Web Application Firewall Managed Services

New technologies are constantly emerging to combat the latest threats and attacks. Web application firewalls (WAFs) are a newer class of appliance designed to protect web applications from application-layer attacks. Traditional firewalls operate at the network and transport layers, filtering access by address and port; they do not inspect HTTP request content, so they cannot detect or prevent attacks against web servers and web services. That gap is what WAFs fill.

Application attacks include SQL Injection, Cross-Site Scripting, other Injection Flaws, Authorization Bypass/Abuse, Logic Flaws, Cross-Site Request Forgery and many more. These attacks exploit weaknesses in the application's own code rather than in the network, which is why a device that understands HTTP and the application's inputs is needed to detect and block them.

Properly fixing coding issues can take weeks or months and cost a substantial amount. With a WAF, protection can be in place within a day (a "virtual patch") while the permanent fix is designed, tested and rolled into production code.

WAFs do not block everything. Typical deployments run largely in monitoring mode and actively block only a small subset of the signatures that generate alerts. WAFs are not a silver bullet, and they are not application-aware without significant customization and tuning. They can also be laborious to maintain in dynamic applications whose data-driven request paths change constantly. IDS/IPS systems already have a high potential for false positives; with WAFs the potential is even greater, because rule tuning and application-specific awareness play such a prominent role.

SOS Security: Maximizing Application Firewalls

SOS Security has integrated WAF support into the ActiveGuard monitoring platform to make full use of WAF security capabilities and functions. By taking feeds from a WAF as well as other security devices (IDS, IPS, firewalls, databases, operating systems, web servers, etc.), SOS Security can cross-correlate attacks for a better understanding of the threats and risks they pose. Networks and applications run 24/7, and they face attacks 24/7. A dedicated team of experts monitoring security systems around the clock (or as needed), combined with strong correlation technology, greatly enhances the security features of the platforms already in place.

SOS Security addresses the pitfalls of WAF maintenance and false positives with trained personnel available 24/7 to review anomalous traffic. SOC engineers review anomalous web logs and correlate them against current attack patterns to determine whether an alert is a genuine attack or a false positive, for example a legitimate request to a valid resource or to newly deployed dynamic content.

We can also help with WAF tuning. Once you decide to deploy a WAF, SOS Security can step in with industry best practices: scan the sites you want to protect to identify the specific vulnerabilities that exist, then write rules covering those vulnerabilities into an Imperva WAF appliance. This can be done once at initial deployment, on a recurring schedule, or on demand as new sites come online or new or revised applications are launched.

Improve Security and Address Compliance

Application firewalls are an incredibly useful device and have begun to see widespread adoption in the industry, both as a best practice and as a regulatory requirement (e.g. PCI DSS 6.6). However, a major challenge for organizations implementing a WAF is understanding the attack. Since WAFs are designed to block complex application-level issues, their output is not easy for non-security experts to interpret. If you do not understand what the WAF is blocking and why, how can you react to its output?

For example, is the organization being probed or tested by a script kiddie or by a skilled attacker? Did the attacker probe the network before attacking the application? Has the attacker been testing the application for an extended period, probing and mining it for SQL Injection or scanning it for dozens of application-related vulnerabilities? Is the data exposed to the attempted or planned attacks, and therefore should Security be alerted and the suspect's IP address blocked at the firewall?

These are questions SOS Security can help answer.
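The questions above are what cross-device correlation is meant to answer. The following is an added illustration, not code from SOS Security or the ActiveGuard platform: it joins constructed firewall deny logs with constructed WAF alerts per source IP and answers "did the attacker probe the network first?", "how long have they been at the application?" and "how many attack classes have they tried?", then turns that into a block / review / do-not-block recommendation. The log format, field names and thresholds are assumptions chosen for the example, not those of any particular product.

```python
"""Cross-correlate WAF alerts with firewall logs, per source IP.

Added example with constructed sample data; the log format, field names
and thresholds are hypothetical, not those of any particular WAF product.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs. Format (assumed): "<timestamp> <device> <event> key=value ...".
FIREWALL_LOG = """\
2024-03-03T09:58:01Z fw DENY src=203.0.113.7 dst=198.51.100.20 dport=21
2024-03-03T09:58:02Z fw DENY src=203.0.113.7 dst=198.51.100.20 dport=22
2024-03-03T09:58:02Z fw DENY src=203.0.113.7 dst=198.51.100.20 dport=23
2024-03-03T09:58:03Z fw DENY src=203.0.113.7 dst=198.51.100.20 dport=3306
2024-03-03T09:58:03Z fw DENY src=203.0.113.7 dst=198.51.100.20 dport=8080
2024-03-03T09:58:04Z fw ALLOW src=203.0.113.7 dst=198.51.100.20 dport=443
2024-03-03T10:02:11Z fw ALLOW src=198.51.100.77 dst=198.51.100.20 dport=443
"""

WAF_LOG = """\
2024-03-03T10:05:30Z waf ALERT src=203.0.113.7 sig=SQLi uri=/login action=monitor
2024-03-03T10:21:02Z waf ALERT src=203.0.113.7 sig=SQLi uri=/login action=monitor
2024-03-03T10:44:19Z waf ALERT src=203.0.113.7 sig=SQLi uri=/account action=monitor
2024-03-03T11:03:55Z waf ALERT src=203.0.113.7 sig=XSS uri=/search action=monitor
2024-03-03T11:17:40Z waf ALERT src=203.0.113.7 sig=PathTraversal uri=/download action=monitor
2024-03-03T11:30:00Z waf ALERT src=203.0.113.7 sig=SQLi uri=/login action=monitor
2024-03-03T10:07:12Z waf ALERT src=198.51.100.77 sig=XSS uri=/search action=monitor
"""

# Tuning knobs (assumed values; a SOC would set these per environment).
PORT_SCAN_THRESHOLD = 5            # distinct denied ports before the first WAF alert
SUSTAINED = timedelta(minutes=30)  # how long app probing must last to count as "extended"
MULTI_VECTOR = 2                   # distinct signature classes seen from one source

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<event>\S+)(?P<kv>.*)$")


def parse(log: str) -> list[dict]:
    """Turn log lines into dicts; malformed lines are skipped rather than aborting triage."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
              "device": m["device"], "event": m["event"]}
        ev.update(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
        events.append(ev)
    return events


@dataclass
class SourceAssessment:
    src: str
    alerts: int
    signatures: set[str]
    probed_ports: set[int]          # distinct ports the firewall denied before the app attack began
    network_probe_preceded: bool    # "did the attacker probe the network first?"
    app_probe_duration: timedelta   # "has the attacker been at it for an extended period?"
    recommendation: str             # block / review / do not block


def assess(fw_events: list[dict], waf_events: list[dict]) -> dict[str, SourceAssessment]:
    """Answer the triage questions for every source that triggered a WAF alert."""
    waf_by_src: dict[str, list[dict]] = defaultdict(list)
    for ev in waf_events:
        if ev["device"] == "waf" and ev["event"] == "ALERT":
            waf_by_src[ev["src"]].append(ev)

    denies_by_src: dict[str, list[dict]] = defaultdict(list)
    for ev in fw_events:
        if ev["device"] == "fw" and ev["event"] == "DENY":
            denies_by_src[ev["src"]].append(ev)

    out: dict[str, SourceAssessment] = {}
    for src, alerts in waf_by_src.items():
        alerts.sort(key=lambda e: e["ts"])
        first_alert = alerts[0]["ts"]
        # Only denies that happened *before* the first application alert count as reconnaissance.
        probed_ports = {int(e["dport"]) for e in denies_by_src.get(src, []) if e["ts"] < first_alert}
        probed = len(probed_ports) >= PORT_SCAN_THRESHOLD
        duration = alerts[-1]["ts"] - first_alert
        sigs = {e["sig"] for e in alerts}

        if probed or (duration >= SUSTAINED and len(sigs) >= MULTI_VECTOR):
            rec = "block"         # recon followed by app attacks, or sustained multi-vector probing
        elif len(alerts) == 1:
            rec = "do not block"  # a lone alert is the classic false-positive / dynamic-content case
        else:
            rec = "review"        # repeated hits, but no corroboration from other devices yet

        out[src] = SourceAssessment(src, len(alerts), sigs, probed_ports, probed, duration, rec)
    return out


if __name__ == "__main__":
    for a in assess(parse(FIREWALL_LOG), parse(WAF_LOG)).values():
        print(f"{a.src}: {a.alerts} alerts, {sorted(a.signatures)}, "
              f"recon={a.network_probe_preceded}, span={a.app_probe_duration} -> {a.recommendation}")
```

On the constructed data, 203.0.113.7 is denied on five distinct ports minutes before its first SQL Injection alert and then cycles through three signature classes over roughly an hour and a half, so it is recommended for blocking; 198.51.100.77 produced a single XSS alert on a search page with no prior network activity, which is exactly the case an analyst should check for a false positive before blocking a possibly legitimate user. The point is that neither answer is visible from the WAF alert alone.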

Sophisticated, intelligent WAF log monitoring results in meaningful, actionable data and simplified audits, including proof of compliance. At the end of the day, outsourced WAF log monitoring allows internal resources to focus on core business initiatives, ultimately saving time, money and valuable resources.

Outsourced WAF Monitoring Includes:

  • Address compliance requirements for log monitoring and review
    • SOX, FFIEC, GLBA, PCI DSS, CobiT, HIPAA, ISO and more
  • Evidence & Log Vault
  • Advanced correlation engine across the entire security platform
  • Expert SOC review of alerts
  • Block/Do not block recommendations
  • 24/7 service and support, including:
    • Expert SOC analysis of alerts
    • False positive investigation
    • Dynamic content analysis
    • Customized escalation procedures
    • Subject matter experts to aid in incident review and analysis
  • Support for over 100 devices and applications: Breach, Imperva, BlueCoat, Palo Alto Networks, Cisco, Snort, Apache, McAfee, ISS and more