Prevoty Enterprise Technical Overview

May 2014

Table of Contents

Executive Summary ........ 3
Prevoty Suite Overview ........ 3
Trusted Content ........ 6
Trusted Query ........ 10
Trusted User ........ 12
Live Dashboard & Analytics ........ 14
Integration with External Data Stores and SIEMs ........ 15
Deployment & Integration ........ 15
Performance ........ 16
Prevoty Enterprise Benefits ........ 16
Summary ........ 18


Executive Summary

The frequency and impact of hacking attempts against websites and applications continue to rise to unprecedented levels, creating a significant impact on enterprises. The most common attacks include cross-site scripting (XSS), SQL injection (SQLi) and cross-site request forgery (CSRF).

When successful, these attacks can lead to many issues for organizations, including brand defacement, data exfiltration, user ID theft and a host of potentially serious problems stemming from hackers and cybercriminals having unfettered access to applications and data services (caches, databases, filesystems, etc.) behind the firewall.

Prevoty has developed a unique product suite that provides an unprecedented level of protection against all of these attacks by operating inside the applications themselves.

This paper provides a detailed technical view of the components that make up the Prevoty Enterprise suite.


Prevoty Suite Overview

Prevoty’s technological approach is based on one very simple but powerful realization: applications can only be truly protected if the analysis of potential threats happens with context and in real-time application control flow.

Prevoty Enterprise is a comprehensive application security solution designed to protect organizations against the top application security threats by validating inputs, queries and tokens from a single, easily deployable service.

Trusted Query

Protects popular relational databases (Oracle, MySQL, MSSQL, etc.) from SQL injections (SQLi) using advanced query virtualization technology that can audit parsed fields, tables, functions and subqueries.

Trusted Content

Eliminates cross-site scripting (XSS) attacks and other malicious and unwanted content, such as spammy phrases and profanity, without any requirement for past definitions or signatures.

Trusted User

Generates and validates cryptographically unique tokens to prevent cross-site request forgery (CSRF) by identifying malformed, expired and replayed tokens, protecting against user identity theft and fraud.


Pre-built SDKs enable applications to make control flow calls to the Prevoty engine, which is delivered in the cloud (public or private) or on-premise as a virtual appliance. The SDKs are available for all common languages and frameworks, from strongly typed, closed source languages like C# to weakly typed, open source languages like Ruby. All of these SDKs can point to either a cloud-based or an on-premise engine simply by changing the base endpoint of the API.

The Prevoty engine uses sophisticated lexical and behavioral analysis to understand and prevent malicious content and query execution; content is simulated in a manner similar to how a browser renders content while queries are analyzed relative to the appropriate database engine. In either case, the engine detects and prevents attacks from impacting the application and its users.


In addition to actively preventing threats from inside the application, Prevoty’s engine also provides real-time threat intelligence for security teams across the entire application portfolio. Additionally, transactional log entries can be delivered instantly to external data stores and SIEMs such as Splunk, HP ArcSight and IBM QRadar.

[Figure: architecture diagram; labels: Dynamic, Built in-house & externally, Distributed, Database, Internal Employees, VPN, Firewall incl. WAFs, External Employees, Cloud, Web Services, Partner Apps, SAML, User Generated Content, External Data Services, Mobile & Multi-device Users]


Trusted Content

Trusted Content is designed to eliminate XSS attacks as well as other malicious and unwanted content. Trusted Content makes use of a Prevoty core component called Bonsai. Bonsai is effectively a server-side compiler for HTML, CSS and JavaScript that includes a number of proprietary tokenizers and parsers. Bonsai is capable of analyzing any fragment or a full document that can include HTML, plain text or mixed content, and can predict web browser execution.

Based on the analysis of the content, Bonsai can pinpoint and surgically remove bad content while preserving data fidelity. As a side effect, Bonsai can ensure that content is lexically formed and transformed. When Bonsai parses malformed HTML, it performs transformations to make the content safe for browser interpolation and execution.

By being within the control flow of an application, the Prevoty engine provides a rich statistical data structure containing key security metrics that allow a developer to make decisions on what actions to take.

One option is just to run the engine in a passive mode, not doing anything with the sanitized output and simply gleaning the statistics for transactional and future data analysis.

The other option is to take the sanitized output and persist it to a database or render it out to a user’s web browser.


There are two ways to create configurations for content analysis:

WYSIWYG configuration editor

Simple checkbox-based selection to specify generally acceptable content. Options include acceptable text formatting, whether images, links and media embeds should be allowed, which protocols and protocol-based attributes are permitted, etc.

JSON-based configuration

More granular selection of protocols and tags, and of how content should be coerced in a mixed environment where HTML may or may not actually be wanted. Allows the execution of advanced Prevoty pipeline tasks such as spam/profanity detection as well as link analysis.


There are cases where organizations must ensure that no rich content, such as HTML, is ever accepted. Accomplishing that via a JSON-based configuration is simple.

To put things in perspective, let’s consider a web application with a text box:

This text box can be used to launch an XSS attack:


Without appropriate input validation, this script will execute as either a reflected or persisted attack (depending on how the input is processed and stored):

With Trusted Content enabled, this script would not execute. By default, the sanitized content (only the text alert("you've been hacked");) would be persisted or rendered. Statistical data related to the prevented attack would be delivered in real-time to the Prevoty dashboard. As outlined above, the developer could also choose to take different actions based on context. One such example would be to flag the user as malicious or simply terminate the entire HTTP request.

Although most developers of modern applications are trained to handle such a simple case (for example through output encoding), this may not have been the case with existing and perhaps legacy applications. Trusted Content provides an extremely quick path to remediating known attacks and alleviating security defect backlogs.

Furthermore, Trusted Content also automatically analyzes much more sophisticated content and takes appropriate actions, including preserving valid formatting, management of UTF-8 and UTF-16 character sets, preservation of custom markup, removal of invalid protocols, etc.

Importantly, even if the attack is “fuzzed” as a means to circumvent traditional definition-based security, Trusted Content will still analyze and action the content correctly. This capability makes Prevoty Enterprise unique in being able to prevent zero-day XSS attacks.
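As an added illustration of the behaviour described in this section (this is not Bonsai and not code from the document), the following allow-list sanitizer built on Python's html.parser drops disallowed tags while keeping their text, so the text box script above comes out as just alert("you've been hacked");, rejects link protocols outside an allow-list, closes malformed nesting, and returns a statistics dictionary for the application to act on in passive or active mode. The allow-list configuration is an assumption.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list standing in for a Trusted Content configuration:
# text formatting and links allowed; no scripts, images or media embeds.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL

def _scheme(url):
    try:
        return urlparse((url or "").strip()).scheme.lower()
    except ValueError:                # unparsable URL counts as an invalid protocol
        return "invalid"

class Sanitizer(HTMLParser):
    # Re-emits a fragment keeping only allowed markup; text always survives.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []
        self.stats = {"tags_removed": 0, "attrs_removed": 0,
                      "protocols_removed": 0, "tags_closed": 0}

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.stats["tags_removed"] += 1            # the tag goes, its text does not
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.stats["attrs_removed"] += 1       # e.g. onclick=
            elif name == "href" and _scheme(value) not in ALLOWED_SCHEMES:
                self.stats["protocols_removed"] += 1   # e.g. javascript: or data:
            else:
                kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag != "br":                                # void element, never pushed
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:                      # stray end tags are ignored
            while self.open_tags:                      # close anything still open inside it
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        # Text is kept, encoded, even when it sat inside a dropped <script>
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:                          # malformed input: close what was left open
            self.out.append("</%s>" % self.open_tags.pop())
            self.stats["tags_closed"] += 1
        return "".join(self.out)

def sanitize(fragment):
    # Returns (sanitized fragment, statistics); the application then chooses
    # passive mode (keep the statistics, discard the output) or active mode.
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result(), parser.stats
```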


Trusted Query

Trusted Query analyzes database queries and protects popular relational databases (Oracle, MySQL, MSSQL, etc.) from SQL injections using advanced proprietary query virtualization and lexical analysis that can audit parsed fields, tables, functions and subqueries.

Trusted Query analyzes SQL query parse trees after lexical analysis and compares them to the relevant configuration that has been created (constraint solving). Reconciliation with the configuration reveals whether or not the query is planning to access a field that it should not, invoke a function call that it should not, attempt to access a database table that it should not, or perform an invalid join/subquery.

Trusted Query is founded on a set of proprietary tokenizers and parsers that enable the lexical analysis of a database-specific query. Unlike with Trusted Content, Trusted Query does not perform sanitization. Invoking Trusted Query results in a rich data structure with statistics that gives an application the control over preventing malicious query execution.

Prevoty has developed a tool that auto-generates a configuration for Trusted Query based on a SQL database’s definition (including tables, fields and type information). Security and development teams can further refine the configuration with specific security directives to allow access to specific tables, fields and functions.

As a simple example, let’s return to our web application but this time we will try a simple SQL injection via the URL:

[Screenshot: ACME INVESTING symbol search results page (Portfolio, Dashboard, Symbol Search, News; results for TSLA, NOCO, GOOG and PVTY with Buy Shares buttons)]

acmeinvesting.com/query=GOOG%20'%20union%20select%20*%20from%20users


If this executes against a database without protection it could result in data exfiltration:

[Screenshot: the same ACME INVESTING search page, now also showing a user record (Name, Email, SSN, Address, Phone, Total Account Value, Most Recent Trade) and two ALERT markers]

acmeinvesting.com/query=GOOG%20'%20union%20select%20*%20from%20users

With Trusted Query set up with a default configuration, this would return a payload to the application with analytics specifying multiple violations. This example application could prevent the query from executing. The development team can see these analytics in the Prevoty dashboard in real-time.

One of the most compelling capabilities of Trusted Query operating in the context of the application is that even the most sophisticated SQL injections can be prevented, including those that originate via other APIs, partner applications, RSS feeds, synthesized queries, etc.
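An added example, not Prevoty's engine or a real Trusted Query configuration: a toy constraint check over a lexed SQL query that reports statement, table, field and function violations in the categories the dashboard section lists, applied to the symbol search and the injected URL above. The policy, the concatenated search query and the SQL subset handled are all assumptions; a real engine parses the dialect fully.

```python
import re

# Toy SQL lexer (constructed; not Prevoty's tokenizer). An unterminated string
# runs to end of input, so the dangling quote left by the injected URL still lexes.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'?|\d+(?:\.\d+)?|[A-Za-z_][\w.]*|<>|[,()=<>*;]")
KEYWORDS = {"select", "from", "join", "union", "all", "distinct", "where", "and", "or", "as",
            "on", "in", "not", "null", "inner", "left", "right", "outer", "group", "order",
            "by", "having", "limit"}
CLAUSES = {"where", "on", "group", "order", "having", "limit"}

# Constructed policy standing in for a configuration generated from the schema.
POLICY = {
    "tables": {"stocks": {"symbol", "name", "price", "change"}},
    "functions": {"upper", "lower"},
    "allow_union": False, "allow_subquery": False, "allow_wildcard": False,
}

def analyze(sql, policy):
    """Return (statistics, violations). The application decides what to do with them:
    block the query (active mode) or just keep the statistics (passive mode)."""
    toks = [t.lower() for t in TOKEN_RE.findall(sql)]
    seen = {"tables": set(), "fields": set(), "functions": set(), "unions": 0, "subqueries": 0}
    ctx = None
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t == "select":
            ctx = "select"
            if i > 0 and toks[i - 1] == "(":
                seen["subqueries"] += 1
        elif t == "union":
            seen["unions"] += 1
        elif t in ("from", "join"):
            ctx = "from"
        elif t in CLAUSES:
            ctx = "where"
        elif t == "," and ctx == "table":
            ctx = "from"                        # FROM a, b: another table follows
        elif t == "*":
            if ctx == "select":
                seen["fields"].add("*")
        elif t in KEYWORDS or t[0] in "'0123456789,()=<>;":
            continue                            # literals and punctuation name nothing
        elif nxt == "(":
            seen["functions"].add(t)
        elif ctx == "from":
            seen["tables"].add(t)
            ctx = "table"                       # skip an alias that may follow
        elif ctx in ("select", "where"):
            seen["fields"].add(t.split(".")[-1])
    allowed_fields = set().union(*policy["tables"].values())
    violations = []
    if seen["unions"] and not policy["allow_union"]:
        violations.append(("statement", "union"))
    if seen["subqueries"] and not policy["allow_subquery"]:
        violations.append(("statement", "subquery"))
    violations += [("table", x) for x in sorted(seen["tables"]) if x not in policy["tables"]]
    violations += [("field", x) for x in sorted(seen["fields"])
                   if x not in allowed_fields and (x != "*" or not policy["allow_wildcard"])]
    violations += [("function", x) for x in sorted(seen["functions"]) if x not in policy["functions"]]
    return seen, violations

def app_query(user_input):
    # The whitepaper's symbol search as a constructed, string-concatenated query.
    return "SELECT symbol, price FROM stocks WHERE symbol = '%s'" % user_input
```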


Trusted User

Trusted User generates and validates cryptographically unique tokens to prevent CSRF by identifying malformed, expired and replayed tokens, preventing user identity theft and fraud.

Trusted User accomplishes two distinct levels of trust:

• An application can trust that users are exactly who they claim to be

• A user can trust that an application knows exactly when he/she is performing a state changing action (e.g. login, checkout, etc.)

Trusted User is able to provide these guarantees by keeping track of individually generated tokens and ensuring that they are only used as specified, using a Prevoty technology called SmartCache.

At a high level, token generation requires four distinct variables:

• An application-specific user identifier; a one-way hash of the user identifier is a great candidate for this variable as it does not leak any personally identifiable information

• An application-specific action; an identifier of the part of the application the token is bound to (e.g. a specific web form)

• The duration expressed in seconds that a token should live for, commonly referred to as a time to live (TTL)

• The number of times a token can be used/validated

As an example, one large organization is using Trusted User with their mobile applications. When a user logs in for the very first time, their mobile application calls home to retrieve a persisted token.

Then for every state changing activity that the user does, Trusted User actually does the “bucket brigading”: sending the timed token back and validating the request. If the timed token is valid, the request executes; otherwise it sends a new timed token back that is bound to the next request that the user is about to take.

So, in this way they are able to make sure that the user is who they say they are prior to taking the state-changing activity in the application. No forgery, no replayed tokens, no (successful) man-in-the-middle attacks.

Depending on how the application sets the number of times a token can be validated, three different classes of tokens can be created:

• 1-time usage; ideal for web forms and 1-time URLs

• N-usage; i.e. the token can be used “N” number of times, ideal for multi-page forms, bounded sessions, etc.

• Unlimited usage; ideal for persisted sessions such as cookies for applications or signed tokens between mobile applications and web servers

Trusted User has been extensively threat modeled and designed with security as the primary priority:
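An added example, not Prevoty's token scheme: tokens built from the four variables above and validated into the malformed, mismatched, expired and replayed outcomes, with the three usage classes and the bucket-brigade hand-off to the next action. The HMAC token format and the in-memory usage store standing in for SmartCache are assumptions.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed: a server-side signing key and an in-memory usage store standing in
# for SmartCache. The HMAC token format is an assumption, not Prevoty's scheme.
SECRET = os.urandom(32)
REMAINING = {}   # token nonce -> uses left (None = unlimited)

def user_ref(user_id):
    # One-way hash of the application's user identifier: carries no PII
    return hashlib.sha256(user_id.encode()).hexdigest()[:16]

def _sign(parts):
    return hmac.new(SECRET, "|".join(parts).encode(), hashlib.sha256).hexdigest()

def generate(user_id, action, ttl, max_uses, now=None):
    """The four variables: hashed user, bound action (must not contain '|'),
    TTL in seconds and use count (1, N, or None for unlimited)."""
    now = int(time.time()) if now is None else now
    nonce = base64.urlsafe_b64encode(os.urandom(12)).decode()
    parts = [user_ref(user_id), action, str(now + ttl), nonce]
    REMAINING[nonce] = max_uses
    return "|".join(parts + [_sign(parts)])

def validate(token, user_id, action, now=None):
    """One of: valid, malformed, mismatched, expired, replayed."""
    now = int(time.time()) if now is None else now
    parts = token.split("|")
    if len(parts) != 5 or not hmac.compare_digest(parts[4], _sign(parts[:4])):
        return "malformed"        # truncated, tampered with, or forged
    uref, bound_action, expiry, nonce = parts[:4]
    if uref != user_ref(user_id) or bound_action != action:
        return "mismatched"       # genuine token, wrong user or wrong form
    if now > int(expiry):
        return "expired"
    left = REMAINING.get(nonce, 0)
    if left is None:
        return "valid"            # unlimited-use token (persisted session)
    if left <= 0:
        return "replayed"         # its 1-time or N-use budget is spent
    REMAINING[nonce] = left - 1
    return "valid"

def state_change(token, user_id, action, next_action, ttl=300, now=None):
    """Bucket brigade: validate the token for this step and, if it passes,
    hand back a fresh one-time token bound to the next step."""
    status = validate(token, user_id, action, now)
    return status, (generate(user_id, next_action, ttl, 1, now) if status == "valid" else None)
```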


Live Dashboard & Analytics

Prevoty Enterprise gives Security and Operations teams unprecedented visibility into what is actually happening within their organization’s applications. The Prevoty engine sends real-time updates from all instrumented applications via pre-built SDKs and aggregates that data into an easy-to-understand dashboard.

Generated analytics contain information including:

• Access data insights on API requests

• Volume of data transformed

• Security and validity of queries

• Statement, table, field and function violations based on constraint analysis

• Breakdown of all queries, including joins and sub-queries

• Breakdown of all accessed tables and fields within queries

• Detailed statistics on user ID tampering and attacks


Integration with External Data Stores & SIEMs

All data generated by the Prevoty engine can also be automatically logged to external data stores, such as Splunk, can be fed in real-time into a Security Information and Event Management (SIEM) system such as IBM QRadar and HP ArcSight or can simply be exported as a CSV for further reporting and analysis.

The Prevoty engine can also transmit analytics to custom data stores and SIEMs by communicating pre-defined JSON payloads via TCP/UDP. Analytics can also be collected via syslog or a Unix socket.

Deployment & Integration

Prevoty products can be deployed as a software-as-a-service (SaaS) solution using either the public cloud or an organization’s private cloud. Alternatively, they can be deployed as a virtual appliance in an organization’s data center. The server and client software is identical in all three instances.

The service is exposed as a REST API with communication requiring HTTPS with an API key. As a cloud SaaS, Prevoty will automatically scale the backend, requiring no infrastructure-related work for application developers. As an on-premise SaaS, workloads are distributed on multiple servers for high-availability within a target application’s environment.

Applications communicate directly with the Prevoty engine via a pre-built language / framework software development kit (SDK). Language implementations include but are not limited to:

• PHP

• Java

• .NET

• Ruby

• Go

• Node.js

• C++


Supported frameworks include but are not limited to:

• WordPress

• Drupal

• Rails

• Java EE

• ASP .NET

Once the SDK is included in the application, a Prevoty instance needs to be instantiated whenever the application is launched and then developers simply invoke a single Prevoty API call to pre-process content, SQL queries and state-changing HTTP requests.

Performance

Compute processing time for the Prevoty engine is sub-millisecond for all three products, with a typical network round-trip under 50ms for our public cloud service. The Prevoty engine was designed to scale and comfortably processes tens of thousands of requests per second per enterprise.

For organizations with hyper-sensitive latency requirements, the on-premise deployment option means that the engine can be in the same data center as the applications being secured with a high-speed pipe between the servers.

Prevoty Enterprise Benefits

There are many significant benefits to using the Prevoty Enterprise suite. These include:

Dramatically reduces opportunities for security breaches

By eliminating XSS, SQLi and CSRF breaches, risks such as brand defacement, data exfiltration and user ID theft and fraud are significantly reduced.

Eliminates zero-day attacks

Prevoty’s patented contextual, behavioral and lexical analysis engine draws on years of research in understanding how content and queries should and should not be interacting with applications. This allows us to automatically detect malformed or malicious entries and fix or reject them without the need for blacklisting, dramatically reducing the potential for zero-day attacks.

Provides security for modern dynamic and distributed applications

No matter where the content, queries or users originate in an untrusted ecosystem (the cloud, web services and API calls, RSS feeds, user generated content, mobile devices, etc.) Prevoty’s engine will always be able to process the inputs and state changes, ensuring protection even for the most complex applications.

Real-time threat prevention

The “Detect, Report, Fix” cycle takes on a whole new meaning since the “Fix” is done in real-time by Prevoty’s engine while the application is running, rather than waiting for months for the developers to patch a vulnerability.

Real-time security & threat analytics

Detailed statistics are yielded to identify attacks, quickly identifying which user sessions have been compromised. Analytics include information around malformed, expired, mismatched tokens and replayed tokens. Data can be exported as a CSV or automatically logged to external data stores, such as Splunk, for further reporting and analysis.

Ease of implementation

Prevoty’s engine is delivered as scalable software-as-a-service in the public cloud or a private cloud. Three lines of code are all it takes to include the power of Prevoty in your application.


Instant remediation

Adding Prevoty to your existing application base dramatically reduces the cost, time and complexity of remediation. Now all your applications can have state-of-the-art protection. Prevoty has proven to reduce security backlog defects.

Summary

The hacker attack plane of choice has moved from the network layer to the application layer. The dramatically increased attack surface available thanks to the new breed of cloud-enabled dynamic applications means that traditional firewall-based security alone can no longer protect organizations from sophisticated attacks.

Additionally, identifying application vulnerabilities using source code analysis or dynamic application security testing tools does not actually fix anything and does not provide protection against the highest threat risks: zero day attacks.

Prevoty’s mission is to protect enterprises and their users by delivering application security that works and the Prevoty Enterprise suite provides a whole new layer of security: real-time, in-application, active defense.
