Podcasts about Web application firewall

HTTP-specific network security system

  • 39 podcasts
  • 45 episodes
  • 39m average duration
  • Infrequent episodes
  • Latest: Feb 3, 2025


Latest podcast episodes about Web application firewall

The Azure Podcast
Episode 512 - WAF and WARA on the Azure Podcast

Feb 3, 2025


Senthuran Sivananthan comes on the show to talk about the Well-Architected Framework (WAF) and Well-Architected Resiliency Review (WARA).

Media file: https://azpodcast.blob.core.windows.net/episodes/Episode512.mp3
YouTube: https://youtu.be/xTxG7X9RoWQ

Resources:
  • Azure Pricing Calculator
  • Azure Architecture Review
  • Web Application Firewall

Other Updates:
  • Retirement of Azure Automation's PowerShell runbooks using AzureRM modules
  • TLS 1.0/1.1 retirement for Azure Automation
  • Customer Managed Unplanned Failover for ADLS and Storage+SFTP

The CyberWire
Cracking down on spyware.

Feb 6, 2024 (33:36)


The global community confronts spyware. Canon patches critical vulnerabilities in printers. Barracuda recommends mitigations for Web Application Firewall issues. Group-IB warns of ResumeLooters. Millions are at risk after a data breach in France. Research from the UK reveals contradictory approaches to cybersecurity. Meta's Oversight Board recommends updates to Facebook's Manipulated Media policy. We've got a special segment from the Threat Vector podcast examining Ivanti's Connect Secure and Policy Secure products. And it's time to brush up on IoT security.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
In a special segment from Palo Alto Networks' Threat Vector podcast, host David Moulton, Director of Thought Leadership at Unit 42, along with guests Sam Rubin, VP, Global Head of Operations, and Ingrid Parker, Senior Manager of the Intel Response Unit, dives deep into the critical vulnerabilities found in Ivanti's Connect Secure and Policy Secure products. You can check out the full conversation here.

Selected Reading
  • US to restrict visas for those who misuse commercial spyware (Reuters)
  • Britain and France assemble diplomats for international agreement on spyware (The Record)
  • Israeli government absent from London spyware conference and pledge (The Record)
  • Government hackers targeted iPhone owners with zero-days, Google says (TechCrunch)
  • Google agrees to pay $350 million settlement in security lapse case (Washington Post)
  • Canon Patches 7 Critical Vulnerabilities in Small Office Printers (SecurityWeek)
  • Barracuda Disclosed Critical Vulnerabilities in WAF, Affecting File Upload and JSON Protection (SOCRadar)
  • ResumeLooters target job search sites in extensive data heist (Help Net Security)
  • Millions at risk of fraud after massive health data hack in France (The Connexion)
  • Fragmented cybersecurity vendor landscape is exacerbating risks and compounding skills shortages, SenseOn research reveals (IT Security Guru)
  • Meta's Oversight Board Urges a Policy Change After a Fake Biden Video (InfoSecurity Magazine)
  • Toothbrushes are a cybersecurity risk, too: millions participate in DDoS attacks (Cybernews)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Whiskey Web and Whatnot
A Deep Dive into Managed DNS with Jeff Cronstrom

Feb 6, 2024 (56:36)


Join hosts RobbieTheWagner and Charles William Carpenter III as they welcome Jeff Cronstrom, a DNS specialist with experience dating back to the 90s and the founder of CloudfloorDNS. In this episode, they dig into the ins and outs of managed DNS, the benefits it provides, and the distinguishing features of CloudfloorDNS. The hosts also engage in lively discussions about technology, touching on various topics such as PHP, Python, DevOps, and the role of DNS in web development. Alongside the tech talk, the episode features a whiskey tasting session with Fort Hamilton rye whiskey.

Key Takeaways
  • [01:45] - Whiskey Tasting and Discussion
  • [11:00] - Hot Takes on Tech Topics
  • [27:07] - Deep Dive into CloudfloorDNS
  • [31:41] - Web Application Firewall and Cloudflare
  • [32:02] - Domain Registrations and DNS
  • [32:27] - Google's Shift from Domain Registration
  • [33:53] - Roles in Tech: Network Engineer, System Administrator, and More
  • [35:32] - The Rise of DevOps and DevSecOps
  • [36:28] - The Importance of Security in Development
  • [36:59] - Patch Tuesdays and Software Updates
  • [39:05] - The Syntax Podcast and Sentry.io
  • [39:49] - The Microsoft Debate
  • [42:59] - Boating and Fishing Adventures
  • [48:50] - The Phoenix Lights Mystery
  • [52:11] - Homemade Drink Smoker and Carpentry Skills
  • [54:02] - The Simulation Theory and Solar Flares
  • [53:30] - Choose Your Own Adventure Website Idea
  • [55:30] - Closing Remarks and CloudfloorDNS Plug

Links
  • Jeff Cronstrom Twitter
  • Jeff Cronstrom LinkedIn
  • CloudfloorDNS

Connect with our hosts
  • Robbie Wagner
  • Chuck Carpenter

Subscribe and stay in touch
  • Apple Podcasts
  • Spotify
  • Google Podcasts
  • Whiskey Web and Whatnot
  • Whiskey Web and Whatnot Merch

Enjoying the podcast and want us to make more? Help support us by picking up some of our fresh merch at https://whiskey.fund/.

Send in a voice message: https://podcasters.spotify.com/pod/show/whiskey-web-and-whatnot/message

Microsoft Cloud IT Pro Podcast
Episode 362 – The Flustration of Microsoft Ignite

Nov 30, 2023 (46:15), transcription available


In Episode 362, Ben and Scott get sidetracked with some of the announcements coming out of Microsoft Ignite. It's also the season of giving and we're raising money for Girls Who Code. Donate today at https://give.girlswhocode.com/msclouditpro! Like what you hear and want to support the show? Check out our membership options.

Show Notes
  • Microsoft Ignite 2023: AI transformation and the technology driving change
  • Microsoft Ignite 2023: all the AI news from Microsoft's IT pro event
  • Reduce Compute Costs by Pausing VMs (now in public preview)
  • What's new and what's next with Azure IaaS | BRK245H
  • What is rate limiting for Web Application Firewall on Application Gateway?
  • Attach or detach a Virtual Machine to or from a Virtual Machine Scale Set
  • The new Microsoft Planner: A unified experience bringing together to-dos, tasks, plans and projects
  • Introducing SharePoint Premium – the future of AI powered content management and experiences

About the sponsors
Intelligink utilizes their skill and passion for the Microsoft cloud to empower their customers with the freedom to focus on their core business. They partner with them to implement and administer their cloud technology deployments and solutions. Visit Intelligink.com for more info.

Oracle University Podcast
Best of 2023: Multicloud is the Way to Go

Nov 21, 2023 (16:07)


Sergio Castro joins Lois Houston and Nikita Abraham to explore multicloud, some of its use cases, and the reasons why many businesses are embracing this strategy.

A-Team Chronicles: https://www.ateam-oracle.com/
Oracle University Blog: https://blogs.oracle.com/oracleuniversity/
Oracle MyLearn: https://mylearn.oracle.com/
Oracle University Learning Community: https://education.oracle.com/ou-community
X (formerly Twitter): https://twitter.com/Oracle_Edu
LinkedIn: https://www.linkedin.com/showcase/oracle-university/

Special thanks to Arijit Ghosh, David Wright, the OU Podcast Team, and the OU Studio Team for helping us create this episode.

Episode Transcript:

00:00 Welcome to the Oracle University Podcast, the first stop on your cloud journey. During this series of informative podcasts, we'll bring you foundational training on the most popular Oracle technologies. Let's get started.

00:26 Nikita: Welcome to the Oracle University Podcast! I'm Nikita Abraham, Principal Technical Editor with Oracle University, and with me is Lois Houston, Director of Innovation Programs.

Lois: Hi there! If you've been following along with us, you'll know we just completed our first three seasons of the Oracle University Podcast. We've had such a great time exploring OCI, Data Management, and Cloud Applications business processes. And we've had some pretty awesome special guests, too.

00:56 Nikita: Yeah, it's been so great having them on and so educational, so do check out those episodes if you missed any of them.

Lois: As we close out the year, we thought this would be a good time to revisit some of our most popular episodes with you. Over the next few weeks, you'll be able to listen to six of our most popular episodes from this year.

Nikita: Right, this is the best of the best, according to you, our listeners.

01:20 Lois: Today's episode is #1 of 6 and is a throwback to a discussion with our Principal OCI Instructor Sergio Castro on multi-cloud. Keep in mind that this chat took place before the release of Oracle University's course and certification on multi-cloud. It's available now on mylearn.oracle.com, so if it interests you, you should go check it out.

Nikita: We began by asking Sergio to help us with the basics and explain what multi-cloud is. So, let's dive right in. Here we go!

01:51 Sergio: Good question. So multi-cloud is leveraging the best offering of two or more cloud service providers. This as a strategy for an IT solution. And Oracle embraces multi-cloud. This strategy was clearly communicated during OpenWorld in Las Vegas last year. We even had demos where OCI presenters opened the cloud Graphic User Interface of other providers during our live sessions. So the concise answer to the question is multi-cloud is two or more cloud vendors providing a consolidated solution to a customer.

02:29 Nikita: So, would an example of this be when a customer uses OCI and Azure?

Sergio: Absolutely. Yes, exactly. That's what it is. We can say that our official multi-cloud approach started with the interconnect agreement with Azure. But customers, they have already been leveraging our FastConnect partners for interconnecting with other cloud providers. The interconnect agreement with Azure just made it easier. Oracle tools such as Oracle Integration and GoldenGate have been multi-cloud ready even prior to our official announcement. And if you look at the Oracle's document... the documents from Oracle, you can find VPN access to other cloud providers, but we can talk about that shortly.

03:16 Nikita: OK. So, why would organizations use a multi-cloud strategy? What do they gain by doing that?

Sergio: Oh, there are many reasons why organizations might want to use a multi-cloud strategy. For example, a customer might want to have vendor redundancy. Having the application running with one vendor and having the other vendor just stand by in case something goes wrong with that cloud provider. So it is best practice not to rely on just one cloud service provider. Another customer might want to have the application with one tier or the application tier with one cloud provider and their database tier with another cloud provider.

03:53 Sergio: So this is a solution leveraging the best of two cloud providers. Another company or another reason might be a company acquired another one, you know, purchasing a second company, and they have different cloud providers and they just want to integrate their cloud resources. So every single cloud provider offers unique solutions and customers want to leverage these strong points. For example, we all know that AWS was the first infrastructure as a service provider, and the industry adopted them. Then other players came along like OCI and customers realized that there are better and less expensive options that now they can take advantage of. So cloud migration is another reason why multi-cloud interconnectivity is needed.

04:42 Lois: Wow! There really are a lot of different use cases for multi-cloud.

Sergio: Yeah, absolutely. There are, Lois. So GoldenGate, for example, this is an Oracle product. Oracle GoldenGate allows replication between two different databases. So if a customer wants to replicate the Oracle Database in OCI, in Oracle Cloud Infrastructure, to a SQL Server in Azure, this is possible. And now there's an OCI to Azure interconnect (live) and it can facilitate this, this database replication. And if a start-up needs to communicate OCI to Google Cloud Platform, for example, but a digital circuit is not economically viable, then we have published step-by-step configuration instructions for site-to-site VPN, and this includes all the steps on the Google Cloud Platform as well. So these are some of the different use cases.

05:37 Lois: So, what should you keep in mind when you're designing a multi-cloud solution?

Sergio: The first thing that comes to mind is business continuity. It is very important to have High Availability and Disaster Recovery strategies. This to keep the lights on and focus on the organization's current technology, the organization's current needs, the company's vision, and the offering from the cloud service providers out there. The current offerings that each cloud service provider brings to this company. For example, if an organization's on-premises current deployment consists of Microsoft applications and Oracle Databases, and they want to use as much as they can of the current knowledge base that their staff has acquired through the years, it only makes sense to take the apps to Azure and the database to Oracle Cloud Infrastructure and either leverage ODSA, Oracle Database Solution for Azure, or our OCI-Azure interconnect regions. We have 12 of those.

06:39 Sergio: So ODSA was designed with Azure cloud architects in mind. The Oracle Database Solution for Azure. For each database provisioned using ODSA, the service delivers OCI database metrics, OCI events, and OCI logs to tools such as Azure Application Insights, Azure Event Grid, and Azure Log Analytics. But the concise key points to keep in mind are latency, security, data movement, orchestration, and operation management.

07:10 Nikita: So, latency... security... Can you tell us a little bit more about these?

Sergio: Yes, latency is crucial. If an application needs, let's say, X milliseconds, 3 milliseconds response time, the multi-cloud solution better meet these needs. We recently published a blog post where we released the millisecond response of our 12 interconnect sites to Azure and OCI. We have 12 interconnect sites of Azure regions to 12 regions from OCI. Now, regarding security, in Oracle, we pride ourselves on being a security company. Security is at the core of who we are and we have taken this approach to multi-cloud. This for encryption of data at rest, encryption of data in transit, masking the data in the database, security key management, patching service, Identity and Access Management, Web Application Firewall. All of these solutions from Oracle are very well suited for a multi-cloud approach.

08:17 Lois: OK, what about data movement, orchestration and operation management? You mentioned those.

Sergio: I mentioned GoldenGate earlier. So you can use this awesome tool for replication. You can also use this for migration. But data movement is much more than replication, like real live transactions taking place and backup strategies. We have options for all of this. Our object storage, our bulky regions backup strategies. Now for orchestration, the Oracle API Gateway avoids vendor lock-in and enables you to publish APIs with private endpoints that are accessible from within your network and which you can expose with a public IP address. This in case you want to accept traffic from the internet.

09:07 Nikita: Ah, that makes sense. Thanks for explaining those, Sergio. Now, what multi-cloud services does OCI have?

Sergio: So I already mentioned a few like ODSA, the Oracle Database Solution for Azure. So, this is where Azure customers can easily provision, access, and operate an enterprise-grade Oracle Database in the Oracle Cloud Infrastructure with a familiar Azure-like experience. ODSA was jointly announced back in July 2022 by our CTO Larry Ellison and Microsoft's Satya Nadella. He's the CEO. This was last year. And we also announced MySQL HeatWave, which is available on AWS. This solution offers online transactional processing, analytics, machine learning, and automation with a single MySQL database. So the OCI multi-cloud approach started when the OCI regions interconnected via FastConnect to Azure regions' ExpressRoute. This was back in June of 2019.

10:12 Sergio: Other products for multi-cloud include OCI integration services, OCI GoldenGate, the Oracle API Gateway, Observability and Management, and Oracle Data Sync, to name a few.

Nikita: So we've been working in multi-cloud services since 2019. Interesting.

Lois: It really is. Sergio, can you tell us a little bit about the type of organizations that can benefit from multi-cloud?

10:36 Sergio: Absolutely. My pleasure. So organizations of all sizes and of all industries can benefit from multi-cloud, from start-ups to companies in the top 100 of the Forbes list and from every corner of the world, you name it, every corner of the world. So it's available worldwide for customers, the Oracle customers. There are also customers, and we know this, of other providers. So in terms of cloud, it's to the customers' benefit that cloud service providers have a multi-cloud strategy. In OCI, OCI has been a pioneer in multi-cloud. It was in 2019 when the FastConnect to ExpressRoute partnership was announced. And Site-to-Site VPN is also available to all three of our major cloud competitors. So the beauty of the last word, cloud competitors, is that indeed they are our competitors and we try to win businesses away from them.

11:29 Sergio: But at the same time, our customers demand the ability for cloud providers to work with each other, and our customers are right. And for this reason, we embrace multi-cloud. Recently, the federal government announced that they selected four cloud providers: OCI, AWS, Azure, and Google Cloud Platform. And also, Uber announced a major deal with OCI and Google Cloud Platform. So these customers, they want us to work together. So multi-cloud is the way to go, strategy, and we want to make our customers happy. So we will operate and work with these cloud providers, service providers.

12:09 Nikita: That's really great. So a customer can take advantage of the benefits of OCI, even if they have other services running on another cloud provider. Now if I wanted to become a multi-cloud developer or a cloud architect, how would I go about getting started? Is there a certification I can get?

Sergio: Absolutely. Excellent question. I love this question. So this depends on where you are in your cloud journey. If you are already a cloud-knowledgeable engineer with either AWS or Azure, you can start with our OCI for Azure Architect and OCI for AWS Architect. We have courses for both. And if you are just getting started with cloud and you want to learn OCI, you can start with our OCI Foundations as the path to OCI and, as you progress along, we have OCI Architect Associate, we have OCI Architect Professional. So there's a clear path, but if you have a specialty like a developer's or operations or multi-cloud certification, so we have all of this for you. And regarding the OCI Architect Professional certification, it contains in the learning path a lesson and a demo on how to interconnect OCI and Azure from the ground up.

13:23 Lois: And all of this training is available for free on mylearn.oracle.com, right?

Sergio: Yes, that is correct, Lois. Just visit the site, mylearn.oracle.com, and create an account. The site keeps track of your learning progress and you can always come back and continue from where you left off, at your own speed.

13:42 Lois: That's great. And what if I don't want to get certified right now?

Sergio: Of course, you do not have to be pursuing a certification to gain access to the training in MyLearn. If you are only interested in the OCI to Azure interconnection lesson, for example, you can go right to that course in MyLearn, bypassing all the other material. Just watch that lesson. If you're interested, follow along with the demo on your own environments.

14:09 Nikita: So you can take as much or as little training as you want. That's wonderful.

Sergio: Absolutely it is. And with regards to other OCI products that are great for multi-cloud, our API Gateway is greatly covered in our OCI Developer Professional certification. The awesome news that I'm bringing to you right now is that soon Oracle University will release a new OCI multi-cloud certification. This is going to be accompanied by the learning path, and the multi-cloud certification is what I'm currently, at this moment, working on. We are designing the material. We are having fun right now doing the labs, and shortly, we will write the test questions.

14:51 Lois: That's great news. You know I love to share a sneak peek at new training we're working on. Thank you so much, Sergio, for giving us your time today. This was really insightful.

Sergio: On the contrary, thank you. And thanks to everyone who's listening. I encourage you to go ahead and link your multiple cloud accounts and if you have questions, feel free to reach out. You can find me in the Oracle University Learning Community.

15:15 Nikita: We hope you enjoyed that conversation. And like we were saying before, the multi-cloud course has been released and has quickly become one of our most sought-after certifications. So, if you want to access the multi-cloud course, visit mylearn.oracle.com.

Lois: Join us next week for another throwback episode. Until then, this is Lois Houston…

Nikita: And Nikita Abraham, signing off!

15:39 That's all for this episode of the Oracle University Podcast. If you enjoyed listening, please click Subscribe to get all the latest episodes. We'd also love it if you would take a moment to rate and review us on your podcast app. See you again on the next episode of the Oracle University Podcast.

Security Unfiltered
Taking a Tech Memory Lane Walk with Trey Guinn from Cloudflare

Nov 6, 2023 (56:27), transcription available


Are you ready to have your technological horizons broadened? We've got Trey Guinn, an expert from Cloudflare, here to give you a grand tour of his tech journey. He'll take you from his humble beginnings building computers at the mall, through his time working in data centers in New Zealand, all the way to his current position at Cloudflare, a globally trusted Web Application Firewall solution provider.

Do you ever feel like you're running to catch up with the rapid pace of technology? Trey shares his insights on everything from the rise of Linux to the development of TCP/IP for Windows NT. He offers an insider's perspective on keeping up with the latest tech trends, emphasizing the importance of curiosity and a genuine desire to understand how things work. If you've ever wondered about the different approaches to problem-solving across cultures, Trey's experiences in Amsterdam and New Jersey will be an eye-opening exploration of diverse tech landscapes.

Got questions about anycast networks and DDoS attacks? Trey's got answers. He breaks down how companies like Cloudflare utilize cutting-edge technologies to protect against large-scale DDoS attacks. This episode doesn't just stop at the technical aspects of the matter, but also provides a comprehensive overview of the evolution of Cloudflare's services over the past decade. So, whether you're a tech enthusiast or a professional, this conversation with Trey is sure to leave you with valuable insights and a richer understanding of the technological world. So join us, and let's take a fascinating walk down the tech memory lane with Trey Guinn!

Cloudflare: A leading internet security and content delivery network provider, safeguarding websites worldwide.

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902

Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

The Irish Tech News Podcast
Code runs the world Kunal Anand CISO/ CTO Imperva

Aug 8, 2023 (66:16)


Recently Ronan got to chat with Kunal Anand, the CISO/CTO at Imperva, a leading provider of data and application security solutions including Database Security, Web Application Firewall, DDoS Protection, and Bot Protection. Kunal talks about his background, innovation, short-term disruption, AI, empathy, transhumanism and more.

More about Kunal Anand: Kunal Anand is the CISO/CTO at Imperva and also the co-founder and CTO of Prevoty, a next-generation web application security platform. Prior to that, he was the Director of Technology at BBC Worldwide, overseeing engineering and operations across the company's global Digital Entertainment and Gaming initiatives. Kunal also has several years of experience leading security, data and engineering at Gravity, MySpace and NASA's Jet Propulsion Laboratory. His work has been featured in Wired Magazine and Fast Company. He continues to develop the patented security technologies that power Prevoty's core products.

The Azure Security Podcast
Episode 80: Microsoft Incident Response

Jul 14, 2023 (33:53)


In this episode Michael and Sarah talk with guest Matt Zorich from the Microsoft Incident Response team. We also cover the latest Azure security news about Azure's Web Application Firewall and Azure Monitor RBAC.

Cybersecurity Podcast
Ep. 11 - Web Application Firewall (WAF)

Mar 27, 2023 (16:29)


We've finally come to Web Application Firewalls! Given the big increase in attacks against published services, I decided to do a deep dive on this security tool! In this episode we'll discover how the various WAF (Web Application Firewall) configurations work, and we'll also understand its strengths and weaknesses from both a technical and an economic point of view, since that factor is always weighed when implementing one (especially in the cloud). But don't worry, in true Cybersecurity Podcast style I'll also explain how best to evade it!!! Follow me on Spotify, iTunes, LinkedIn and Instagram "@nick.soc" to stay up to date on new releases!

High Tech Freedom
84 - Leverage your product management team for success by Marissa Schmidt

Mar 8, 2023 (21:35)


Marissa Schmidt has a long track record of product management and product management leadership with companies like Bay Networks, Nortel, and Citrix. We get into how top sales professionals engage and leverage the product management team to accelerate and grow sales.

She has relentless optimism while balancing what's right for the business and being customer-oriented. She has a strong work ethic and the ability to work with cross-functional teams. Her specialties in the Product Line Management field are relationship building with partners and customers, data networking (Ethernet switching, routing and load balancing in the Application Delivery Controller market) and Web Application Firewall.

You can connect with Marissa through LinkedIn: linkedin.com/in/marissaschmidt

Enter our monthly drawing for an insulated High Tech Freedom tumbler: www.hightechfreedom.com/mug

Book a 15-minute call with Chris: 15 Minute Call With Chris Freeman - calendly.com

Host Contact Information - Chris Freeman
LinkedIn - http://linkedin.com/in/chrisfreeman
Facebook - https://www.facebook.com/chris.freeman.9461

Unofficial SAP on Azure podcast
#122 - The one with Ransomware and Back to Business (Sebastian Ullrich & Martin Steiner) | SAP on Azure Video Podcast

Dec 9, 2022 (60:37)


In episode 122 of our SAP on Azure video podcast we talk about SAP Private Link with Web Application Firewall, automatic renewal of certificates using Azure Key Vault and Logic Apps, and solution diagrams and icons for SAP Business Technology Platform. Then Martin Steiner and Sebastian Ullrich join us to talk about security. If you do a Google search or just look at the news, then unfortunately we hear more and more often that customers are impacted by security-related incidents. So it is not a matter of if, but *when* you will be attacked. With this in mind, the question is how you can best prepare for such an "event" and what you can do to get "back to business".

https://www.saponazurepodcast.de/episode122

Reach out to us for any feedback / questions:
  • Robert Boban: https://www.linkedin.com/in/rboban/
  • Goran Condric: https://www.linkedin.com/in/gorancondric/
  • Holger Bruchelt: https://www.linkedin.com/in/holger-bruchelt/

#SAPonAzure

Hacking Humans
Web Application Firewall (noun) [Word Notes]

Nov 29, 2022 (8:44)


A layer seven firewall designed to block threats at the application layer of the Open Systems Interconnection model, the OSI model.

CyberWire Glossary link: https://thecyberwire.com/glossary/web-application-firewall
Audio reference link: "VCF East 9.1 - Ches' Computer Security Adventures - Bill Cheswick." YouTube, 29 Dec. 2015, https://youtu.be/trR1cuBtcPs.

The Azure Security Podcast
Workload Identities

Nov 11, 2022 (31:57)


In this episode Michael, Sarah and Mark talk with guest Joey Snow about Workload Identities in Azure. We also chat about least privilege and privileged accounts in general. Finally, the latest Azure Security news about: Azure Front Door, Log Analytics, Web Application Firewall and AKS SSH keys.

Word Notes
Web Application Firewall (noun)

Nov 8, 2022 (8:44)


A layer seven firewall designed to block threats at the application layer of the Open Systems Interconnection model, the OSI model.

CyberWire Glossary link: https://thecyberwire.com/glossary/web-application-firewall
Audio reference link: "VCF East 9.1 - Ches' Computer Security Adventures - Bill Cheswick." YouTube, 29 Dec. 2015, https://youtu.be/trR1cuBtcPs.

CISO Tradecraft
#98 - Outrunning the Bear

Oct 3, 2022 (33:12)


Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today we are going to discuss how nation state conflict and sponsored cyberattacks can affect us as non-combatants, and what we should be doing about it.  Even if you don't have operations in a war zone, remember cyber has a global reach, so don't think that just because you may be half a world away from the battlefield that someone is not going to reach out and touch you in a bad way.  So, listen for what I think will be a fascinating episode, and please do us a small favor and give us a "like" or a 5-star review on your favorite podcast platform -- those ratings really help us reach our peers.  It only takes a click -- thank you for helping out our security leadership community.

I'm not going to get into any geopolitics here; I'm going to try to ensure that this episode remains useful for quite some time.  However, since the conflict in Ukraine has been ongoing for over two hundred days, I will draw examples from that.

The ancient Chinese military strategist Sun Tzu wrote: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.  If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.  If you know neither the enemy nor yourself, you will succumb in every battle.”  That's a little more detailed than the classic Greek aphorism, "know thyself," but the intent is the same even today.  Let me add one more quote and we'll get into the material.  Over 20 years ago, when he was Secretary of Defense, Donald Rumsfeld said: "As we know, there are known knowns; there are things we know we know.  We also know there are known unknowns; that is to say we know there are some things we do not know.  But there are also unknown unknowns—the ones we don't know we don't know.  And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones."

So, knowledge seems extremely important throughout the ages.  Modern governments know that, and as a result all have their own intelligence agencies.  Let's look at an example.  If we go to the CIA's website, we will see the fourfold mission of the Central Intelligence Agency:

- Collecting foreign intelligence that matters
- Producing objective all-source analysis
- Conducting effective covert action as directed by the President
- Safeguarding the secrets that help keep our nation safe

Why do we mention this?  Most governments around the world have similar nation state objectives and mission statements.  Additionally, it's particularly important to understand what is wanted by "state actors" (note, I'll use that term for government and contract intelligence agents).  What are typical goals for state actors?  Let's look at a couple.

Goal 1: Steal targeting data to enable future operations.  Data such as cell phone records, banking statements, or emails allow countries to better target individuals and companies when they know that identifying information.  Additionally, targeting data allows nation state organizations to understand how individuals are connected.  This can be key when we are looking for key influencers for targets of interest.  Not all targeting data should be considered equal.  Generally, banking and telecom data are considered the best for collecting, so be mindful if that is the type of company that you protect.  State actors target these organizations because of two factors:

- The importance of the data is the first factor.  If one party sends a second party an email, that means there is a basic level of connection.  However, it's not automatically a strong connection since we all receive emails from spammers.  If one party calls someone and talks for 10 minutes to them on a phone call, that generally means a closer connection than an email.  Finally, if one party sends money to another party, that either means a really strong connection exists, or someone just got scammed.
- The accuracy of the data is the second factor.  Many folks sign up for social media accounts with throw-away credentials (i.e., fake names and phone numbers).  Others use temporary emails to attend conferences, so they don't get marketing spam when they get home.  However, because of Anti-Money Laundering (or AML) laws, people generally provide legitimate data to financial services firms.  If they don't, then they risk not being able to take the money out of a bank -- which would be a big problem.

A second goal, in addition to collecting targeting data, is that state actors are interested in collecting foreign intelligence.  Foreign intelligence which drives policy-making decisions is very impactful.  Remember, stealing secrets that no one cares about is generally just a waste of government tax dollars.  If governments collect foreign intelligence on sanctioned activity, then they can inform policy makers on the effectiveness of current sanctions, which is highly useful.  By reporting sanctioned activity, the government can know when current sanctions are being violated and when to update current sanctions.  This can result in enabling new intelligence collection objectives.  Examples of this include:

- A country may sanction a foreign air carrier that changes ownership or goes out of business.  In that case, sanctions may be added against different airlines.  This occurred when the US sanctioned Mahan Air, an Iranian airline.  Currently the US enforces sanctions on more than half of Iran's civilian airlines.
- A country may place sanctions on a foreign bank to limit its ability to trade in certain countries or currencies.  However, if sanctioned banks circumvent controls by trading with smaller banks which are not sanctioned, then current sanctions are likely ineffective.  Examples of sanctioning bank activity by the US against Russia during the current war with Ukraine include:
  - On February 27th, sanctions were placed against Russian banks using the SWIFT international payment system.
  - On February 28th, the Russian Central Bank was sanctioned.
  - On March 24th, the CEO of the Russian bank Sberbank was sanctioned.
  - On April 5th, the US IRS suspended information exchanges with the Russian tax authorities to hamper Moscow's ability to collect taxes.
  - On April 6th, the US sanctioned additional Russian banks.
  These sanctions didn't just start with the onset of hostilities on 24 February 2022.  They date back to Russia's invasion of Crimea.  It's just that the US has turned up the volume this time.
- If sanctions are placed against a country's nuclear energy practices, then knowing what companies are selling or trading goods into the sanctioned country becomes important.  Collecting information from transportation companies that identify goods being imported and exported into the country can also identify sanction effectiveness.

A third goal or activity taken by state actors is covert action.  Covert action is generally intended to cause harm to another state without attribution.  However, anonymity is often hard to maintain.  If we look at Russia in its previous history with Ukraine, we have seen the use of cyber attacks as a form of covert action.  The devastating NotPetya malware (which has been generally attributed to Russia) was launched as a supply chain attack.  Russian agents compromised the software update mechanism of the Ukrainian accounting software M.E.Doc, which was used by nearly 400,000 clients to manage financial documents and file tax returns.  This update did much more than the intended choking off of Ukrainian government tax revenue -- Maersk shipping estimates a loss of $300 million, FedEx around $400 million, and the total global damage to companies is estimated at around $10 billion.  The use of cyberattacks hasn't been limited to just Russia.  Another example is Stuxnet.  This covert action attack against Iranian nuclear facilities that destroyed nearly one thousand centrifuges is generally attributed to the U.S. and Israel.

Changing topics a little bit, we can think of the story of two people encountering a bear.  Two friends are in the woods, having a picnic.  They spot a bear running at them.  One friend gets up and starts running away from the bear.  The other friend opens his backpack, takes out his running shoes, changes out of his hiking boots, and starts stretching.  “Are you crazy?” the first friend shouts, looking over his shoulder as the bear closes in on his friend.  “You can't outrun a bear!”  “I don't have to outrun the bear,” said the second friend.  “I only have to outrun you.”

So how can we physically outrun the Cyber Bear?  We need to anticipate where the Bear is likely to be encountered.  Just as national park signs warn tourists of animals, there's intelligence information that can inform the general public.  If you are looking for physical safety intelligence you might consider:

- The US Department of State Bureau of Consular Affairs.  The State Department hosts a travel advisory list.  This list allows anyone to know if a country has issues such as COVID outbreaks, civil unrest, kidnappings, violent crime, and other issues that would complicate having an office for most businesses.
- The CIA World Factbook.  The World Factbook provides basic intelligence on the history, people, government, economy, energy, geography, environment, communications, transportation, military, terrorism, and transnational issues for 266 world entities.
- Data sources from the World Health Organization and The World Bank.

If we believe that one of our remote offices is now at risk, then we need to establish a good communications plan.  Good communications plans generally require at least four forms of communication.  The acronym PACE -- Primary, Alternate, Contingency, and Emergency -- is often used:

- Primary communication: We will first try to email folks in the office.
- Alternate communication: If we are unable to communicate via email, then we will try calling their work phones.
- Contingency communication: If we are unable to reach individuals via their work phones, then we will send a text message to their personal cell phones.
- Emergency communication: If we are unable to reach them by texting their personal devices, then we will send an email to their personal emails and next of kin.

Additionally, we might purchase satellite phones for a country manager.  Satellite phones can generally be purchased for under $1,000 and can be used with commercial satellite service providers such as Inmarsat, Globalstar, and Thuraya.  One popular plan is Inmarsat's BGAN.  BGAN can usually be obtained from resellers for about $100 per month, with text messaging costing about fifty cents each and calls costing about $1.50 per minute.  This usually translates to a yearly cost of $1,500-2K per device.  Is $2K worth the price of communicating to save lives in a high-risk country during high political turmoil?  Let your company decide.  Note a great time to bring this up may be during use-or-lose money discussions at the end of the year.

We should also consider preparing egress locations.  For example, before a fire drill most companies plan a meetup location outside of their building so they can perform a headcount.  This location, such as a vacant parking lot across the street, allows teams to identify missing personnel, which can later be communicated to emergency personnel.  If your company has offices in thirty-five countries, you should think about the same thing, but not assembling across the street but across the border.  Have you identified an egress office for each overseas country?  If you had operations in Ukraine, then you might have chosen a neighboring country such as Poland, Romania, or Hungary to facilitate departures.  When things started going bad, that office could begin creating support networks to find local housing for your corporate refugees.  Additionally, finding job opportunities for family members can also be extremely helpful when language is a barrier in new countries.

If we anticipate the Bear is going to attack our company digitally, then we should also look for the warning signs.  Good examples of this include following threat intelligence information from:

- Your local ISAC organization.  ISACs, or Information Sharing and Analysis Centers, are great communities where you can see if your vertical sector is coming under attack and share your experiences/threats.  The National Council of ISACs lists twenty-five different members across a wide range of industries.  An example is the Financial Services ISAC or FS-ISAC, which has a daily and weekly feed where subscribers can find situational reports on cyber threats from state actors and criminal groups.
- InfraGard™, a partnership between the Federal Bureau of Investigation and members of the private sector for the protection of US critical infrastructure.  Note you generally need to be a US citizen without a criminal history to join.
- AlienVault's Open Threat Exchange (OTX), a threat intelligence community which grants users free access to over nineteen million threat indicators.  Note AlienVault currently hosts over 100,000 global participants, so it's a great place to connect with fellow professionals.
- The Cybersecurity & Infrastructure Security Agency (CISA), which routinely issues cybersecurity advisories to stop harmful malware, ransomware, and nation state attacks.  Helpful pages on their website include the following:
  - Shields Up, which provides updates on cyber threats, guidance for organizations, recommendations for corporate leaders and CEOs, ransomware responses, free tooling, and steps that you can take to protect your families.  There's even a Shields Up Technical Guidance page with more detailed recommendations.
  - Alerts, which identify threat actor tactics and techniques.  For example, Alert AA22-011A identifies how to understand and mitigate Russian state-sponsored cyber threats to US critical infrastructure.  This alert tells you what CVEs the Russian government is using as well as the documented TTPs, which map to the MITRE ATT&CK™ framework.  Note if you want to see more of MITRE ATT&CK mapped to various intrusion groups, we recommend going to attack.mitre.org/groups.
  - Notifications that organizations can sign up for to receive timely information on security issues, vulnerabilities, and high impact activity.
  - US-CERT.  Here you can report cyber incidents, report phishing, report malware, report vulnerabilities, share indicators, or contact US-CERT.  One helpful page to consider is the Cyber Resilience Review assessment.  Most organizations have an IT control to conduct yearly risk assessments, and this can help identify weaknesses in your controls.

Now that we have seen a bear in the woods, what can we do to put running shoes on to run faster than our peers?
If we look at the CISA Shields Up Technical Guidance page we can find recommendations such as remediating vulnerabilities, enforcing MFA, running antivirus, enabling strong spam filters to prevent phishing attacks, disabling ports and protocols that are not essential, and strengthening controls for cloud services.  Let's look at this in more detail to properly fasten our running shoes.

Remediate vulnerabilities: If we are going to remediate vulnerabilities, let's focus on the highest priority.  I would argue those are high/critical vulnerabilities with known exploits being used in the wild.  You can go to CISA's Known Exploited Vulnerabilities (KEV) Catalog page for a detailed list.  Each time a new vulnerability gets added, run a vulnerability scan on your environment to prioritize patching.

Multi-factor authentication (MFA): Routinely we see organizations require MFA access to websites and use single sign-on.  This is great -- please don't stop doing this.  However, we would also recommend MFA enhancements in two ways.  One, are you using MFA on RDP/SSH logins by administrators?  If not, then please enable it immediately.  You never know when one developer will get phished and the attacker can pull his SSH keys.  Having MFA means even when those keys are lost, bad actor propagation can be minimized.  Another enhancement is to increase the security within your MFA functionality.  For example, if you use Microsoft Authenticator today, try changing from a 6-digit rotating PIN to security features such as number matching, which also shows the user the location of the sign-in request.  You can also look at location-based conditional access policies to block all access from countries in which you don't have a presence.

Running antivirus: This is another important safeguard.  Here's the kicker -- do you actually know what percentage of your endpoints are running AV and EDR agents?  Do you have coverage on both your Windows and Linux server environments?  Of the agents running, what portion have signature updates that are not current?  How about more than 30 days old?  We find a lot of companies just check the box saying they have antivirus, but if you look behind the scenes you can see that antivirus isn't as effective as you think when it's turned off or outdated.

Enabling strong spam filters: This is another forgotten exercise.  Yes, companies buy solutions like Proofpoint to secure email, but there's more that can be done.  One example is implementing DMARC to properly authenticate and block spoofed emails.  It's the standard now and prevents brand impersonation.  Also please consider restricting email domains.  You can do this at the very top.  Today, the vast majority of legitimate correspondents still utilize one of the original seven top-level domains: .com, .org, .net, .edu, .mil, .gov, and .int, as well as two-letter country code top-level domains (called ccTLDs).  However, you should look carefully at your business correspondence to determine if communicating with all 1,487 top-level domains is really necessary.  Let's say your business is located entirely in the UK.  Do you really want to allow emails from country codes such as .ru, .cn, and others?  Do you do business with .hair, or .lifestyle, or .xxx?  If you don't have a business reason for conducting commerce with these TLDs, block them and minimize both spam and harmful attacks.  It won't stop bad actors from using Gmail to send phishing attacks, but you might be surprised at just how much restricting TLDs in your email can help.  Note that you have to be careful not to create a self-inflicted denial of service, so make sure that emails from suspect TLDs get evaluated (quarantined for review) before deletion.

Disabling ports and protocols: This is key since you don't want bad actors having easy targets.  One thing to consider is using Amazon Inspector.  Amazon Inspector has rules in the network reachability package to analyze your network configurations to find security vulnerabilities in your EC2 instances.  This can highlight and provide guidance about restricting access that is not secure, such as network configurations that allow for potentially malicious access: mismanaged security groups, access control lists, internet gateways, etc.

Strengthening cloud security: We won't go into this topic too much as you could spend a whole talk on strengthening cloud security.  Companies should consider purchasing a cloud security solution like Wiz, Orca, or Prisma for help in this regard.  One tip we don't see often is using geo-fencing and IP allow-lists.  For example, one new feature that AWS recently created is to enable Web Application Firewall protections for Amazon Cognito.  This makes it easier to protect user pools and hosted UIs from common web exploits.

Once we notice there's likely been a bear attack on our peers or our infrastructure, we should report it.  This can be done by reporting incidents to government agencies such as CISA or a local FBI field office, paid sharing organizations such as your ISAC, or free communities such as AlienVault OTX.

Let's walk through a notional example of what we might encounter as collateral damage in a cyberwar.  However, to keep this out of current geopolitics, we'll use the fictitious countries Blue and Orange.

Imagine that you work at the Acme Widget Corporation, which is a Fortune 500 company with a global presence.  Because Acme manufactures large scale widgets in their factory in the nation of Orange, they are also sold to the local Orange economy.  Unfortunately for Acme, Orange has just invaded their neighboring country Blue.  Given that Orange is viewed as the aggressor, various countries have imposed sanctions against Orange.  Not wanting to attract the attention of the Orange military or the U.S. Treasury department, your company produces an idea that might just be crazy enough to work.  Your company is going to form a new company within Orange that is not affiliated with the parent company for the entirety of the war.  This means that the parent company won't provide services to the Orange company.  Additionally, since there is no affiliation between the companies, the legal department advises that there will not be sanction evasion activity which could put the company at risk.  There's just one problem.  Your company has to evict the newly created Orange company (Acme Orange LLC) from its network and ensure it has the critical IT services to enable its success.

So where do we start?  Let's consider a few things.  First, what is the lifeblood of a company?  Every company really needs laptops and collaboration software like Office 365 or G Suite.  So, if we have five hundred people in the new Acme Orange company, that's five hundred new laptops and a new server that will host Microsoft Exchange, a NAS drive, and other critical Microsoft on-premises services.

Active Directory: Once you obtain the server, you realize a few things.  Previous Acme admin credentials were used to troubleshoot desktops in the Orange environment.  Since exposed passwords are always a bad thing, you get your first incident: refresh all passwords that may have been exposed.  Also, you ensure a new Active Directory server is created for your Orange environment.  This should leverage best practices such as MFA since Orange companies will likely come under attack.
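As an added example for the "remediate vulnerabilities" quick win above (this is the editor's illustration, not code from the episode or from CISA): a short script that cross-references a vulnerability scanner export against the KEV catalog and orders findings so that known-exploited CVEs with the earliest CISA due date come first, with everything else falling back to CVSS.  The catalog snippet is a constructed sample that only borrows the field names of the real KEV JSON feed; the CVE numbers are placeholders, not real entries, and the scanner rows and hostnames are likewise made up.

```python
"""Prioritize scanner findings against CISA's Known Exploited Vulnerabilities (KEV) catalog.

Added example: KEV entries go to the front of the patch queue, ordered by CISA's
due date (overdue first), then everything else by CVSS. The catalog and scanner
data below are constructed samples; the CVE numbers are placeholders, not real
vulnerabilities.
"""
import json
from datetime import date

# Constructed sample with the field names of the real KEV JSON feed
# (https://www.cisa.gov/known-exploited-vulnerabilities-catalog). Placeholder CVE IDs.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "VPN Appliance",
         "vulnerabilityName": "placeholder", "dateAdded": "2022-09-01",
         "shortDescription": "placeholder", "dueDate": "2022-09-22",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Mail Server",
         "vulnerabilityName": "placeholder", "dateAdded": "2022-09-20",
         "shortDescription": "placeholder", "dueDate": "2022-10-11",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed scanner export: one row per (host, CVE) pair with the scanner's CVSS score.
SCAN_SAMPLE = [
    {"host": "db-01", "cve": "CVE-0000-0004", "cvss": 5.3},
    {"host": "web-03", "cve": "CVE-0000-0003", "cvss": 9.8},
    {"host": "mail-02", "cve": "CVE-0000-0002", "cvss": 6.5},
    {"host": "vpn-01", "cve": "CVE-0000-0001", "cvss": 7.2},
]


def load_kev(kev_json):
    """Index the KEV feed by CVE ID so each scanner row is a single dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(findings, kev, today=None):
    """Annotate each finding with KEV data and return the patch queue:
    KEV first (earliest CISA due date first), then non-KEV by descending CVSS.
    `today` may be a date, an ISO date string, or None (use the real date)."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        ranked.append({
            **f,
            "kev": entry is not None,
            "due": due,
            "overdue": due is not None and due < today,
            "required_action": entry["requiredAction"] if entry else None,
        })
    # Sort key: non-KEV after KEV, then earliest due date, then highest CVSS.
    ranked.sort(key=lambda r: (not r["kev"], r["due"] or date.max, -r["cvss"]))
    return ranked


def overdue_hosts(ranked):
    """Hosts that still carry a KEV entry past its CISA due date: the first calls to make."""
    return sorted({r["host"] for r in ranked if r["overdue"]})


if __name__ == "__main__":
    queue = prioritize(SCAN_SAMPLE, load_kev(KEV_SAMPLE), "2022-10-03")
    for r in queue:
        flag = "KEV overdue" if r["overdue"] else ("KEV" if r["kev"] else "")
        print(f"{flag:<12} {r['host']:<8} {r['cve']:<14} cvss={r['cvss']} due={r['due']}")
    print("overdue hosts:", overdue_hosts(queue))
```

In practice you would replace `KEV_SAMPLE` with the downloaded feed and `SCAN_SAMPLE` with your scanner's export; the point of the ordering is that a CVSS 7.2 flaw that is being exploited in the wild outranks a CVSS 9.8 flaw that is not, which is the opposite of what a plain severity sort gives you.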
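As an added example for the "enable strong spam filters" quick win above (editor's code, not something from the episode or from any mail vendor): a minimal inbound-mail classifier that enforces a sender-TLD allowlist and honours the DMARC verdict an upstream gateway has already written into the Authentication-Results header.  It quarantines rather than deletes, so a misjudged allowlist cannot become the self-inflicted denial of service the text warns about.  The allowlist (the seven original gTLDs plus .uk for the UK-only business in the text) and the sample messages are constructed assumptions, and the code checks the envelope sender (Return-Path) as well as the displayed From, which goes slightly beyond the text's "restrict TLDs" advice.

```python
"""Sender top-level-domain allowlist with quarantine, plus a DMARC verdict check.

Added example for the 'enable strong spam filters' quick win. Messages whose
header From or envelope sender (Return-Path) use a TLD outside the allowlist are
quarantined for review rather than deleted, so a bad allowlist cannot become a
self-inflicted denial of service. The allowlist and messages are constructed.
"""
import email
import re
from email.utils import parseaddr

# Assumption: a UK-only business that keeps the seven original gTLDs plus .uk.
ALLOWED_TLDS = {"com", "org", "net", "edu", "mil", "gov", "int", "uk"}

# Constructed sample messages (not real mail). Authentication-Results is the header an
# upstream gateway adds after evaluating SPF/DKIM/DMARC; this code only reads it.
SAMPLES = {
    "uk_supplier": (
        "From: Accounts <ap@supplier.example.co.uk>\n"
        "Return-Path: <bounce@supplier.example.co.uk>\n"
        "Authentication-Results: mx.example.com; dmarc=pass header.from=supplier.example.co.uk\n"
        "Subject: Invoice 4471\n\nPlease find the invoice attached.\n"
    ),
    "odd_tld": (
        "From: Alice <alice@salon.example.hair>\n"
        "Return-Path: <alice@salon.example.hair>\n"
        "Subject: New offers\n\nHello!\n"
    ),
    "spoofed_ceo": (
        "From: CEO <ceo@example.com>\n"
        "Return-Path: <bounce@mailer.example.xyz>\n"
        "Authentication-Results: mx.example.com; dmarc=fail header.from=example.com\n"
        "Subject: Urgent wire\n\nPlease process today.\n"
    ),
    "bounce_tld": (
        "From: Newsletter <news@example.com>\n"
        "Return-Path: <bounce@tracker.example.xyz>\n"
        "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\n"
        "Subject: Weekly update\n\nThis week...\n"
    ),
    "no_sender": "Subject: nothing\n\nbody\n",
}


def tld_of(address):
    """Return the lower-cased TLD of an email address, or None if it has no usable domain.
    Punycode TLDs (xn--...) simply never match the allowlist and so get quarantined."""
    _, addr = parseaddr(address or "")
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].rstrip(".").lower()
    return domain.rsplit(".", 1)[-1] if "." in domain else None


def dmarc_verdict(msg):
    """Extract dmarc=<result> from Authentication-Results, or None when the header is absent."""
    for header in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=(\w+)", header, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return None


def classify(raw_message, allowed=ALLOWED_TLDS):
    """Return (verdict, reason): 'deliver', 'quarantine' (held for human review) or
    'reject' (no parseable sender). Nothing is silently deleted."""
    msg = email.message_from_string(raw_message)
    from_tld = tld_of(msg.get("From"))
    if from_tld is None:
        return "reject", "no sender address"
    # An authenticated-identity failure is the stronger signal, so check it first.
    if dmarc_verdict(msg) == "fail":
        return "quarantine", "dmarc=fail"
    # Check the envelope sender too: a trusted-looking From is often paired with a
    # throwaway bounce domain that the TLD rule would otherwise never see.
    for label, tld in (("from", from_tld), ("return-path", tld_of(msg.get("Return-Path")))):
        if tld is not None and tld not in allowed:
            return "quarantine", f"{label} tld .{tld} not on allowlist"
    return "deliver", "ok"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:<12} -> {classify(raw)}")
```

Before turning this on, run it in report-only mode against a few weeks of real inbound mail and inspect what would have been quarantined; the `allowed` parameter exists so that a legitimate partner TLD you discover that way can be added without touching the code.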
Let's talk about other things that companies need to survive:

- Customer relationship management (CRM) services like Salesforce
- Accounting and bookkeeping applications such as QuickBooks
- Payment software such as PayPal or Stripe
- File storage such as Google Drive or Dropbox
- Video conferencing like Zoom
- Customer service software like Zendesk
- Contract management software like DocuSign
- HR software like BambooHR or Workday
- Antivirus & EDR software

Standing up a new company's IT infrastructure in a month is never a trivial task.  However, if Acme Orange is able to survive for 2-3 years it can then return to the parent company after the sanctions are lifted.

Let's look at some discussion topics:

- What IT services will be the hardest to transfer?
- Can new IT equipment for Acme Orange be procured in a month during a time of conflict?
- Which services are likely to only have a SaaS offering and not enable on-premises deployment during times of conflict?
- Could your company actually close a procurement request in a one-month timeline?

If we believe we can transfer IT services and get the office up and running, we might look at our cyber team's role in providing recommendations to a new office that will be able to survive a time of turmoil:

- All laptops shall have antivirus and EDR enabled from Microsoft.
- Since the Acme Orange office is isolated from the rest of the world, all firewalls will block IP traffic not originating from Orange.
- SSO and MFA will be required on all logins.
- Backups will be routinely required.

Note if you are really looking for effective strategies to mitigate cyber security incidents, we highly recommend the Australian Essential Eight.  We have a link in our show notes if you want more details.

Additionally, the Acme Orange IT department will need to create its own Incident Response Plan (IRP).  One really good guide for building cyber incident response playbooks comes from the American Public Power Association.  (I'll put the link in our show notes.)  The IRP recommends creating incident templates that can be used for common attacks such as:

- Denial of Service (DoS)
- Malware
- Web Application Attack (SQL Injection, XSS, Directory Traversal, …)
- Cyber-Physical Attack
- Phishing
- Man-in-the-middle attack
- Zero-day exploit

This incident response template can identify helpful information such as:

- Detection: Record how the attack was identified.
- Reporting: Provide a list of POCs and contact information for the IT help desk to contact during an event.
- Triage: List the activities that need to be performed during incident response.  Typically, teams follow the PICERL model (Preparation - Identification - Containment - Eradication - Recovery - Lessons Learned).
- Classification: Depending on the severity level of the event, identify additional actions that need to occur.
- Communications: Identify how to notify local law enforcement, regulatory agencies, and insurance carriers during material cyber incidents.  Additionally, describe the process on how communications will be relayed to customers, employees, media, and state/local leaders.

As you can see, there is much that would have to be done in response to a nation state aggression or regional conflict that would likely fall in your lap.  If you didn't think about it before, you now have plenty of material to work with.  Figure out your own unique requirements, do some tabletop exercises where you identify your most relevant Orange and Blue future conflict, and practice, practice, practice.  We learned from COVID that companies that were well prepared with a disaster response plan, rebranded as a pandemic response plan, fared much better in the early weeks of the 2020 lockdown.  I know my office transitioned to remote work for over sixty consecutive weeks without any serious IT issues because we had a written plan and had practiced it.  Here's another one for you to add to your arsenal.  Take the time and be prepared -- you'll be a hero "when the bubble goes up."  (There -- you've learned an obscure term that is nearly absent from a Google search but well-known in the Navy and the Marine Corps.)

Okay, that's it for today's episode on Outrunning the Bear.  Let's recap:

- Know yourself
- Know what foreign adversaries want
- Know what information, processes, or people you need to protect
- Know the goals of state actors: steal targeting data, collect foreign intelligence, covert action
- Know how to establish a good communications plan (PACE): Primary, Alternate, Contingency, Emergency
- Know how to get out of Dodge
- Know where to find private and government threat intelligence
- Know your quick wins for protection: remediate vulnerabilities, implement MFA everywhere, run current antivirus, enable strong spam filters, restrict top level domains, disable vulnerable or unused ports and protocols, strengthen cloud security
- Know how to partition your business logically to isolate your IT environments in the event of a sudden requirement

Thanks again for listening to CISO Tradecraft.  Please remember to like us on your favorite podcast provider and tell your peers about us.  Don't forget to follow us on LinkedIn too -- you can find our regular stream of low-noise, high-value postings.  This is your host G. Mark Hardy, and until next time, stay safe.

References

- https://www.goodreads.com/quotes/17976-if-you-know-the-enemy-and-know-yourself-you-need
- https://en.wikipedia.org/wiki/There_are_known_knowns
- https://www.cia.gov/about/mission-vision/
- https://www.cybersecurity-insiders.com/ukraines-accounting-software-firm-refuses-to-take-cyber-attack-blame/
- https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
- https://www.nationalisacs.org/member-isacs-3
- https://attack.mitre.org/groups/
- https://data.iana.org/TLD/tlds-alpha-by-domain.txt
- https://www.publicpower.org/system/files/documents/Public-Power-Cyber-Incident-Response-Playbook.pdf

CISO Tradecraft
#92 - Updating the Executive Leadership Team on Cyber

CISO Tradecraft

Play Episode Listen Later Aug 22, 2022 26:15


Show Notes Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader.  My name is G. Mark Hardy, and today we're going to offer tips and tools for briefing your executive leadership team, including the four major topics that you need to cover.  As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates. Imagine you have been in your role as the Chief Information Security Officer for a while and it is now time to perform your annual brief to the Executive Leadership Team.  What should you talk about?  How do you give high level strategic presentations in a way that provides value to executives like the CEO, the CIO, the CFO, and the Chief Legal Officer? Story about Kim Jones at Vantiv – things have changed Let's first talk about how you make someone satisfied -- in this case your executives. Fredrick Herzberg (1923-2000) introduced Motivator-Hygiene theory, which was somewhat like Maslow's hierarchy of needs, but focused more on work, not life in general. What a hygiene factor basically means is people will be dissatisfied if something is NOT there but won't be motivated if that thing IS there, e.g., toilet paper in employee bathroom. Or, said more concisely, satisfaction and dissatisfaction are not opposites.  The opposite of Satisfaction is No Satisfaction.  The opposite of Dissatisfaction is No Dissatisfaction. According to Herzberg, the factors leading to job satisfaction are "separate and distinct from those that lead to job dissatisfaction." For example, if you have a hostile work environment, giving someone a promotion will not make him or her satisfied. So, what makes someone satisfied or dissatisfied? 
Factors for Satisfaction Achievement Recognition The work itself Responsibility Advancement Growth Factors for Dissatisfaction Company policies Supervision Relationship with supervisor and peers Work conditions Salary Status Security So, what will make a board member satisfied?  Today, cyber security IS a board-level concern.  In the past, IT really was only an issue if something didn't work right – a hygiene problem.  If we learn from Herzberg, we may not be able to make the board satisfied with the state of IT security, but we can try to ensure they are not dissatisfied.  Hopefully you now have context for what might otherwise be considered splitting hairs on terminology – essentially, we want our executive audience to not think negatively of your IT security program and how you lead it. Remember, boards of directors generally come from a non-IT backgrounds .  According to the 2021 U.S. Spencer Stuart Board Index, of the nearly 500 independent directors who joined S&P 500 boards in 2021, less than 4% have experience leading cybersecurity, IT, software engineering, or data analytics teams.  And that 4% is mostly confined to tech-centric companies or businesses facing regulatory scrutiny. So, there is essentially a mismatch between a board member's background and a CISO's background.  That extends to your choice of language and terminology as well.  Never go geeky with your executives – unless you have the rare situation where your entire leadership team are all IT savvy.  Otherwise, you will tune them out by talking about bits and bytes and packets and statistics. Instead, communicate by telling stories – show how other companies in similar industries have encountered security issues and what they did about them (either successfully or unsuccessfully).  Show how your cybersecurity initiatives and efforts reduce multiple forms of risk:  financial risk, reputational risk, regulatory risk, legal risk, operational risk, and strategic risk.  
You can show that the threat landscape has changed – nation states and organized crime has supplanted lone hackers and disgruntled employees as the major threats  .  Regulatory environment changes such as the California Consumer Privacy Act (CCPA) and ultimately the follow-on legislation from 49 other states will impact strategic business planning.  Show your board how to avoid running afoul of these emerging requirements.  And, of course, there is the ever-present threat of ransomware, which has evolved from denial-of-access attacks to loss of customer and internal data confidentiality.  That threat requires top-level policy and response plans in advance of an incident -- it's too late to be making things up as you go along. Now, before we go into the Four Major Topics executives need to hear (after all, that's what I promised at the beginning of the show), let's ask, "Why are we briefing executives on our cyber program?"  Any company that is publicly traded falls under the scope of the Securities and Exchange Commission or SEC. The SEC has published Cybersecurity Guidance that offers suggestions for investment companies and investment advisors.  They recommend investment firms "create a strategy that is designed to prevent, detect, and respond to cybersecurity threats". The creation of a security strategy and education of employees on the strategy is at the core of what CISOs do.  So, a translation of the SEC's guidance is to hire a CISO, have that individual create and execute a cybersecurity strategy.  In fact, the SEC's quote above calls out three of the Five Functions of the NIST Cybersecurity Framework which are: (1) identify, (2) protect (prevent), (3) detect, (4) respond, and (5) recover. Our second question is, how often should we be updating the Executive leadership team?  
Since the SEC requires companies to disclose risks in their 10-K statements on a yearly basis then you should be briefing cyber updates to the Executive Leadership team at least on an annual basis.  We recommend quarterly or semi-annual updates to give more touch points on important topics.  You can draw parallels to quarterly financial statements. Let's say the Risk Committee chaired by the CEO has agreed to hear the status of the Cyber Program twice a year.  What should we brief the executive leadership team? Let's look at what's required by law. The State of New York requires financial services organizations to follow New York Department of Financial Services (NYDFS) regulations.  Section 500.04 provides additional information about CISOs.  It states: Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity's cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, "Chief Information Security Officer" or "CISO"). The regulations also state: The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity's board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a Senior Officer of the Covered Entity responsible for the Covered Entity's cybersecurity program. The CISO shall report on the Covered Entity's cybersecurity program and material cybersecurity risks. These types of requirements aren't confined to Wall Street.  The Bermuda Monetary Authority requires insurance companies to follow their Cyber Risk Management Code of Conduct.  It states that: The board of directors and senior management team must have oversight of cyber risks. The board of directors must approve a cyber risk policy document at least on an annual basis. 
So, both the State of New York and the Bermuda Monetary Authority want CISOs to provide risk management and perform at least yearly reporting on material cyber security risks. Many more regulatory bodies do; these are just offered as examples.

If you are going to function effectively as a leader, you should find some way to create a win-win from almost any situation. You likely have a regulatory requirement to brief your board or leadership on a periodic basis. That's fine. But have you ever asked yourself, what do I want in return? Hmm.

What you want is for your board to set the security culture from the top. Boards hold senior leadership (think C-level executives) accountable, and you want the board to ensure the CEO makes cybersecurity a priority for the organization. ISO 27001 has a nice tool, the Information Security Management System (ISMS) Policy Statement, which is senior leadership's declaration of the importance of cybersecurity within the organization. One example I found is that of GS1 India, a standards organization that helps Indian industry align with global best practices. Their ISMS Policy Statement begins with:

"The Management of GS1 India recognizes the importance of developing and implementing an Information Security Management System (ISMS) and considers security of information and related assets as fundamental for the successful business operation. Therefore, GS1 India is committed towards securing the Confidentiality, Integrity, and availability of information for the day-to-day business and operations."

If you can get a formal declaration of support from the top, your job is going to be a whole lot better. Otherwise, you might just end up being the Chief Scapegoat Officer.

Now let's define the four things that an executive leadership team should hear from their security leader that will convey the message that you have a handle on your scope of authority and are executing your responsibilities correctly.
Those four focuses are:

1. Cyber Risks and Responses
2. Cyber Metrics
3. A Cyber Roadmap that Identifies High Profile Programs and Projects
4. Cyber Maturity Assessment

Let's dig in. With respect to "cyber risks and responses," create a slide for executives that shows the top cyber risks. Examples may include things like ransomware, business email compromise, phishing attacks, supply chain attacks, third party compromise, and data privacy issues.

As a practical matter when briefing cyber risks, never just share a risk and walk away. Executives hate that. Be sure to talk about what you are doing as a CISO to mitigate this risk. Usually in Risk Meetings executives look for a few things about any risk:

- What is it?
- What is the likelihood that it will occur?
- What is the impact if it does occur?
- What are we doing about it?
- How much does it cost to fix?

However, this isn't a risk approval meeting where we need to go into that level of detail. So, let's keep our cyber risk reporting at an executive level by identifying our top three to five material risks and showing our cyber responses to each risk.

For example, if you believe phishing is your number one cyber risk, then highlight it and talk about how you have created a phishing education program that lowers click rates and increases phishing reporting to the Cyber Incident Response Team. When phishing attacks are reported, your team has a Service Level Agreement (SLA) to respond to phishing reports within four hours to minimize any potential harm. You can also highlight that your organization has email protection tools in place such as Proofpoint that stopped thousands of phishing attacks during the last quarter.

In summary, you are acknowledging that your company has Cyber Risks which can harm the organization. You are protecting the organization the best you can given the resources available to your team.
If someone doesn't like your four-hour SLA, then you might offer up that you could decrease the response time to a one-hour SLA if you had one additional headcount. This creates a business decision to give you additional headcount, which is a great discussion to have.

Once you have talked about the top three to five risks your organization faces, we recommend talking about key metrics to measure the Cyber Program. You could call these the metrics that matter. Essentially, they are tactical metrics that you measure month to month because they show risks that could result in major cyber-attacks. Our favorite place for metrics that matter is the OWASP Threat and Safeguard Matrix, or TaSM (pronounced like Tasmanian Devil). Please note we have a link to it in our show notes. Please, please, please read about the OWASP Threat and Safeguard Matrix. It's a short five-minute read, and you will be glad that you did.

What does the Threat and Safeguard Matrix teach us about cyber metrics? It says all good metrics show a status, a trend, and a goal:

- Status shows where we are right now
- Trends show if the project, program, or company is getting better or worse
- Goals show the end state so we know when we are done and if we should be happy with our current progress

The OWASP Threat and Safeguard Matrix then categorizes cyber metrics into four major areas: technology, people, process, and environment.

Technology-based metrics show things like how fast we are patching devices and how well our servers and laptops are configured. Think about it: if you have internet-facing servers which are not patched, then it's just a matter of time before bad actors cause your company (and you) a really bad day. This isn't something that you can wait on. So, your organization needs to continually track progress and burn these numbers down as quickly as possible. So, let's do something about it.
Start by looking at your company's security policy that defines the patch timelines for high and critical vulnerabilities. It might say something such as: we require critical vulnerabilities to be patched in 15 days and high vulnerabilities to be patched in 30 days. From that security policy you create a Service Level Agreement for the IT department to meet. So, you measure the percentage of your servers that have zero high and critical vulnerabilities older than that 15- or 30-day window. Yeah, it's going to look terrible in the beginning when your IT department shows that only 30% of its servers are patched according to the enterprise service level agreements. But transparency brings reform. When the CIO sees that these metrics are routinely being briefed to the CEO and executive leadership team, then things will change. The CIO will say "not on my watch" and usually lead the IT team to make the changes needed to improve patching.

Another metric category we see from the OWASP TaSM is People. When we think about cyber threats to people we usually think about phishing. So, during your monthly phishing exercises record your click rates and your reporting rates. Since each phishing exercise is different, you should benchmark your organization against other organizations who took the same phishing exercise. You can say we had 5% click-through compared to our industry vertical that scored 7%. If you are doing better than your peers, then you can show you are following best practices and meeting the legal term of due care. These metrics might lower your cyber insurance costs. These metrics could also be extremely helpful if your company were sued as a result of a data breach that began with successful phishing attacks. So, measure them each month and make good progress.

The third metric category is Process-based metrics.
Here you can monitor things like your third-party risks by looking at your processes that track how many of your third parties pass a review, have active ISO 27001 or SOC 2 Type 2 reports, and have recently passed penetration tests. Another process you might look at is what percentage of your critical applications performed adequately during both a Disaster Recovery exercise and a Business Continuity Plan exercise. These metrics are helpful during Sarbanes-Oxley (SOX) attestations and other regulatory reviews.

The fourth and last metric category defined by the OWASP TaSM is Environment-based metrics. This refers to things outside of your organization that you don't control. Even though you don't control them, they can have a substantial impact on your organization. You can think of countries passing new cyber or data privacy laws, regulators asking for new information and compliance activities, and malicious actors and fraudsters taking interest in your company all as examples of environment-based factors. Please don't confuse environmental factors with saving the Earth. This is not the context you are looking for.

Environment metrics could be used to show how many legitimate phishing attacks your organization stopped when someone reported a phishing attack and the Incident Response Team confirmed it wasn't a false positive. Note these are actual phishing attacks, not phishing exercises. This is an important metric because it shows that despite the email protection tools in place, things got past them. If you notice a 500% increase in confirmed phishing attacks, you might need to buy additional tooling to interdict them. Another metric you might look at is how many reported help-desk tickets your organization responded to that were caused by a cyber incident. These types of metrics can help inform management just how big the malicious attacker threat is and can be used by you to justify additional resources.
Well, that's a good overview on Cyber Metrics that you can look at each month, but we still have two more categories to go over in our cyber update. Remember, if you want to learn more on cyber metrics, please look at the OWASP Threat and Safeguard Matrix.

The third broad category of slides to include in your board deck is A Cyber Roadmap that Identifies High Profile Programs and Projects. Executives want to see the big picture on how you are evolving the program. So, show them a roadmap that says: over the next three years, here is the big picture.

For example, in 2022 we are focusing on improving ransomware defenses by enhancing our backup and data recovery process. We will also improve our ability to prevent malware execution in our environment by adding new Windows group policies.

In 2023, we will shift our focus towards improving our website security. We will be launching a bug bounty program that allows smart and ethical hackers to find vulnerabilities in our websites before malicious actors do. We will be upgrading our Web Application Firewall after we finish our three-year contract with our current vendor. We will also be adding a botnet protection tool to our internet-facing websites given the recent attacks we have been experiencing.

In 2024, we will then shift our focus to improving our software development process. We will be purchasing a tool to gamify secure software development amongst developers. This should lower the cost of vulnerability management. We will also be building custom courses in house that teach developers our company's requirements to build, test, and retire applications correctly.

When you present this type of Cyber Roadmap you might show a single slide with a Gantt chart view of when high profile projects occur, with the executive summary of the points previously mentioned.

The last major category is a Cyber Maturity Assessment.
Essentially you want something that independently measures the effectiveness of the entire Cyber Program. For example, many organizations use the NIST Cybersecurity Framework, ISO 27001, the FFIEC Cyber Assessment Tool, or HITRUST to benchmark their program. Consider hiring an independent auditing company to measure your organization's security maturity. You will get something that says: here are the top fifteen domains of cyber security. Today, on a scale of one to five, your organization measures between a two and four on most of the domains. Most companies in your same industry benchmark are at a level three compliance, so you are currently underperforming versus your peers in four domains. You can take that independent assessment and say we really want to improve all level two scoring opportunities to be at least a three. This can be something you show in a spider graph or radar chart. You can show the top five activities needed to improve these measurements and provide timelines for when those will be fixed. This shows the executive leadership team that security is never perfect, how you benchmark against your peers, and provides them with the same confidence that they would get from an audit to confirm you are working effectively.

So, let's summarize. We talked about Herzberg's hygiene factors, things that aren't perceived as satisfactory when present but are dissatisfactory when absent. Remember, satisfaction and dissatisfaction are not opposites. The opposite of dissatisfaction is no dissatisfaction. That helps us understand that when briefing management, we will not be able to delight them with the overall state of our cybersecurity program, but we can cause them not to worry about it. Focus on risk reduction, and how your program is helping your organization work toward that goal.

We talked about why we need to brief management and how often.
Different regulations require executive teams to articulate a cybersecurity strategy and empower the appropriate individuals to execute it. In addition, most rules require at least annual security briefings; you may want to strive for more frequent meetings to keep your leadership team well-informed. Your goal is to have your board set the security culture from the top and hold C-level executives accountable for funding and maintaining cybersecurity initiatives.

We covered the four things you should include in your executive briefings: cyber risks and responses, cyber metrics, a cyber roadmap that identifies high-profile programs and projects, and a cyber maturity assessment. By addressing risk in multiple forms, showing that you can measure and track your progress toward your security goals, that you have a solid plan for the next couple of years, and that you can demonstrate your maturity relative to peer companies, you will go a long way toward keeping your board happy, or more precisely, not unhappy.

Lastly, don't forget to look up the OWASP TaSM model. It's a really useful tool for mapping threat categories to the NIST Cybersecurity Framework and showing where you may have gaps in your program (represented by blank cells in the matrix). The link to that is in our show notes.

Well, we hope that you have enjoyed today's episode on Updating the Executive Leadership Team on the Cyber Program, and we thank you again for listening to us at CISO Tradecraft. Please leave us a review (hopefully five stars) if you enjoyed this podcast and share us with your peers on LinkedIn. We would love to help others with their cyber tradecraft. Thanks again and until next time, stay safe.
References

https://www.mindtools.com/pages/article/herzberg-motivators-hygiene-factors.htm
https://threataware.com/a-cisos-guide-to-cybersecurity-briefings-to-the-board/
https://www.spencerstuart.com/-/media/2021/october/ssbi2021/us-spencer-stuart-board-index-2021.pdf
https://www.spencerstuart.com/research-and-insight/cybersecurity-and-the-board
https://www.sec.gov/investment/im-guidance-2015-02.pdf
https://piregcompliance.com/ciso-as-a-service/what-regulations-require-the-designation-of-a-chief-information-security-officer-ciso/
https://proteuscyber.com/privacy-database/ny-dfs-section-50004-chief-information-security-officer
https://www.bma.bm/viewPDF/documents/2020-10-06-09-27-29-Insurance-Sector-Cyber-Risk-Management-Code-of-Conduct.pdf
https://www.gs1india.org/media/isms-policy-statement.pdf
https://owasp.org/www-project-threat-and-safeguard-matrix/

AWS Morning Brief

Links:
- Has its own vulnerability that's actively under exploit: https://arstechnica.com/information-technology/2021/12/patch-fixing-critical-log4j-0-day-has-its-own-vulnerability-thats-under-exploit/
- Google Project Zero deep dive into the NSO group's iMessage exploit: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
- Three flaws: https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html
- How to customize behavior of AWS Managed Rules for WAF: https://aws.amazon.com/blogs/security/how-to-customize-behavior-of-aws-managed-rules-for-aws-waf/
- Using AWS security services to protect against, detect, and respond to the Log4j vulnerability: https://aws.amazon.com/blogs/security/using-aws-security-services-to-protect-against-detect-and-respond-to-the-log4j-vulnerability/
- Update for Apache Log4j2 Issue: https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
- An innocent question: https://Twitter.com/QuinnyPig/status/1473382549535662082?s=20

Transcript

Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it's nobody in particular's job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Announcer: Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT: SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor, list and see all of SSH servers, Kubernetes clusters, or databases available to you in one place, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That's goteleport.com.

Corey: The burning yule log that is the log4j exploit and its downstream issues continues to burn fiercely. Meanwhile the year winds down, and it's certainly been an eventful one. I'll talk to you next week because that is what I do.

Now, let's see from the community what happened. The patch to fix the log4j vulnerability apparently has its own vulnerability that's actively under exploit. Find your nearest InfoSec friend and buy them a beer or forty because this is going to suck for a long time and basically ruin everyone's holiday.

Also, I've seen the most hair-raising thing I can remember in InfoSec-land, which is the Google Project Zero deep dive into the NSO group's iMessage exploit. Seriously, this thing requires no clicks on the part of the victim; the exploit uses a bug in the GIF processing inherent to iMessage to build a virtual CPU and assembly instruction set. There is no realistic defense against this short of hurling your phone into the sea, which I heartily recommend at this point as a best practice.

Oh, and everything is on fire and somehow worse. There are now at least three flaws in the log4j library that we're counting, so far. Everything is terrible and we clearly should never log anything again.

Corey: This episode is sponsored in part by my friends at Cloud Academy. Something special for you folks: If you missed their offer on Black Friday or Cyber Monday or whatever day of the week doing sales it is, good news, they've opened up their Black Friday promotion for a very limited time. Same deal: $100 off a yearly plan, 249 bucks a year for the highest quality cloud and tech skills content. Nobody else is going to get this, and you have to act now because they have assured me this is not going to last for much longer. Go to cloudacademy.com, hit the 'Start Free Trial' button on the homepage and use the promo code 'CLOUD' when checking out. That's C-L-O-U-D. Like loud—what I am—with a C in front of it. They've got a free trial, too, so you'll get seven days to try it out to make sure it really is a good fit. You've got nothing to lose except your ignorance about cloud. My thanks to Cloud Academy once again for sponsoring my ridiculous nonsense.

Now, AWS had a few things to say. The most relevant of them are How to customize behavior of AWS Managed Rules for WAF. So, if you're a WAF vendor and you don't link to this blog post as part of your, "Why should I pay you?" sales material, you're missing a golden opportunity. Every time I dig into AWS's Web Application Firewall offering, I end up regretting it, and with a headache.

There was also a post on Using AWS security services to protect against, detect, and respond to the Log4j vulnerability. I'm disappointed to see AWS starting to use the log4nonsense stuff to pitch a dizzying array of expensive security services that require customers to do an awful lot of independent work to get stuff configured properly. This kind of isn't the time for that.

And they have an update page that they continue to update called Update for Apache Log4j2 Issue, and this post has more frequent updates than AWS's "What's new" RSS feed. It really drives home the sheer scope of the issue, how pervasive it is, and just how much empathy we should have for the AWS security team. Their job has pretty clearly been not fun for the last couple of weeks.

And lastly, the tip of the week is more of a request for help, honestly. I asked what I thought was an innocent question on Twitter: "What are people using to read and consume CloudTrail logs?" The answers made it clear that the answer was basically, "A bunch of very expensive enterprise grade things," or, "Nothing." This feels like a missed opportunity for some enterprising company out there. If you've got a better answer here, please whack reply and let me know. You know where to find me. Thanks for listening. That's what happened last week in AWS security. Enjoy the time off if you're lucky enough to get any, and I'll talk to you next week.

Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.

Announcer: This has been a HumblePod production. Stay humble.

Papo Cloud Podcast
Security at the edge: Web Application Firewall in the Cloud

Papo Cloud Podcast

Play Episode Listen Later Oct 19, 2021 6:56


A chat with Diogo Dantas and Gustavo Ribeiro, Cloud Solutions Architects; we talk about the importance of having a security strategy for cloud applications and how to put it into practice quickly and practically in environments of every size. Want to understand how these and other cloud technologies can revolutionize your business? Get in touch through the site veezor.com. This content is supported by AWS, Amazon Web Services. Have a question? Send it to us on Instagram @papocloud. Full transcript of the episode: papo.cloud/veezorpodcast02

Instagram / Twitter: @papocloud
E-mail: contato@papo.cloud

Credits
Direction and Production: Vinicius Perrott
Editing: Senhor A - editorsenhor-a.com.br
Support the show: https://www.picpay.com/convite?@L7R7XH

DevSecOps Podcast
#15 - WAF - Web Application Firewall, everything you need to know!

DevSecOps Podcast

Play Episode Listen Later Apr 15, 2021 54:54


Everything you need to know about the Web Application Firewall, the famous WAF, in this relaxed and informative episode.

Azure Centric Podcast
Azure Weekly News #18

Azure Centric Podcast

Play Episode Listen Later Feb 22, 2021 75:15


On this Azure Centric Podcast, we are talking about the newest Azure features announced during this week. Marcos Nogueira and Andrew Lowes bring their point of view on these new Azure features:

• Standard Load Balancer and IP addresses metadata now available through Azure Instance Metadata Service (IMDS)
• Azure role-based access control (RBAC) for Azure Key Vault data plane authorization is now generally available
• Azure Firewall Premium now in public preview
• Automatic Azure VM extension upgrade capabilities now in public preview
• US Gov Virginia Availability Zones now generally available
• Log Replay Service for Azure SQL Managed Instance in public preview
• Additional IOPS feature for MySQL - Flexible Server in preview
• New disk bursting metrics
• Cross Region Restore of Azure VMs now generally available
• Azure NetApp Files | Volume hard quota change
• Azure Dav4-series VMs are available in Azure HDInsight
• Azure Purview available in public preview in South Central US and Canada Central
• General Availability: Azure Red Hat OpenShift support for OpenShift 4.6
• Azure Front Door Standard and Premium now in public preview
• Web Application Firewall Integration with Azure Front Door Standard and Premium SKU
• General availability: Web Application Firewall for Azure Front Door managed ruleset refresh
• Email one-time passcode authentication on by default starting October 2021

You will find videos about Microsoft Azure Technologies, Microsoft Certifications and Technology in general on this channel. The Podcast series is a very informal conversation with different guests. The Azure Concept series is where we bring the real-life experience of using Azure Technologies on the field. Don't forget to subscribe and make sure to hit the like button and share this video if you enjoyed it.

Facebook page - https://www.facebook.com/azurecentric
Twitter - https://twitter.com/azurecentric
Instagram - https://www.instagram.com/azurecentric
LinkedIn - https://www.linkedin.com/company/azurecentric
SoundCloud - https://bit.ly/acsoundcloudpodcast
Google - https://bit.ly/acgooglepodcast
Apple - https://bit.ly/acapplepodcast
Spotify - https://bit.ly/acspotifypodcast
YouTube - https://bit.ly/azurecentricyoutube
#AzurePodcast #AzureCentric #AzureNews

Rób WordPressa
069 - About WAF – Web Application Firewall with Artur Pajkert

Rób WordPressa

Play Episode Listen Later Feb 15, 2021 80:47


In this episode Artur Pajkert introduces us to the topics surrounding the Web Application Firewall. In an episode of more than an hour, Artur talks about the solution that protects the sites hosted on cyberfolks.pl every day. --- Send in a voice message: https://anchor.fm/maciejkuchnik/message

Master of None
CDN and its evolution to Edge Computing

Master of None

Play Episode Listen Later Dec 30, 2020 32:42


CDNs (Content Delivery Networks) have been around for decades. In this episode, we try to understand what a CDN is and the general use cases where a CDN may be a good fit. We also look at the main components that are available in a typical CDN. We also explore the various caching mechanisms of Push vs Pull and cache invalidation strategies, and take a brief look at different types of CDN, such as Public CDN vs Private CDN, and Image CDN and Media CDN. We also discuss how a CDN can help from a security aspect, be it DDoS attacks or acting as a Web Application Firewall against OWASP-type attacks. Finally, we delve into the newer trend of CDNs being used at a compute level with Edge Computing, with three main uses:
1. JAM stack for building modern server side rendered web applications
2. IoT devices that may perform small pre- and post-processing and deployment of AI/ML models at the Edge for inference
3. Edge Computing for 5G networks to serve content with millisecond latency
I hope you find the topics discussed in the episode pretty useful.

Python Podcast
Security

Python Podcast

Play Episode Listen Later Nov 27, 2020 120:51


Today we talked with Philipp and Christian about security and, at the end, took a short detour toward youtube-dl. We will probably have to sit down together a few more times on this topic too :).

Shownotes
Our e-mail for questions, suggestions & comments: hallo@python-podcast.de

Security
- Network security lecture (HHU)
- Boxine (Toniebox..)
- Smashing The Stack For Fun And Profit
- Von Neumann architecture / Harvard architecture
- Address space layout randomization / Executable space protection
- SQL injection
- psycopg
- Denial-of-service attack
- Ransomware infection at Düsseldorf University Hospital
- Adversarial machine learning
- Ada
- Ariane V88 crash
- Certification under Common Criteria / Evaluation Assurance Level
- Pentest
- Web Application Firewall (WAF)
- xkcd on security
- Common Vulnerabilities and Exposures (CVEs)
- Episode 18: Ten Years of Flask: Conversation With Creator Armin Ronacher
- Command injection etc
- Directory traversal attack
- graylog / kibana elk stack / sentry
- Django regex denial of service security advisory
- IndieAuth for datasette / oauth2 / openid connect
- Defense in depth
- Password hashing via: scrypt / pbkdf2

Picks / Youtube-DL
- youtube-dl
- Origins of the youtube-dl project
- Music industry fires a shotgun at open source / Philipp Hagemeister, former YouTube-dl maintainer re: takedown
- Streisand effect
- dateutil
- bcrypt
- Tonies - open positions
- Public tag on konektom

Azure Friday (HD) - Channel 9
Migrate and modernize your .NET applications on Azure

Azure Friday (HD) - Channel 9

Play Episode Listen Later Nov 13, 2020


Azure App Service hosts over 2M web apps with a fully managed app hosting platform for .NET, Node, Python, and Java web apps. In this episode, Gaurav Seth shows Scott Hanselman what's new in Azure App Service. Gaurav demos the new Premium V3 Plan with newer and faster hardware and lower pricing, ability to save costs with the new Reserved Instance Pricing, how to migrate ASP.NET apps with OS dependencies using Windows Containers, and briefly discusses the upcoming App Service Environment v3.

[0:00:00] – Overview
[0:00:23] – What's new in App Service
[0:04:05] – Premium V3 Plan with Windows Containers GA
[0:07:10] – Reserved Instance Pricing and other cost savings
[0:08:13] – App migration demo
[0:13:31] – Networking capabilities in Windows Containers
[0:15:56] – Azure Front Door with Web Application Firewall
[0:18:20] – App Service Environment v3 & wrap-up

Download the Migration Assistant for your .NET and PHP Apps
Zero to Hero with App Service blog post series
Migrate, Modernize .NET applications on Azure (Ignite 2020)
Continuous Deployment for Windows Containers with GitHub Actions
Deploy a website to Azure with Azure App Service
Create a free account (Azure)

Azure Friday (Audio) - Channel 9
Migrate and modernize your .NET applications on Azure

Azure Friday (Audio) - Channel 9

Play Episode Listen Later Nov 13, 2020


Azure App Service hosts over 2M web apps with a fully managed app hosting platform for .NET, Node, Python, and Java web apps. In this episode, Gaurav Seth shows Scott Hanselman what's new in Azure App Service. Gaurav demos the new Premium V3 Plan with newer and faster hardware and lower pricing, ability to save costs with the new Reserved Instance Pricing, how to migrate ASP.NET apps with OS dependencies using Windows Containers, and briefly discusses the upcoming App Service Environment v3.[0:00:00]– Overview[0:00:23]– What's new in App Service[0:04:05]– Premium V3 Plan with Windows Containers GA[0:07:10]– Reserved Instance Pricing and other cost savings[0:08:13]– App migration demo[0:13:31]– Networking capabilities in Windows Containers[0:15:56]– Azure Front Door with Web Application Firewall[0:18:20]– App Service Environment v3 & wrap-upDownload the Migration Assistant for your .NET and PHP AppsZero to Hero with App Service blog post seriesMigrate, Modernize .NET applications on Azure (Ignite 2020)Continuous Deployment for Windows Containers with GitHub ActionsDeploy a website to Azure with Azure App ServiceCreate a free account (Azure)

Azure Friday (Audio) - Channel 9
Migrate and modernize your .NET applications on Azure

Azure Friday (Audio) - Channel 9

Play Episode Listen Later Nov 13, 2020 19:47



Channel 9
Migrate and modernize your .NET applications on Azure | Azure Friday

Channel 9

Play Episode Listen Later Nov 13, 2020 19:47



Azure Friday (HD) - Channel 9
Migrate and modernize your .NET applications on Azure

Azure Friday (HD) - Channel 9

Play Episode Listen Later Nov 13, 2020 19:47



Cybersecurity FOREVER
#103: What is a Web Application Firewall (WAF)?

Cybersecurity FOREVER

Play Episode Listen Later Oct 31, 2020 7:37


Today I will discuss:
1. What is a Web Application Firewall (WAF)?
2. How does a WAF protect your web application from web-based cyber-attacks?
3. What are the benefits of a WAF?

Ctrl+Alt+Azure
030 - Briefly chatting about Azure Front Door

Ctrl+Alt+Azure

Play Episode Listen Later May 20, 2020 35:23


Join us in this episode where we chat about Azure Front Door. After discussing the Web Application Firewall in a previous episode, it was a good opportunity to focus next on Azure Front Door and what it is.

Ctrl+Alt+Azure
029 - What is Azure Web Application Firewall?

Ctrl+Alt+Azure

Play Episode Listen Later May 13, 2020 33:48


In this episode, we take a look at Web Application Firewall, or WAF. We've previously discussed Azure CDN (Episode 023) and remote access (Episode 009), so now it was a good time to focus on WAF itself. We also reminisce a little about the past, when installing a firewall meant spending nights configuring routing, networks and access rules. Pricing for WAF is also curiously complex, so our take on that is included as well. At the end, we announce a small raffle, so stay tuned until the end!

Ctrl+Alt+Azure
017 - Planning and designing perimeter security in Azure

Ctrl+Alt+Azure

Play Episode Listen Later Feb 19, 2020 38:56


Tobias and Jussi drill down into some important discussions around perimeter security in Azure. Azure Firewall, Application Gateway, Virtual Networks and Network Security Groups, Web Application Firewall, DDoS Protection, and more - when do you use what, and what do we need to know before we dive into these important design decisions?

Azure Lunch
Sharad Agrawal on Azure Front Door, the global HTTP load-balancer

Azure Lunch

Play Episode Listen Later Sep 13, 2019 24:28


In this fascinating interview, recorded at Microsoft //Build 2019, I talk with Sharad Agrawal, Program Manager at Microsoft, about Azure Front Door. This remarkable service fronts some of the largest web properties on the planet, including Xbox, Bing, Teams, and Azure DevOps, serving millions of requests per second. Azure Front Door is now generally available to all customers, offering a truly global Layer-7 load balancer with Web Application Firewall, DDoS protection, automatic SSL certificate management and much more. Sit back and enjoy as Sharad takes us deep into this service and the Microsoft global network that powers it. As always, Sharad and I are employees of Microsoft and our opinions are our own.

Show links:
What is Azure Front Door Service?
Microsoft global network
Microsoft Fast Track for Azure

From Microsoft New Zealand, this is Azure Lunch. A podcast about Microsoft Azure in short, digestible chunks, where we discuss cloud computing from a Kiwi perspective with architects, engineers and technical specialists from around the world. Azure Lunch is sponsored by Microsoft Fast Track for Azure, a team of engineers and program managers dedicated to helping you to be successful in Azure. Learn more at Azure.com/FastTrack. Thanks to SilverWHK for the use of his music in our podcast: https://silverwhk.bandcamp.com

Daniel Larsen and his guests are employees of Microsoft. The opinions expressed in this podcast are their own and not an official company statement.

SiberinGunlugu
SiberinGunlugu-24-30.08.2019-Imperva-Azure-Imessage-Camscanner

SiberinGunlugu

Play Episode Listen Later Aug 30, 2019 4:09


This week we talked about the security vulnerability in Imperva's Web Application Firewall tool, Microsoft Azure expanding its network points to many countries including Turkey, the security vulnerability the Google team found in Imessage, and the security vulnerability found in Camscanner. Enjoy listening, #siberingunlugu Tuğba Öztürk & Murat Lostar

Packet Pushers - Heavy Networking
Heavy Networking 449: Web Application Firewall Fundamentals

Packet Pushers - Heavy Networking

Play Episode Listen Later May 15, 2019 71:01


Today's Heavy Networking episode delves into Web application firewalls (WAFs) with guest Scott Hogg. We examine how WAFs differ from typical firewalls, the security problems they're trying to solve, how attackers try to bypass them, operational challenges, WAFs and cloud applications, and more. The post Heavy Networking 449: Web Application Firewall Fundamentals appeared first on Packet Pushers.

Packet Pushers - Fat Pipe
Heavy Networking 449: Web Application Firewall Fundamentals

Packet Pushers - Fat Pipe

Play Episode Listen Later May 15, 2019 71:01



Packet Pushers - Full Podcast Feed
Heavy Networking 449: Web Application Firewall Fundamentals

Packet Pushers - Full Podcast Feed

Play Episode Listen Later May 15, 2019 71:01



CloudSpotting
Season 2 Episode 3 Diving into WAF and on ways to prevent DDoS

CloudSpotting

Play Episode Listen Later Mar 29, 2019 34:59


Second of the series with Tomasz Ziolkowski. This time the gang dives into Web Application Firewall and discusses the business impact of DDoS.

Open Source Security Podcast
Episode 102 - Michael Feiertag from tCell

Open Source Security Podcast

Play Episode Listen Later Jun 25, 2018 30:50


Josh and Kurt talk to Michael Feiertag, the CEO of tCell. We talk about what a Web Application Firewall is, what it does and doesn't do, and what the future of this technology looks like. We touch on how this affects a DevOps environment. Security has to fit into the existing model, not try to change it. 

Decoding Security
We Could All Use a Good WAF

Decoding Security

Play Episode Listen Later May 29, 2018 7:56


No matter how unlikely you think an attack on your website might be, all sites are inherently at risk of compromise. Ram talks with guest host Ric about what a WAF is, and how to use one to protect your website.

SecurityCast
Web Application Firewall vs. Perimeter Firewall

SecurityCast

Play Episode Listen Later Oct 3, 2016 52:50


[SecurityCast] WebCast #40 Web Application Firewall vs. Perimeter Firewall

Podcast 1984
Podcast 1984 #3: Private security regulation

Podcast 1984

Play Episode Listen Later Jul 7, 2015 71:59


Do you already have your "hacker" card? http://podcast.jcea.es/podcast1984/3

Notes:
00:00: Introduction.
01:41: The debate: the regulation implementing the private security law.
01:41: Javier introduces the topic.
05:20: Pedro goes into the details of the current draft.
07:47: Jesús is not at all clear on it. Debate with Pedro.
11:25: Javier is concerned about who is responsible for issuing those certifications.
12:20: Antonio believes there is bad faith, an intention to keep "hackers" on file.
14:21: Pedro refocuses the debate.
17:13: Antonio insists on his view that this is about control. Jesús thinks we are already more than controlled enough through mailing lists, conferences, etc.
18:25: Jesús reflects on barriers to entry and unqualified practice.
21:20: Hidden interests and goals are discussed.
23:35: Jesús plays devil's advocate.
24:50: Antonio points out the important detail that the current draft lumps physical security companies and logical security companies together.
29:00: Final summary. There is a lot left to see and discuss.
31:13: Pedro interviews Kioardetroya (Jaime Álvarez):
31:30: Jaime is currently unemployed. This serves as a starting point for reflecting on the security job market.
34:00: Will the "hacker" card be of any use in the job market?
37:00: Bugtraq-Team and USB Rubber Ducky.
40:40: Hack&Beers on 10 July 2015.
41:30: Responsibility for security is placed on the user instead of the company.
42:30: Microterrorism.
45:40: Digital autonomy: Javier talks about hardening Linux systems.
46:20: Don't install unnecessary packages.
47:20: Keep the packages you do need up to date.
48:00: How to keep packages updated.
49:30: Remote access, control of open ports: port knocking, VPNs, and reaching the rest of the network through a single entry machine.
51:10: If you are going to leave SSH open to the internet, don't put it on port 22.
52:10: Don't allow remote root access via SSH.
53:30: Port knocking.
54:50: IP blocking: Fail2ban.
58:40: Securing the application:
01:00:25: Web Application Firewall.
01:01:00: Mod Security.
01:02:00: Mod Evasive.
01:03:05: Protecting websites through HTTP headers. For example, X-XSS-Protection.
01:03:50: Access control for legitimate users: Snoopy, LDAP.
01:06:30: Database: enable access audit logs.
01:08:10: Password policies.
01:09:13: Backups and logs.
01:11:15: Sign-off.

Gordon And Mike's ICT Podcast
The Jester and DoS, Preventing Attacks, Seizure of Domain Names and Other Topics [32:30]

Gordon And Mike's ICT Podcast

Play Episode Listen Later Mar 28, 2011 32:30


In this episode, we discuss a wide range of topics, including:
- The Jester's denial of service attack on the Westboro Baptist Church website
- How one might prevent such attacks
- The seizure of domain names by the Department of Homeland Security
- The treatment of Bradley Manning
- Google and bugs in Flash
- A 16-year-old girl who may have hacked HBGary
- Skype and encryption data leaks
- And finally, how the events in Japan may affect iPad2 availability

Layer 7 Denial of Service attacks:
th3j35t3r's assault on Westboro Baptist Church Website Continues: https://www.infosecisland.com/blogview/12400-Assault-on-Westboro-Baptist-Church-Website-Continues.html
Live Performance Report for Westboro Church Website (four sites held down 24 days from a single 3G cellphone): http://uptime.netcraft.com/perf/graph?site=www.godhatesfags.com

Defense techniques:
Protecting a Web server with a Load-Balancer: http://samsclass.info/124/proj11/proj15-haproxy.html
Protecting a Web server with mod_security (a Web Application Firewall): http://samsclass.info/124/proj11/p16-mod-security.html
Protecting a Web server with iptables (a firewall): http://samsclass.info/124/proj11/p5x-iptables-layer7.html
Westboro Spoof for a Good Purpose: http://www.godhatesjapan.com/

DHS seizure of domain names:
Web seizures trample due process: http://arstechnica.com/tech-policy/news/2011/03/ars-interviews-rep-zoe-lofgren.ars

Bradley Manning's Continuing Abuse in Captivity:
Ellsberg on Obama's View that Manning's Treatment is "Appropriate": http://www.ellsberg.net/archive/ellsberg-obama-manning
WH forces P.J. Crowley to resign for condemning abuse of Manning: http://www.salon.com/news/opinion/glenn_greenwald/2011/03/13/crowley

Google and Flash Bugs:
Google first to patch Flash bug with Chrome update: http://www.computerworld.com/s/article/9214689/Google_first_to_patch_Flash_bug_with_Chrome_update

"Anonymous" Hacker Speaks:
Is This The Girl That Hacked HBGary? 16 years old, and in hiding for a felony: http://blogs.forbes.com/parmyolson/2011/03/16/is-this-the-girl-that-hacked-hbgary/

Skype Encryption Leaks Data:
Uncovering spoken phrases in encrypted VoIP conversations: http://www.cs.unc.edu/~fabian/papers/oakland08.pdf

Shortages of Apple's iPad and iPhone to bleed into June quarter -- caused by Japan's disasters: http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=40531&mode=thread&order=0&thold=0

Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.
Damiano Bolzoni & Emmanuel Zambon: Sphinx: an anomaly-based Web Intrusion Detection System

Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.

Play Episode Listen Later Jan 9, 2006 63:39


We present Sphinx, a new, fully anomaly-based Web Intrusion Detection System (WIDS). Sphinx has been implemented as an Apache module (like ModSecurity, the most widely deployed Web Application Firewall) and can therefore deal with SSL and POST data. Our system uses different techniques at the same time to improve detection and false positive rates. Being anomaly-based, Sphinx needs a training phase before real detection can start: during training, Sphinx automatically learns the type of each parameter inside user requests and applies the most suitable model to detect attacks. We define 3 basic types: numerical, short and long texts. The idea behind this is that, e.g., if we observe only integer values and later some text, that is likely to be an attack (e.g. SQL Injection or XSS). For numerical parameters, a type checker is applied. For short texts (text with fixed length or slight variations), Sphinx uses a grammar checker: grammars are built by observing the parameter content (during the training phase) and then used to check the similarity of new content during detection. Long texts are typically e-mail/forum messages, which often change their length and would produce infeasible grammars. For this kind of content we use a modified version of our NIDS POSEIDON, using n-gram analysis. Furthermore, Sphinx can actively support the deployment of WAFs like ModSecurity: e.g. if we are deploying an ad hoc web application (or when 3rd parties' software is used), we most probably need to spend a lot of time on writing signatures. Once Sphinx accomplishes the training phase, it can automatically generate ModSecurity-style signatures for numerical and (some) short-text parameters, making deployment much easier.

Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.
Damiano Bolzoni & Emmanuel Zambon: Sphinx: an anomaly-based Web Intrusion Detection System

Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.

Play Episode Listen Later Jan 9, 2006 63:39

