Web Security Automation: Spend Less Time Securing Your Applications

Upload: amazon-web-services

Posted on 15-Feb-2017

TRANSCRIPT

Page 1: Security Automation Using AWS WAF: Spend Less Time Securing Your Applications

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Dean Samuels, Manager, Solutions Architecture, Hong Kong & Taiwan

19th January 2016

Pages 2–5: What to expect from this session

Introduction to AWS WAF

AWS WAF 101

AWS WAF security automation strategies

Demo and getting started

5 automation strategies

1. Provisioning WAF

2. Deploying WAF

3. Importing rules

4. Automated incident response

5. Learning-based protections

Pages 6–7: AWS WAF 101

What is AWS WAF

Page 8: Why AWS WAF?

Application vulnerabilities

[Diagram: good users and bad guys reach the web server and database through AWS WAF; the bad guys' traffic is labelled "Exploit code"]

Page 9: Why AWS WAF?

Content abuse: Bots and scrapers

[Diagram: same layout as page 8, with bots and scrapers as the bad guys' traffic]

Page 10: Why AWS WAF?

Application DDoS

[Diagram: same layout as page 8, with an application-layer DDoS as the bad guys' traffic]

Page 11: AWS WAF: Rules in action

Monitor security events

Pages 12–13: AWS WAF: Integrated with AWS

Amazon CloudFront: Global content delivery network to accelerate websites, APIs, video content, and other web assets

Application Load Balancer (announcing today): Load balancer with advanced request routing, and support for microservices and container-based applications

Page 14: What to expect from this session

Introduction to AWS WAF

AWS WAF security automation strategies

AWS WAF 101

Demo and getting started

Page 15: Why security automation

Spend less time securing your applications. Instead, focus on building applications.

Page 16: We built a WAF that has…

Customizable and flexible rules

Quick rule updates

APIs: Integration with DevOps

…allowing several WAF automation strategies

Page 17: AWS WAF security automation strategies

Provisioning WAF

Configuring rules

Importing rules

Automated incident response

Learning-based protections

… to spend less time securing applications


Pages 19–22: Provisioning AWS WAF

Step 1 – Create web ACL

Step 2 – Add rules

Rule 1: Whitelist [ALLOW]

Rule 2: Blacklist [BLOCK]

Rule 3: Common protection [BLOCK]

Step 3 – Add conditions

IP whitelist (Rule 1)

IP blacklist (Rule 2)

SQL injection and URL match (Rule 3)

Step 4 – Associate the web ACL with Amazon CloudFront or an ALB

Pages 23–25: Provisioning AWS WAF: Reuse

Spend less time by reusing WAF rules

Rule 1: Whitelist [ALLOW] – condition: IP whitelist (internal IP)

Rule 2: Blacklist [BLOCK] – condition: IP blacklist (known bad)

Rule 3: Common protection #1 [BLOCK] – conditions: SQL injection, URL match

Rule 4: Common protection #2 [BLOCK] – condition: XSS match

Web ACL #1 – associated with ALB 1 (dev env)

Web ACL #2 – associated with ALB 2 (prod env)

Page 25 adds ALB 3 (new app), protected by reusing the same rules

Page 26: Provisioning AWS WAF

Quickly fix vulnerabilities

Example: CVE-2016-538

• Server-side web applications that utilize the HTTP_Proxy header as an environment variable

• Attacker could intercept connections between a client and server.

Quick solution: Use AWS WAF to configure a rule to detect and block web requests that contain a proxy header.

Pages 27–28: Provisioning AWS WAF

Spend less time by reusing WAF rules

Rule 1: Whitelist [ALLOW] – condition: IP whitelist (internal IP)

Rule 2: Blacklist [BLOCK] – condition: IP blacklist (known bad)

Rule 3: Common protection #1 [BLOCK] – conditions: SQL injection, URL match

Rule 4: Common protection #2 [BLOCK] – condition: XSS match

Rule 5: CVE-2016-538 [BLOCK] – condition: header match

Web ACL #1 – associated with ALB 1 (dev env)

Web ACL #2 – associated with ALB 2 (prod env)

ALB 3 (new app)
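The slides show the web ACL as a picture: rules in priority order, each with an action and one or more conditions, and a final "associate" step. To make the evaluation model concrete, here is an added example (written for this transcript, not AWS code; it does not call the AWS WAF API) that reproduces the rule set of page 28 as a small offline simulation. The Request/Rule/WebACL classes, the toy SQLi and XSS patterns, the 10.0.0.0/8 "internal" and 198.51.100.0/24 "known bad" ranges, the "/api/" URL scope given to Rule 3, and every sample request are constructed for illustration; the "first matching rule wins, otherwise the default action" behaviour is how AWS WAF web ACLs work.

```python
"""Toy model of an AWS WAF (classic) web ACL evaluating rules in priority
order, covering the provisioning steps on pages 19-22 and the rule set on
page 28 of the deck.

Added example for this transcript; it is not AWS code and does not call the
AWS WAF API. Each rule has conditions (all must match), an action
(ALLOW/BLOCK); the first matching rule decides, and the web ACL's default
action applies otherwise. Classes, patterns, IP ranges, the "/api/" scope of
Rule 3 and all sample requests are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    client_ip: str
    uri: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


Condition = Callable[[Request], bool]


def ip_match(cidrs: List[str]) -> Condition:
    """IP match condition: client IP falls inside any of the listed ranges."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req.client_ip) in n for n in nets)


def uri_starts_with(prefix: str) -> Condition:
    """URL match condition on the request path."""
    return lambda req: req.uri.startswith(prefix)


def header_present(name: str) -> Condition:
    """Header match condition; header names are compared case-insensitively."""
    wanted = name.lower()
    return lambda req: any(k.lower() == wanted for k in req.headers)


# Deliberately small patterns: the real SQLi/XSS match conditions are far
# broader, and even these over-match (the apostrophe in "it's" trips _SQLI).
_SQLI = re.compile(r"(?i)('|--|\bunion\b.*\bselect\b|\bor\b\s+\d+\s*=\s*\d+)")
_XSS = re.compile(r"(?i)(<script\b|javascript:|onerror\s*=)")


def sqli_match(req: Request) -> bool:
    return bool(_SQLI.search(req.uri) or _SQLI.search(req.query))


def xss_match(req: Request) -> bool:
    return bool(_XSS.search(req.uri) or _XSS.search(req.query))


@dataclass
class Rule:
    name: str
    action: str                  # "ALLOW" or "BLOCK"
    conditions: List[Condition]  # all must match for the rule to fire


@dataclass
class WebACL:
    rules: List[Rule]            # in priority order
    default_action: str = "ALLOW"

    def evaluate(self, req: Request) -> Tuple[str, Optional[str]]:
        """Return (action, name of the deciding rule) for one request."""
        for rule in self.rules:
            if all(cond(req) for cond in rule.conditions):
                return rule.action, rule.name
        return self.default_action, None


# Step 1 creates the web ACL, step 2 adds rules, step 3 attaches conditions.
# Step 4 (associating it with CloudFront or an ALB) has no offline equivalent.
WEB_ACL = WebACL(rules=[
    Rule("Rule 1: Whitelist", "ALLOW", [ip_match(["10.0.0.0/8"])]),        # internal IP
    Rule("Rule 2: Blacklist", "BLOCK", [ip_match(["198.51.100.0/24"])]),   # known bad
    Rule("Rule 3: Common protection #1", "BLOCK", [uri_starts_with("/api/"), sqli_match]),
    Rule("Rule 4: Common protection #2", "BLOCK", [xss_match]),
    Rule("Rule 5: Proxy header match", "BLOCK", [header_present("Proxy")]),  # page 28's CVE rule
])

# Constructed sample traffic (documentation address ranges only).
SAMPLE_REQUESTS = {
    "internal_with_sqli": Request("10.1.2.3", "/api/users", "id=1' OR 1=1"),
    "known_bad_ip": Request("198.51.100.7", "/index.html"),
    "sqli_on_api": Request("203.0.113.5", "/api/users", "id=1 OR 1=1"),
    "sqli_outside_api": Request("203.0.113.5", "/search", "q=it's"),
    "xss": Request("203.0.113.5", "/search", "q=<script>alert(1)</script>"),
    "proxy_header": Request("203.0.113.5", "/", headers={"proxy": "http://198.51.100.1:8080"}),
    "benign": Request("203.0.113.5", "/index.html", "page=2"),
}


def evaluate_sample_requests(acl: WebACL = WEB_ACL) -> Dict[str, Tuple[str, Optional[str]]]:
    return {name: acl.evaluate(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (action, rule) in evaluate_sample_requests().items():
        print(f"{name:20s} -> {action:5s} via {rule or 'default action'}")
```

Two things the simulation makes visible that the slide does not: because Rule 1 is an ALLOW rule evaluated first, a request from the whitelisted range is allowed even when it carries an injection payload, so the whitelist range must be trusted; and because conditions within a rule are ANDed, scoping Rule 3 to "/api/" means the same payload on "/search" falls through to the default action.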


Page 30: Configuring AWS WAF rules

Preconfigured AWS CloudFormation templates for common protection

[Diagram: CloudFormation template → AWS WAF configuration]

Page 31: Configuring AWS WAF: Common protection

Enable common protections

SQL injection

Cross-site scripting

Page 32: Preconfigured protections: Customer example

Need quick setup and common protections like SQLi, XSS

“Overall, the entire stack so far has been extremely helpful. I truly would say that this stack should almost be a standard built-in for anyone looking to use WAF as I cannot begin to tell you how useful and truly effective it is.”

Award-winning Health & Beauty eTailer

Page 33: Configuring AWS WAF: Common protection

Demo


Pages 35–37: Importing AWS WAF rules

Import open source IP reputation lists
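The deck names the strategy ("import open source IP reputation lists") without showing the mechanics. Here is an added example, written for this transcript and not AWS code, of the offline part of that import: parsing a reputation list in the common one-entry-per-line text form, normalising entries to the IPv4 prefix sizes the AWS WAF (classic) IPSet documentation listed at the time (/8, /16, /24, /32; check the current limits before relying on them), and computing the INSERT/DELETE updates that bring an existing IPSet in line with the list. REPUTATION_LIST and CURRENT_IPSET are constructed sample data; the comment syntax accepted, the "widen to the next supported prefix" policy and the helper names are assumptions. The update dicts follow the IPSetDescriptor shape of the WAF classic UpdateIPSet call, but nothing here talks to the API.

```python
"""Turning an open-source IP reputation list into AWS WAF IPSet updates
(pages 35-37 of the deck, "Import open source IP reputation lists").

Added example for this transcript; not AWS code, and no AWS API calls are
made. Sample feed and current IPSet are constructed; the supported prefix
sizes are the ones the WAF classic docs listed at the time of the talk.
"""
import ipaddress
from typing import Dict, List, Set

SUPPORTED_V4_PREFIXES = (8, 16, 24, 32)   # IPv4 sizes an AWS WAF (classic) IPSet accepted

REPUTATION_LIST = """\
# constructed sample feed: one IPv4 address or CIDR per line
198.51.100.7
198.51.100.0/24
203.0.113.0/25
; comment in a second style
192.0.2.10   # trailing comment
not-an-address
"""

CURRENT_IPSET: Set[str] = {"198.51.100.0/24", "192.0.2.99/32"}  # constructed current state


def normalise_cidr(cidr: str) -> List[str]:
    """Map one CIDR onto supported prefix sizes.

    Sizes between supported ones widen to the next supported size (/25 -> /24):
    that over-blocks slightly, which is the safe direction for a blacklist.
    Prefixes shorter than /8 are split into /8s. Returns [] for non-IPv4 input
    and raises ValueError for text that is not an address at all.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return []
    if net.prefixlen < 8:
        return [str(s) for s in net.subnets(new_prefix=8)]
    target = max(p for p in SUPPORTED_V4_PREFIXES if p <= net.prefixlen)
    return [str(net.supernet(new_prefix=target))]


def parse_reputation_list(text: str) -> Set[str]:
    """Parse a feed into a set of normalised CIDR strings."""
    nets: List[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # strip '#' and ';' comments
        if not line:
            continue
        try:
            nets.extend(ipaddress.ip_network(v) for v in normalise_cidr(line))
        except ValueError:
            continue   # one junk line must not abort the whole import
    # drop entries already covered by a wider one (e.g. a /32 inside a /24)
    return {str(n) for n in ipaddress.collapse_addresses(nets)}


def plan_ipset_updates(current: Set[str], desired: Set[str]) -> List[Dict[str, object]]:
    """INSERT what the feed has and the IPSet lacks; DELETE the reverse."""
    updates: List[Dict[str, object]] = []
    for value in sorted(desired - current):
        updates.append({"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": value}})
    for value in sorted(current - desired):
        updates.append({"Action": "DELETE", "IPSetDescriptor": {"Type": "IPV4", "Value": value}})
    return updates


if __name__ == "__main__":
    wanted = parse_reputation_list(REPUTATION_LIST)
    for update in plan_ipset_updates(CURRENT_IPSET, wanted):
        print(update["Action"], update["IPSetDescriptor"]["Value"])
```

A rule updater of the kind drawn on pages 40 and 43 would run this on a schedule, read the live IPSet instead of CURRENT_IPSET, and submit the update list together with a change token; keeping the diff step separate from the API call makes the planned changes easy to log and review before they take effect.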


Page 39: Why security automation

Traditional incident response

[Diagram: good users and bad guys → AWS WAF → server; server logs → threat analysis → notification → security engineer]

Page 40: Why security automation

Automated incident response

[Diagram: as page 39, with a rule updater added after threat analysis]

Page 41: Security automation: Use cases

HTTP floods

Scans and probes

Use cases that static rules cannot protect effectively

Pages 42–43: Automated incident response: Customer example

MapBox uses WAF to protect from bots

[Diagram: good users and bad guys → AWS WAF → server; server logs → threat analysis → rule updater]

Page 44: AWS WAF security automation strategies

Provisioning WAF

Configuring rules

Importing rules

Security Automation

Learning-based protections

Page 45: What is machine learning

Machine learning is the technology that automatically finds patterns in your data and uses them to make predictions for new data points as they become available.

Your data + machine learning = smart applications

Page 46: Amazon Machine Learning

Easy-to-use, managed machine learning service built for developers

Robust, powerful machine learning technology based on Amazon’s internal systems

Create models using your data already stored in the AWS Cloud

Deploy models to production in seconds

Page 47: AWS WAF with Amazon Machine Learning

A PoC on learning-based WAF

Page 48: AWS WAF with Amazon Machine Learning

The problem: Detect requests from domain generation algorithms

Solution: Use the referrer header to detect bad domains visiting my website, based on machine learning

Page 49: AWS WAF with Amazon Machine Learning

1. Data preparation – Feature engineering

2. Train model based on known good and bad domains

3. Evaluate using real data

Page 50: AWS WAF with Amazon Machine Learning

1. Data preparation – Feature engineering

Page 51: AWS WAF with Amazon Machine Learning

2. Train model based on known good and bad domains

Good domains: Alexa 10,000

Bad domains: Known phishing domains

Page 52: AWS WAF with Amazon Machine Learning

3. Evaluate using real data

Use raw logs from CloudFront:

#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version
2014-05-23 01:13:11 FRA2 182 192.0.2.10 GET d111111abcdef8.cloudfront.net /view/my/file.html 200 www.displaymyfiles.com Mozilla/4.0%20(compatible;%20MSIE%205.0b1;%20Mac_PowerPC) - zip=98101 RefreshHit MRVMF7KydIvxMWfJIglgwHQwZsbG2IhRJ07sn9AkKUFSHS9EXAMPLE== d111111abcdef8.cloudfront.net http - 0.001 - - - RefreshHit HTTP/1.1
2014-05-23 01:13:12 LAX1 2390282 192.0.2.202 GET d111111abcdef8.cloudfront.net /soundtrack/happy.mp3 304 www.unknownsingers.com Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%205.1) a=b&c=d zip=50158 Hit xGN7KWpVEmB9Dp7ctcVFQC4E-nrcOcEKS3QyAez--06dV7TEXAMPLE== d111111abcdef8.cloudfront.net http - 0.002 - - - Hit HTTP/1.1
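Pages 49–52 describe the PoC pipeline (feature engineering, training on known good and bad domains, evaluation on CloudFront logs) but show neither the features nor how the referrer is pulled out of the log. The following added example, written for this transcript and not code from AWS or from the PoC, covers the offline half of steps 1 and 3: it parses the CloudFront log format (a "#Fields:" header followed by one record per line), extracts cs(Referer), and derives simple string features of the kind a classifier such as Amazon ML could be trained on. The two records are the ones on page 52 plus one constructed record carrying a random-looking referrer under the reserved ".invalid" TLD; the feature set, the naive second-level-label extraction and the helper names are assumptions.

```python
"""Feature engineering over CloudFront access logs for the referrer-based
DGA-detection PoC on pages 48-52 of the deck.

Added example for this transcript; not AWS code and not the PoC's code.
The first two log records are the ones shown on page 52, the third is
constructed. The feature set and the "label left of the TLD" extraction
are assumptions made for illustration.
"""
import math
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlparse

SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version
2014-05-23 01:13:11 FRA2 182 192.0.2.10 GET d111111abcdef8.cloudfront.net /view/my/file.html 200 www.displaymyfiles.com Mozilla/4.0%20(compatible;%20MSIE%205.0b1;%20Mac_PowerPC) - zip=98101 RefreshHit MRVMF7KydIvxMWfJIglgwHQwZsbG2IhRJ07sn9AkKUFSHS9EXAMPLE== d111111abcdef8.cloudfront.net http - 0.001 - - - RefreshHit HTTP/1.1
2014-05-23 01:13:12 LAX1 2390282 192.0.2.202 GET d111111abcdef8.cloudfront.net /soundtrack/happy.mp3 304 www.unknownsingers.com Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%205.1) a=b&c=d zip=50158 Hit xGN7KWpVEmB9Dp7ctcVFQC4E-nrcOcEKS3QyAez--06dV7TEXAMPLE== d111111abcdef8.cloudfront.net http - 0.002 - - - Hit HTTP/1.1
2014-05-23 01:13:13 FRA2 512 192.0.2.77 GET d111111abcdef8.cloudfront.net /index.html 200 http://kq7xvz2pl9mtrw.invalid/landing Mozilla/5.0 - - Miss CONSTRUCTEDREQUESTIDEXAMPLE== d111111abcdef8.cloudfront.net http - 0.003 - - - Miss HTTP/1.1
"""


def parse_cloudfront_log(text: str) -> List[Dict[str, str]]:
    """One dict per record, keyed by the names in the #Fields header.

    Real CloudFront logs are tab-separated; the slide shows spaces. Splitting
    on any whitespace works for both because CloudFront URL-encodes spaces
    inside field values (see the %20s in the user agent).
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed record: skip it rather than mis-align columns
        records.append(dict(zip(fields, values)))
    return records


def referrer_host(referer: str) -> Optional[str]:
    """cs(Referer) is '-' when absent. Real logs carry a full URL, the slide
    shows bare hosts; accept both and drop any port."""
    if not referer or referer == "-":
        return None
    if "://" in referer:
        host = urlparse(referer).hostname
    else:
        host = referer.split("/", 1)[0].split(":", 1)[0]
    return host.lower() if host else None


def second_level_label(host: str) -> str:
    """Label left of the TLD. Assumption: no public-suffix list, so
    'example.co.uk' yields 'co'; a real pipeline should use one."""
    labels = host.strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking DGA labels sit near log2(len(s))."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_non_vowel_run(s: str) -> int:
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def domain_features(host: str) -> Dict[str, object]:
    label = second_level_label(host)
    n = len(label)
    return {
        "host": host,
        "label": label,
        "length": n,
        "entropy": round(shannon_entropy(label), 3),
        "digit_ratio": round(sum(ch.isdigit() for ch in label) / n, 3) if n else 0.0,
        "vowel_ratio": round(sum(ch in VOWELS for ch in label) / n, 3) if n else 0.0,
        "max_consonant_run": longest_non_vowel_run(label),
    }


def referrer_features(log_text: str) -> List[Dict[str, object]]:
    """One feature row per request that carried a referrer."""
    rows = []
    for rec in parse_cloudfront_log(log_text):
        host = referrer_host(rec.get("cs(Referer)", "-"))
        if host:
            rows.append(domain_features(host))
    return rows


if __name__ == "__main__":
    for row in referrer_features(SAMPLE_LOG):
        print(row)
```

On the sample data the dictionary-word referrers score around 3.2 bits per character with short consonant runs and no digits, while the constructed random label scores the maximum 3.807 bits (log2 of 14 distinct characters) with a 14-character consonant run and a 21% digit share. Those are the kinds of columns a training set of "Alexa 10,000" versus "known phishing domains" would carry; a model trained on them is only as good as its features, which is why page 49 lists feature engineering as the first step.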

Pages 53–54: AWS WAF with Amazon Machine Learning

Demo

Page 55: AWS WAF with Amazon Machine Learning

How good is our machine learning model?

Category: Result

Accuracy: 98%

Recall (true positive rate): 78%

False positive rate: 1%

True negative rate: 99%

Page 56: Summary

Spend less time securing your applications. Instead, focus on building applications.

Provisioning WAF: Reuse rules

Configuring rules: Configure common protections in minutes using CloudFormation templates

Importing rules: Automated reputation list from external sources

Automated incident response: Advanced application-specific firewall rules

Learning-based protections: Smart adaptive protections using Amazon ML

Page 57: Remember to complete your evaluations!

Page 58: Thank you!

Get started with AWS WAF: https://console.aws.amazon.com/waf