Swordfish

Transcription

1 Swordfish Web Application Firewall

2 Web Application Security as a Service Swordfish Web Application Security provides an innovative model to help businesses protect their brand and online information, incorporating a state-of-the-art transparent security layer over their web applications. Web Applications are a direct target for attacks, as they are directly accessible from all parts of the world and form a surface to valuable information and, many times, Personally Identifiable information (PII) such as credit cards, identity numbers, health information, etc. Each year, web-borne attacks are increased by 30%, while successful breaches reach up to a 60% increase, proving that not only new attack vectors are created on a daily basis, but also their effectiveness and complexity is significantly raised. Critical vulnerabilities like HeartBleed and ShellShock are disclosed leaving Web developers unable to implement means of protection or, worst, pro-actively plan these low-level vulnerabilities. Businesses, on the other hand, have a critical demand of information and services to be available in the minimum amount of time to, amongst others, increase profitability or make new business channels available worldwide. Adding to the complexity, regulation standards such as PCI or HIPAA, enforce the design and implementation of security controls to safeguard information. Swordfish Web Application Security was designed, in order to accommodate both business needs and security requirements. By implementing a transparent security layer in front of web applications, security and compliance requirements are no longer a dependency, as all Web requests handled by the Swordfish WAF, cleaned from malicious calls and legitimate traffic is directed to the Web Application for the business logic to be performed. Swordfish Web Application Security is equipped with state-of-the-art rules, optimized to zero-out false positives and false negatives, as well as a set of features that establish a complete security solution for doing business today in the Web.

3 Why SWORDFISH? The Swordfish Web Application Firewall Technology is engineered to be fully customizable in terms of user and group access privileges, aligned with both Corporate and Information Security policy. In effect, our solution addresses the security need for ongoing operational security not just the technology: Continuous Research Based Rule-Set The carefully designed policies contain a comprehensive set of rules that implement general-purpose hardening, common web application security issues protecting against the latest threats, while taking advantage of the continuous research on new threats appearing on a daily basis on OSI Security Labs. OSI Security Labs investigate the vulnerabilities identified, compiles them with the latest threats reported by Bugtraq, CVE, Snort, and performs primary research to deliver the most up-to-date and comprehensive Web Application Firewall service available. Anomaly Detection The rule-set keeps anomaly scores for each request, IP addresses, application sessions, and user accounts. Attack from sources having reconnaissance history, incomplete HTTP protocol transactions and malicious content within HTTP transport protocol, amongst multiple other factors, raise the abnormality score. Requests with high anomaly scores are rejected altogether. Positive Security Model Swordfish WAF analyzes the full HTTP transaction in order to understand the application structure, elements, and expected user behavior. The positive security model is implemented through the profiling of protected applications, including an enumeration of application URLs, parameters, cookies, and methods. By the end of the Learning phase, the WAF engine will have created a baseline of rules including all "whitelist" rules, ready to protect the Client's valuable web applications HTTPS/SSL Inspection The Engine analyzes the full HTTP transaction - even over HTTPS/SSL- allowing complete requests and responses to be inspected for malicious input. With the high technology inspection, fine-grained decisions can take place, ensuring that only malicious containing transactions are logged and intercepted. Evolution in parallel with Web Applications responses, the WAF learning engine understands the application structure and elements that have changed since the last rule-set upgrade. Swordfish WAF evolves with the web application in parallel recognizing application changes, while simultaneously protecting against deviations in known users behavior. Reputational Intelligence (Swordfish ReputationMonitor ) Obrela Security Industries Reputational Intelligence enhances Swordfish WAF, by adding reputational context to all the actors associated with the communications between the customer infrastructure and the Internet. This is performed by integrating and de-duplicating multiple proprietary and open reputational feeds. OSI Domestic Intelligence Network uses SIEM and Honeypot intelligence to extract and local attack formations & attackers targeting multi-region telecommunication providers, amongst other industries. Sources based on OSI proprietary intelligence (SIEM based reputation, Malware Analysis, Regional Honeynets), Commercial Feeds (eg DVLabs) and Open Source feeds allow OSI to have total visibility of communication with TOR/Anonymity, C&C Servers, Compromised Hosts, Malware Repositories, Phishing Sites, etc. Web Resource Surveillance (Swordfish SocialMonitor ) The customer's key web resources and their approved activities are extensively tested until a Gold Standard behavior mapping is developed. This Gold Standard mapping is then applied to OSI's Security Operations Center (SOC) and monitored round-the-clock. Any deviation from this mapping will trigger flags within OSI's SOC and strict rules of engagement are followed, allowing the customer to act quickly and decisively. Features include, but are not limited to, screenshot rendering changes, HTML source changes, key string monitoring, monitoring against sensitive information disclosure. Virtual Patching Through Vulnerability Scanner Integration Swordfish WAF acts as an external patching tool for systems with known weaknesses and vulnerabilities. OSI engineers create custom rules in order to reduce the window of opportunity. Provided the time needed to patch application vulnerabilities, OSImWAF allows applications to be patched from the outside, without touching the application source code, making the protected systems secure, until a proper patch is produced and deployed. Swordfish WAF combines negative and positive security model in order to identify the evolution of a web application. Analyzing the full HTTP transaction and inspecting the complete requests and

4 Web Fraud Prevention Phishing criminals are getting smarter, whilst their techniques are constantly evolving. Their enhanced efforts continue to generate results from phishing, with the criminals focusing their effort where they can get results. Through the optional integration with FraudWatch, organizations are able to identify and stop fraudulent transactions damaging client's reputation. Monitor Mode Option A full bandwidth of services not just a web application firewall With the high technology inspection, fine-grained decisions can take place, ensuring that only malicious containing transactions are logged without being blocked. In case the positive model is selected, the ruleset created during Learning mode, is used to identify deviations from normal behavior and instantly produce alerts. In case negative security model is selected, the carefully designed ruleset contains a comprehensive set of rules that identify common web application security issues protecting against the latest threats, while taking advantage of the continuous research on OSI Security Labs. In monitor mode, the WAF monitors traffic without blocking malicious activity. Operators are instantly alerted in case of malicious activity in order to manually mitigate the incident. Zero Impact Deployment and Ultra High Performance Swordfish WAF deployment only takes a few minutes to add web sites no matter what technology is used or even no matter the web server platform is used. It is practically deployed by just changing the DNS record of the site to point to the Swordfish WAF farm. In-house setups are also designed with speed-of-deployment in mind. Security Updates and Enhancements The Swordfish WAF Policies are continuously evolving, by taking advantage of the continuous research on new threats appearing on a daily basis on OSI Security Labs. Rules and definitions are getting updated monthly in order to protect Client's valuable Web Applications against the latest threats. In-House Deployment Options Swordfish WAF appliances provide superior performance, scalability, and resiliency for demanding web application environments. To maximize uptime, the Swordfish WAF hardware appliances optionally feature redundant, redundant power supplies, multiple network interfaces and hard drives. Swordfish WAF hardware appliances provide the flexibility, reliability and performance required to support multiple Swordfish WAF instances protecting multiple client's web applications. Swordfish WAF Virtual s take advantage of existing virtualization by integrating with all modern virtualization technologies. Virtual s offer adaptable, reliable and manageable security for organizations of all sizes.

5 SWORDFISH as a Service (SaaS) helps you leverage SWORDFISH Technology without requiring capital expenditures in technology infrastructure or staff training. SWORDFISH as a Service (SaaS) helps you leverage SWORDFISH solutions without requiring capital expenditures in technology infrastructure or staff training. SWORDFISH services can be tailored to your information security model and integrated to your existing security organization and procedures. The look and feel can also be adjusted to address corporate branding and internal marketing requirements. SWORDFISH is also integrated with the Obrela Security Industries Corporate Security Intelligence Services and can be monitored on a real time basis, by leveraging existing Security Operations Centers and Infrastructure. SWORDFISH services can be tailored to your information security model and integrated to your existing security organization and procedures. Swordfish Web Application Firewall is accompanied with a web console providing an instant view on all operations undertaken by the WAF to protect the applications. Traffic statistics are provided to track bandwidth utilization, countries and user agents. Security statistics illustrate an overview of the web firewalling process grouped by threat category, as well as their association with compliance sections such as PCI and SOX. Events that constitute malicious behavior being cleaned are available, along with the endpoint details, headers and rules that were triggered. Administration sections that allows for easy management of various WAF features, dashboards per sites protected, user management and mapping of users to protected applications Multiple Swordfish WAF instances can be managed from within a single Web Console.

6 One-click integration with Corporate Security Intelligence All services provided by Obrela Security Industries are tightly integrated with each other in order to benefit from a multi-dimension protection platform, under a single contract, tailored to each individual requirement or use case. The Swordfish Web Application Security, either deployed As-A-Service (SecSAAS) or in-house (physical or virtual appliance) can be integrated with the Corporate Security Intelligence services providing real-time monitoring of all security aspects utilizing state-of-the-art SIEM deployments. Security event information generated by the Swordfish WAF is being consolidated and reported to our Security Operations Centers (SOC), where it is being correlated & monitored and manually validated on a 24X7 basis. Incidents requiring attention are escalated based on mutually agreed SLA and are monitored until closure via an integrated ticketing system. The integration allows Obrela Security Industries engineers to identify patterns in traffic and correlate behaviors based on statistical models that would be otherwise left unattended. Such cases include identification of business logic vulnerabilities, identification of changes in the underlying web application and evaluation against the behavioral model, live identification of distributed denial of service attacks being formatted or taking place.

7 Specifications As A Service (SecSaaS) V2100 V4100 V8100 A4100 A8100 A12100 Managed Virtual Virtual Virtual Physical Physical Type Service Physical CPU Unlimited 2 Vcores 4 Vcores 8 Vcores 1 x Xeon Quad 2 x Xeon Quad 2 x Xeon Eight Ram (GB) Unlimited Disk (GB) Unlimited Hypervisor Hypervisor Hypervisor Interface N/A depended depended depended 4 x Copper 4 x Copper 4 x Copper Disk redundancy Included N/A N/A N/A Yes Yes Yes PSU redundancy Included N/A N/A N/A Yes Yes Yes Geographic High Availability Relocation Form Factor N/A N/A N/A N/A 1u 1u 1u AC Power V, V, V, Consumption - Heat 60 Hz, 130W, 60 Hz, 225W, Hz, 250W, Output N/A N/A N/A N/A 450BTU/h 750BTU/h 800BTU/h Hardware Support N/A N/A N/A N/A 3 y NBD 3y 4h Response 3y 4h Response Peak Throughput (mbps) Unlimited Web Security Network security Web Console / UI User Interface Deployment Modes Positive Security Model, Negative Security Model, Automatic WebApp learning, Web server & application signatures, HTTP Protocol Abnormalities, Encoding normalization Stateful firewall, DoS prevention Provided Live monitoring, Dashboard Monitoring, Alerting Through ArcSight Web Console Block Mode / Learning Mode / Monitor Mode Session Awareness Yes Yes Yes Yes Yes Yes Yes Reputational Intelligence Yes Yes Yes Yes Yes Yes Yes SSL Inspection Yes Yes Yes Yes Yes Yes Yes Web Resource Surveillance Yes Yes Yes Yes Yes Yes Yes Fraud Protection Optional

8 Virtual Patching Yes Yes Yes Yes Yes Yes Yes DDoS Protection Optional Depending on infrastructure DDoS mitigation capabilities SIEM Integration / 24x7x365 Monitoring Updates Optional Monthly Rules and definitions Major version upgrades every 12 to 18 months. Minor releases (service packs) every 4 to 6 months. Patches are released as needed.

9 Learn More