND FORGETTING: TERMINATION OF AMNESIAC FLOODING ON A GRAPH* WALTER HUSSAK AND AMITABH

SENDING AND FORGETTING: TERMINATION OF AMNESIAC FLOODING ON A GRAPH* WALTER HUSSAK AND AMITABH

SENDING AND FORGETTING: TERMINATION OF AMNESIAC FLOODING ON A GRAPH* WALTER HUSSAK AND AMITABH TREHAN LOUGHBOROUGH UNIVERSITY On the Termination of Flooding. STACS 2020 * * On Termination of a Flooding Process (Brief Announcement). PODC 2019

542 views • 38 slides
Counting Community Engagement Social Action Capacity Building Projects Service Internships

Counting Community Engagement Social Action Capacity Building Projects Service Internships

Counting Community Engagement Social Action Capacity Building Projects Service Internships Service Leadership Regular (Weekly) Service 1x Service Events Counting Community Engagement Count By Type Students Hours Social Action

481 views • 10 slides
A Personalized Interest-Forgetting Markov Model for Recommendations Jun Chen , Chaokun Wang,

A Personalized Interest-Forgetting Markov Model for Recommendations Jun Chen , Chaokun Wang,

A Personalized Interest-Forgetting Markov Model for Recommendations Jun Chen , Chaokun Wang, Jianmin Wang Tsinghua University, China chenjun14@mails.tsinghua.edu.cn, {chaokun, jimwang}@tsinghua.edu.cn AAAI-15 28-Jan-15 1 Review on

366 views • 19 slides
Building capacity for excellence in service provision for people with disabilities Laura Jones

Building capacity for excellence in service provision for people with disabilities Laura Jones

European Platform for Rehabilitation (EPR) Building capacity for excellence in service provision for people with disabilities Laura Jones Secretary General Who we are Network of service providers committed to excellence and innovation

625 views • 18 slides
Source Code Are we not forgetting something? Guus Sliepen FOSDEM 2017 . . . . . . . . .

Source Code Are we not forgetting something? Guus Sliepen FOSDEM 2017 . . . . . . . . .

. . . . . . . . . . . . . . . . . Source Code Are we not forgetting something? Guus Sliepen FOSDEM 2017 . . . . . . . . . . . . . . . . . . . . . . . February 4, 2017 . . . . . . . . . . . .

1.96k views • 16 slides

More recommend