App protection amid evolving app landscape, automated attacks

The typical modern organization, according to a joint F5-Ponemon global study, uses 765 web applications, of which 34% are considered mission critical.

Impact-wise, when apps are attacked, 81% of respondents to the F5 Labs 2018 Application Protection Report, rated loss of availability or denial of service as “the most painful”, followed by breach of confidential or sensitive information (77%); tampering with an application (73%); and loss of personally identifiable information of customers, consumers, and employees (64%). Injection attacks against app services, account access hijacking and denial-of-service attacks have been most prevalent.

Cloud-augmented security

An army of attacker-controlled devices, or thingbots, is increasingly forming the attackers’ infrastructure. “It definitely is right now for distributed denial of service (DDoS),” said David Holmes, F5’s global security evangelist.

Presently, when volumetric DDoS attacks are detected by F5’s on-premises solutions, customers of the cloud-based F5 Silverline DDoS Protection use a Hybrid Signaling feature to alert F5’s Security Operations Center (SOC) in real time and reroute traffic for cloud-based scrubbing. “Most DDoS attacks these days are minutes long, not days long,” Holmes added. “It might not be a great value to send somebody an alert [manually] about a giant attack coming and they don’t check their mail for 15 minutes and by the time they check it, it’s over.

“Once an organization gets to a certain size, having a DDoS strategy in place is critical. And depending on the architecture, the most obvious thing is to contract somebody like F5 to be the scrubber because [since] a year ago, we were able to mitigate a 2TB attack. Obviously, even if it is just 1Tb, only service providers can absorb that. A typical enterprise is just not going to be able to.”

The Hybrid Signaling capability can also be used together with the on-premises F5 BIG-IP Application Security Manager (ASM) web application firewall (WAF) to identify source IP addresses belonging to bad actors. These addresses can then be blocked in the cloud with Silverline DDoS Protection.

WAFs remain the top means for securing applications, along with application scanning and penetration testing. Although they are not designed for bot detection, and their policy-based approaches cannot adapt or scale to defend against large-scale bot attacks, they are still a preventive security control that significantly reduces the risk of web vulnerability exploitation. WAFs can be further complemented by other security controls, such as vulnerability scanning, continuous monitoring, and collaboration with the development team.

This is why F5’s standalone solutions, sitting at the intersection of all application traffic in and out of the organization, can deliver rich visibility into context, with which organizations can then apply critical WAF, DDoS prevention, and access management capabilities against advanced threats.

For example, the virtualized F5 Advanced WAF can be deployed directly from public cloud providers such as Azure or Amazon Web Services (AWS). Its Layer 7 behavioral DoS detection and mitigation enable a hands-off automated protection cycle that is continually optimized and refined.

Similarly, its proactive bot defense allows session-level detection and blocking of automated threats. On the client side, there’s protection against credential stuffing – automated attacks that use previously stolen credentials – while F5 Anti-Bot Mobile SDK integration helps to counter sophisticated bot attacks on mobile API endpoints.

The F5 Advanced WAF can be augmented with the F5 DDoS Hybrid Defender, which has been updated to detect and defend against multi-vector and volumetric DDoS attacks across the network, session, and application layers while integrating offsite cloud scrubbing.

With applications being principal gateways to critical data, and a lack of visibility into the application layer among the top barriers to achieving strong application security, F5 has also delivered advanced access controls (F5 Access Manager) and dedicated Secure Sockets Layer visibility with orchestration capabilities (F5 SSL Orchestrator) to help thwart sophisticated cyber attacks.

App-first approach

When Japan-based Golf Digest Online (GDO), a specialty online retailer for golfers, decided to completely transition its infrastructure into the cloud with a move to Amazon Web Services (AWS), it chose the virtual editions of several F5 products to ensure an incident-free transition.

After deploying BIG-IP ASM on AWS to screen all incoming traffic, GDO attained the same high level of security on AWS that it had with its on-premises system. The ability to continue using an F5 partner’s BIG-IP ASM-based SOC services also offered relief for its security resources.

Similarly, the financial services company The Motley Fool, which has used the F5 BIG-IP Local Traffic Manager (LTM) for load balancing and availability for years, augmented its existing infrastructure with the F5 Silverline Web Application Firewall.