SOAR Use Case – Data Exfiltration
June 21, 2021SOAR Use Case – Responding to PrintNightmare
July 8, 2021Managing Web Application Firewall (WAF) response with SIRP SOAR
Web applications and websites are essential platforms that every business needs to engage customers, users, and visitors. Consequently, the internet-facing deployment of hosted applications and websites increases the risk of being attacked by adversaries. Web Application Firewalls (WAF) are placed as a front-line of defense to counter application-layer attacks like DDoS, SQL injections, and XSS (cross-site scripting). WAF protects against application-level attacks and exploitation of vulnerabilities to ensure that the web applications are secure.
SIRP offers the integration of hundreds of security tools, which also include different WAF products. Integrating WAF with SIRP helps security teams to automate the management of WAF alerts and rules using automation playbooks. These automation playbooks help not only in automating the incident response of WAF events but also other security controls depending upon the need of incident response use cases. Moreover, statistical information examples are given below and can be ingested to SIRP to customize playbooks.
- Geographical stats of visitors
- Bandwidth Utilization
- Total number threats by type
- Security rules and incident count
- Hit counts (human/bot/blocked session)
SIRP enhances attack prevention and mitigation by analyzing this statistical data provided by a WAF. For instance, an attack pattern or threat detected by the WAF on a site can be automatically blocked on all other sites using the playbook.
Similarly, an attacking IP address can be further investigated using SIRP playbooks on other security controls such as Perimeter Firewall. SIRP playbooks offer flexible customization which helps security teams by automating the investigation process. This is made possible with the holistic view of threats and incidents on the SIRP dashboard.
Challenge
A WAF can contain sizable amounts of statistics and logs, however, it is resource-intensive to analyze and assess the data to manually create and update policies and set protection rules and parameters. Similarly, numerous hours are wasted on manually upgrading multiple sites one by one with new parameters (which also require tiresome analysis) for protection against threats.
Not to mention the added screen fatigue from constantly switching between multiple screens that increases the time taken to respond actively to threats.
Solution
Integration of an advanced Security Orchestration, Automation, and Response (SOAR) platform like SIRP with a WAF delivers a holistic view of the analytics obtained from multiple sources. The analytics, including incidents, attacked site information, country-wise stats, errors, events, site violation, and IP information, are displayed on the SIRP dashboard in a single-pane-of-glass, making analysis and response that much easier.
Automated playbooks don’t simply improve the SOC performance, but they also enable them to enrich the acquired data by maintaining records of the alerts, trends, and patterns.
As the threat landscape accelerates rapidly, so should its monitoring and analysis. SIRP Security Score (S3) and asset management also help prioritize the assets (which also includes the WAF) to protect against any future attacks.
Integration Features
Use Case 1: Real-Time Statistical Dashboard for Multiple Sites in a Single Window
A WAF can provide a real-time statistical dashboard that enables users to get instant access to live information. But that alone is not enough for a manager that sees things from their own perspective. SIRP utilizes the WAF feature to formulate a centralized dashboard that presents the required information and statistics to managers - all in one place. This feature allows data enrichment to security events and supports real-time, data-driven decision-making while displaying a customized dashboard for the users.
An added bonus is that this feature can be utilized to generate reports from the customized dashboards that can be used for future threat analysis. And to display the threat landscape to the senior management.
SIRP utilizes the centralized dashboard feature to display the statistics with a sophisticated widget that enables SOC analysts to employ policies and rules that shape and tune the client’s security posture and makes it even more relevant and current. For instance, in case of a DDoS attack, live traffic statistics enable our security team to quickly identify abnormal activity patterns of the bot and human visitors.
Use Case 2: Rules and Actions Customization
Modify site security configuration
With the help of statistical data ingested in SIRP, the security team can modify site security configurations directly from SIRP. To modify the configuration for a specific rule ID, the following parameters can be modified.
- Set whether or not to block bad bots.
- Set whether or not to send a challenge to clients that are suspected to be bad bots (CAPTCHA for example).
- Set Activation mode.
- Set action that should be taken when a threat is detected.
Modify Whitelist/Blacklist Configuration
Mostly, Whitelists and Blacklist are made to strengthen Access Control. SIRP also offers modification to set blacklists/whitelists to security rules or ACLs on WAF. Following parameters can be set:
- Country
- Continent
- IP Address
- URLs
- Client Application Type
- Client Application ID
- User-Agents
Benefits
- Get a single-pane-of-glass / dashboard view of your protected infrastructure, with real-time information about incoming traffic, threat types, and attacking countries.
- Immediately detect and block application-layer attacks.
- Elevate response time by analyzing managed data quickly available on the SIRP dashboard.
- Ensure protection of applications and websites with log storage and maintenance (that can be utilized for future analysis).
