Post on 20-Aug-2018


Application Security

Rafal Chrusciel, Senior Security Operations Analyst, F5 Networks

[email protected]

Agenda

• Who are we?

• Anti-Fraud

• F5 Silverline DDOS protection

• WAFaaS

• Threat intelligence & malware research

• Publications

Who are we?

F5 SOC Organization (org chart)

• Vice-President

• Managers

• Customer Engagement Managers

• Architects

• DDOS Analysts, WAF Analysts, Anti-Fraud Analysts, Malware Analysts

SOC locations: Seattle, Warsaw, Tel-Aviv

F5 SOC Milestones

• 2013: Versafe acquisition

• 2014: F5 WebSafe release; Seattle SOC launch; Defense.net acquisition; F5 Silverline Volumetric DDoS release

• 2015: Warsaw SOC launch; F5 Silverline Web Application Firewall release

• 2017: F5 Silverline WAF Express release

• Delivering 3 SOC services 24x7x365 – Silverline DDoS mitigation, Silverline WAFaaS, Anti-Fraud services

Anti-Fraud

Unlimited Expert Malware Analysis: assess damage, understand attackers and resolve vulnerabilities

• Analyzes any malware submitted, including malware detected by F5 Web Fraud Protection solutions

• Investigates and reports on malware, including components, attributes, target, controls, purpose, etc.

• Discovers indicators of compromise

• Identifies source and level of sophistication

• Helps prevent future malware attacks and eliminate risks associated with analyzing malware

• Includes C&C shutdown services and WebSafe C&C drop zone investigation

Specialized researchers and analysts at your service: a 24x7 Malware Analysis Team, always available

BIG-IP Fraud Protection Service (diagram): the organization's DMZ with the web application and an Alert Server (cloud or on-premise); online users on the Internet; WebSafe components delivered via F5 iRules

Phishing attacks

Malware detection

Citadel malware

External injections detection

Infected computers

Citadel – domain availability

F5 Silverline DDOS protection

F5 Silverline – proxy mode

F5 Silverline – routed mode

Volumetric attacks – real threat?

Mirai – DNS Water Torture

(diagram) IoT bots send queries for random names such as blabla.victim.com to the ISP's DNS server, which forwards them to the authoritative DNS servers for the zone; the authoritative DNS servers become unresponsive.
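A resolver operator can spot the pattern in the diagram above from its own query logs: a single zone suddenly receives many never-before-seen names with random-looking left labels, and the answers start failing because the authoritative servers no longer respond. The following Python is an added example and is not part of the presentation or any F5 product; the log format (`epoch client qname rcode`), the "last two labels" zone approximation and the thresholds are assumptions chosen for the illustration, and the log lines are constructed.

```python
import math
from collections import defaultdict

# Constructed sample of recursive-resolver query log lines (hypothetical format:
# "<epoch> <client_ip> <qname> <rcode>"); not the output of any real resolver.
SAMPLE_LOG = """\
1500000000 10.0.0.5 www.example.com NOERROR
1500000000 10.0.0.6 mail.example.com NOERROR
1500000001 10.0.0.5 www.example.com NOERROR
1500000001 10.0.0.7 shop.example.com NOERROR
1500000002 10.0.0.6 www.example.com NOERROR
1500000002 192.0.2.10 x7k2qplw.victim.com NOERROR
1500000002 192.0.2.11 a9zm3rtq.victim.com SERVFAIL
1500000003 192.0.2.12 pq0e7ynv.victim.com SERVFAIL
1500000003 192.0.2.10 t3hd8slx.victim.com SERVFAIL
1500000003 192.0.2.13 b6wq1zce.victim.com SERVFAIL
1500000004 192.0.2.11 m2kr9fvo.victim.com SERVFAIL
1500000004 192.0.2.14 j8yu4dhn.victim.com SERVFAIL
1500000004 192.0.2.12 c5xo2gtb.victim.com SERVFAIL
1500000005 192.0.2.15 v1na6prk.victim.com SERVFAIL
1500000005 10.0.0.8 www.example.com NOERROR
"""

# Detection thresholds (assumptions for this example; tune per environment).
MIN_QUERIES = 5          # ignore zones with too little traffic to judge
MIN_DISTINCT_RATIO = 0.8 # fraction of queries whose qname is unique in the window
MAX_FAIL_RATIO = 0.5     # fraction of SERVFAIL/NXDOMAIN answers
MIN_LABEL_ENTROPY = 2.5  # bits per character; random labels score high


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    ts, client, qname, rcode = line.split()
    return int(ts), client, qname.lower().rstrip("."), rcode


def zone_of(qname):
    """Registered zone approximated as the last two labels (assumption: this
    ignores multi-label public suffixes such as co.uk)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def zone_stats(log_text):
    """Per-zone counters: total queries, distinct qnames, failed answers and
    the summed entropy of the leftmost label."""
    stats = defaultdict(lambda: {"total": 0, "names": set(), "failed": 0, "entropy_sum": 0.0})
    for line in log_text.strip().splitlines():
        _, _, qname, rcode = parse_line(line)
        s = stats[zone_of(qname)]
        s["total"] += 1
        s["names"].add(qname)
        if rcode in ("SERVFAIL", "NXDOMAIN"):
            s["failed"] += 1
        s["entropy_sum"] += shannon_entropy(qname.split(".")[0])
    return stats


def flag_water_torture(log_text):
    """Return the zones whose query pattern looks like a random-subdomain flood,
    with the measurements that triggered the flag."""
    flagged = {}
    for zone, s in zone_stats(log_text).items():
        if s["total"] < MIN_QUERIES:
            continue
        distinct_ratio = len(s["names"]) / s["total"]
        fail_ratio = s["failed"] / s["total"]
        mean_entropy = s["entropy_sum"] / s["total"]
        if distinct_ratio >= MIN_DISTINCT_RATIO and (
            fail_ratio >= MAX_FAIL_RATIO or mean_entropy >= MIN_LABEL_ENTROPY
        ):
            flagged[zone] = {
                "distinct_ratio": round(distinct_ratio, 2),
                "fail_ratio": round(fail_ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
            }
    return flagged


if __name__ == "__main__":
    for zone, why in flag_water_torture(SAMPLE_LOG).items():
        print(f"possible DNS water torture against {zone}: {why}")
```

The check combines three signals because each alone misfires: a content delivery network legitimately produces many unique names but with low label entropy, and a zone with a broken authoritative server fails without the unique-name flood. On a production resolver the counters would be kept per sliding time window rather than over a whole file.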

Mirai, Mirai, Mirai… Does it take the focus off protocol attacks?

DDoS Future

Image source: http://vavatech.pl/technologie/mobilne/android

Image source: http://www.business2community.com/big-data/internet-things-iot-going-impact-business-01572401#EcT94ktBwj7BZPYh.97

Silverline WAFaaS

BIG-IP® Application Security Manager™

• Highest-scaling and most flexible solution that provides transparent protection from ever-changing threats

• Best DAST integration & virtual patching to reduce risks from vulnerabilities

• Deploys as a full proxy or transparent full proxy (bridge mode)

• Industry's best bot detection measures

• Secures against the OWASP top 10

BIG-IP Local Traffic Manager with BIG-IP Application Security Manager (request/response flow diagram)

• Request made

• BIG-IP ASM security policy checked: application attack filtering and inspection; SSL, TCP and HTTP DoS mitigation; the request is dropped, blocked or forwarded

• Server response generated by the (vulnerable) application

• BIG-IP ASM applies security policy: response inspection for errors and leakage of sensitive information

• Secure response delivered
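The response-side step in the flow above (inspecting what the application sends back before it reaches the client) can be modelled with a small filter. The Python below is an added illustration, not ASM's implementation or F5 code: the error signatures, the card-number heuristic (13 to 19 digits that pass the Luhn check) and the "block on error, mask sensitive numbers" policy are assumptions chosen for the example, and the sample responses are constructed.

```python
import re

# Illustrative error signatures that should never reach a client (constructed
# for this example; not F5's signature set).
ERROR_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'Exception in thread "'),
    re.compile(r"You have an error in your SQL syntax", re.IGNORECASE),
    re.compile(r"\bORA-\d{5}\b"),
    re.compile(r"<b>(Warning|Fatal error)</b>:.*\bon line \d+", re.IGNORECASE),
]

# Runs of 13-19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum over a string of digits; filters out order IDs and
    timestamps that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def find_card_numbers(body):
    """Return the substrings of body that look like Luhn-valid card numbers."""
    hits = []
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group())
    return hits


def mask_number(s):
    """Keep separators and the last four digits; replace every other digit."""
    n_digits = sum(ch.isdigit() for ch in s)
    out, seen = [], 0
    for ch in s:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > n_digits - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def inspect_response(body):
    """Decide what to do with an application response body.

    Returns (action, body): 'block' replaces a body that leaks an application
    error with a neutral message, 'mask' rewrites card numbers in place, and
    'allow' passes the body through unchanged.
    """
    for pat in ERROR_PATTERNS:
        if pat.search(body):
            return "block", "Request could not be completed."
    cards = find_card_numbers(body)
    if cards:
        for c in cards:
            body = body.replace(c, mask_number(c))
        return "mask", body
    return "allow", body


# Constructed sample responses (not captured from any real application).
SAMPLE_RESPONSES = {
    "leak": '{"order":"A1","card":"4111 1111 1111 1111","ref":"1234567890123456"}',
    "error": '<html>Traceback (most recent call last):\n  File "app.py", line 12</html>',
    "clean": '{"status":"ok","items":3}',
}

if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        action, out = inspect_response(resp)
        print(f"{name}: {action} -> {out}")
```

The Luhn step is what keeps the false-positive rate tolerable: the 16-digit `ref` value in the constructed sample fails the checksum and is left alone, while the test card number is masked to its last four digits. Blocking on error signatures also removes the verbose stack traces and database error strings that give an attacker feedback during probing.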

WAF as a Service

F5 security experts proactively monitor and fine-tune policies to protect web applications and data from new and emerging threats.

• Expert policy setup

• Policy fine-tuning

• Proactive alert monitoring

• False positives tuning

• Detection tuning

• Whitelist / blacklist setup and monitoring

Availability & Support

Expert Policy Setup and Management

Active Threat Monitoring

F5 Security Operations Center

Effective Policy Management

Step 1: Deployment Phase

• Onboarding call is scheduled

• Set up an account

• Agree to an implementation plan

• Create a proxy environment for the application

Step 2: Building Phase

• Analyze your applications

• Create and enable baseline policy for basic top security threats

• SOC analyzes app for security tuning per customer specifications

Step 3: Learning Phase

• Live traffic feeds ASM policy builder

• SOC tunes policies based on resolutions of WAF violation logs

• Virtual patching via VA/DAST scans

Step 4: Enforcement Phase

• Enforcement call scheduled between customer and SOC

• Maintenance window is established

• Monitoring for false positives

• Follow-up call scheduled to obtain customer sign-off

Step 5: Continual Tuning

• Continual tuning based on WAF violation log resolution

• Periodic calls with customer

• Repeat Steps 2-5 as changes are made to the application

WAFaaS – proxy mode

24x7 service, expert policy tuning

Web Scraping protection

Silverline WAF Express

• Predefined policies for different technologies

• Whitelisting available

• Low number of false-positives

• F5 SOC expertise during deployment phase

Threat Intelligence & Malware Research

F5 Threat Monitor

Fraud Targets

C&C Servers

Mobile Trojans

Phishing Sites

Threat Intelligence Statistics

Publications

F5 Newsroom

https://f5.com/labs

Solutions for an application world.

[email protected]