“Your security should not hinder business development”, “this security policy reduces user experience and affects conversion rate” — these are the complaints that the enterprise security department of Party A often hears from the cooperation team. But security practitioners are definitely not joining companies to “impede business development,” so can security solutions become “business enablers” rather than “business obstructers”? The answer is yes.
Security products, such as firewalls, IDS, WAF, etc. that are transparent to customers and are coupled with services, rarely suffer similar ridicule.
However, returning to the Internet business security scenario, common business security prevention and control scenarios are as follows:
Scene 1:
Security: “Logged traffic reported, someone is swiping the library”
Business: “Let me see, this is a login portal for which business is open, no one has maintained it for a long time.”
BOSS: “Is there any way to stop the bleeding quickly?”
Security and business: “This small entrance has not been connected to the risk control system before, so it can only be dealt with after account retrieval.”
BOSS:…
Scene 2:
Security: “This security policy requires you to send me the LOGIN IP address.” Business development and transformation of N sky line.
Security: “there is a part of the IP wrong ah, is not to take the gateway Intranet IP.”
Business development:…
Scenario 3:
Business development: “Security allows us to log user-agents, browse, and now a lot of business response time is spent logging. Is there business value in doing this?”
Security:…
The core problem with each of these scenarios is that business security solutions are often embedded in business logic. Is there a universal solution to Internet business security as firewall? To answer this question we first explore the “generic security risks” of business security.
0x01 Service Security Common security risks
To find common risks to business security, you first define what states are considered business “safe.” When security engineers are asked by customers, “Is this product safe? , he will often consider various security details, whether the business class will be hit database, whether there is information leakage, whether the system class has injection, horizontal permission control and other issues. But these security details are often not the answer to the question “is it safe?”
The “security” that customers want is a balance. No system is absolutely secure, even the most robust system can suffer from security problems, and improving security for the system is not free of cost. So the “security” that customers need is the balance between security cost and security capital loss. A dedicated security engineer for a DMZ blog server is not the “security” that customers need. Saving safety costs but leading to large-scale warehouse collisions is not the “safety” customers want.
Returning to the business security scenario, there is a common feature. Only when it reaches a certain scale and is used in batches, business security vulnerabilities will cause business impact. A Web attack may be written into webshell and lead to the collapse of the machine, but the threat caused by limited hits, spam registration, spam messages and brushing is acceptable to enterprises. And the attackers to achieve large-scale, batch sex of the purpose, all through the machine to achieve automation. It can be concluded that —- large-scale, batch machine risk is a common risk in the field of business security.
0x02 Common solution requirements analysis
The previous section concluded that large-scale, batch machine risk is the biggest pain point facing business security, so what are the requirements for implementing a common “machine risk solution”? The industry’s defenses against machine risk are well established — against human knowledge (captcha), against inherent human characteristics (behavior recognition), against machine cost (POW), and so on. However, the industry still does not integrate these defenses to provide a universal business security solution for two main reasons — business transparency and rapid deployment.
Business transparency:
In the existing man-machine identification scheme, customers need to modify the front end and back end for access, and even business needs to adjust the business logic with the security scheme. Security intrudes into the business master logic, and sometimes even becomes a business burden.
Rapid deployment:
Machine risk prevention is too complex to be rapidly deployed. As a result, service systems cannot be easily configured to implement site-wide risk prevention and control. Business systems often have numerous small traffic entrances, and these undeployed entrances often become vulnerabilities.
0x03 Generic solution concrete implementation
How to achieve a common machine risk solution that is “business transparent” and “rapid deployment”? The core is to be able to intervene between the browser and the business server in a man-in-the-middle manner to achieve the following requirements:
1. Inject the corresponding Javascript script into the page;
2. The Javascript script collects data and hooks all the events that trigger the submission operation of the user, injecting the data into the request when the user initiates the request;
3. Able to proxy forward requests from browsers and business servers, and parse requests;
Now the man in the middle attack tool (MITMf) has been quite mature, and the idea of reversely applying the man in the middle attack tool seems to be able to meet these requirements. The WAF service is deployed between the business server and the browser. When the user browses the website, THE WAF injects the JS required by the front-end for data collection. At the same time, JS hooks the user’s request event in the front-end, and when the user initiates a request, the collected risk identification data is injected. The reverse agent extracts the corresponding risk identification data and submits it to the risk control brain to make a comprehensive decision whether to block the user request or initiate a second verification challenge.
The interaction flow of WAF data risk control service between the business server and the browser is shown as follows:
The key business risk prevention and control adopts the three-layer funnel model for layer by layer filtering to achieve the goal of transparently blocking business risks. The three funnel models are as follows: blocking machines to eliminate the risk of mass attacks by attackers; abnormal traffic analysis to identify some missing machine behaviors and bad users with abnormal behavior trajectory; credit investigation model to reject bad users based on the user’s reputation score, and finally achieve the purpose of pushing services to target users.
Block machine:
1. Machine recognition based on human inherent characteristics, credible front-end acquisition of user behavior data based on JS, and detection of machine behavior through online real-time model for blocking; 2, consumption of machine attack cost so that the attack is not worth the loss, based on the principle of POW(Proof of work), through the server to issue problems to consume the front-end calculation. For ordinary users with enough spare CPU resources, a small amount of computing costs nothing, while the attackers need to achieve the effect of batch attacks will consume too much computing resources, making the attack more than worthwhile.
Flow analysis:
Machine learning is used to identify abnormal traffic in network traffic, so as to intercept some bad users with abnormal behavior trajectories. Common ideas are as follows:
1. Browsing track. For example, in the Internet finance scene, normal users will compare various financial products after registration and finally place an order, while “wool party” usually gets activity information in the group and goes straight to the activity page to collect wool;
2. URL clustering: In the online shopping scenario, normal users will choose from similar items before buying a certain product;
3. Browsing frequency: On UGC website, users generally browse and comment at a certain interval, and users who frequently reply in seconds are most likely to send spam messages.
Credit Investigation model:
There’s a classic saying that accompanies the birth of the Internet: “On the Internet, no one knows you’re a dog.” However, in business security scenarios, identifying user identity and evaluating user reputation are important basis for business risk control. Draw lessons from the mature credit investigation system in the real society, and the Internet is now a mature ecological closed loop. The user is identified by device fingerprint, and the reputation score is based on the user’s activity record on the Internet, supplemented by the list of faithless users. In this way, high-risk users in the first two layers of the bypass are intercepted.
0x04 VALUE of WAF Data Risk Control service
Returning to the question at the beginning of this article, how can business security prevention and control become a “business enabler” and can WAF data risk control services achieve this goal? The answer is yes.
WAF data risk control services have two major advantages that both secure enterprise business and accelerate business growth.
First, business transparency, business development resources can be focused on business code, reduce the cost of enterprises to achieve security requirements.
Second, rapid deployment, WAF data risk control service can quickly deploy the whole site, quickly realize the guarantee of website business risk. Just as the invention of safety belt ensures the safety of drivers and enables cars to run at a higher speed in a safer manner, the business risk prevention and control of the whole station can also enable enterprises to push their business to target users, thus accelerating the business development of enterprises.
Author: Nanxun @ Ali Cloud security, more security articles, please visit Ali Ju security blog