WHY LEGACY SECURITY SYSTEMS ARE FAILING
Nathan Pearce (@F5NetworksEMEA), Product Manager, Europe, Middle East & Africa
© F5 Networks, Inc.
Know thine enemy
• MI5 fighting ‘astonishing’ levels of cyber attacks
• “Most senior managers don’t know where their data is”, Varonis
• “Trust No One”, Fox Mulder, The X-Files
Unknown Vulnerabilities in Web Apps
Web application vulnerabilities as a percentage of all disclosures in 2011 H1 (Source: IBM X-Force Research and Development): Web applications 37 percent, others 63 percent
• Unable to find or mitigate vulnerabilities
• Very expensive to fix by recoding
• Difficult to include scanner assessments
• Need assurance that app sec. is deployed properly
Cyber-attacks in the News for 2011
Source: IBM X-Force 2011 Trend and Risk Report, March 2012
The two faces of hacking
Source: IEEE Spectrum, spectrum.ieee.org
Attacks Are Moving “Up the Stack”
Network threats: 90% of security investment is focused here.
Application threats: 75% of attacks are focused here.
L3 security: DDoS, packet filters, IP protocol validation, fragmentation, checksum, lengths, etc.
L4 security: TCP protocol validation, lengths, checksum, TCP DoS attacks, etc.
L5/7 security: protocol-level security of DNS, HTTP, SMTP, SIP, etc.; OWASP Top 10
Protection From Top Web App. Vulnerabilities (Open Web Application Security Project)
OWASP Top 10 Web Application Security Risks:
1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
Source: www.owasp.org
Can I be a hacker?
• Yes
• It’s easy
• With free on-line lessons…
How Long to Resolve a Vulnerability?
Source: Website Security Statistics Report
People. Applications. Data.
Application and service delivery
Data center consolidation
Gartner: 88% of CIOs rate cloud computing a priority in the next 18 months
Gartner: 70% of IT organizations prefer to deploy servers virtually rather than on hardware
Protect Applications from Threats
Adaptive and unique attack protection:
• Gain visibility into application sessions
• Understand session context and apply policy
• Take action and mitigate offending clients
Key Ingredients to Better Security
Scalable
Extensible and Adaptable
Context Awareness
Unified Security Platform
Engaged Community
TMOS: Available, Secure, Fast