Imperva
SecureSphere - ThreatRadar
Industry-First Reputation-Based Web Application Security
Overview:
Hackers are becoming more industrialized and well resourced. Sophisticated criminals are
leveraging networks of remotely-controlled computers, or bots, to launch large-scale
automated attacks. Effective attack mitigation requires identifying known malicious
sources and adapting to continuously changing attack locations and techniques.
ThreatRadar is a unique add-on security service for SecureSphere Web Application
Firewall (WAF) that provides an automated defense against automated attacks.
By integrating credible, timely information on known attack sources into the
WAF defense, ThreatRadar can quickly and accurately stop traffic from malicious
sources before an attack can be launched.

Key Capabilities:
- Aggregates reputation data from the foremost commercial and non-commercial providers to identify:
  - Malicious IP addresses
  - Anonymous proxies
  - TOR Networks
  - Phishing URLs
- Visualizes attack location and summarizes reputation data with integrated forensics tool
- Protects against automated and botnet attacks
- Offers near real-time feeds of global reputation data
- Instantly updates SecureSphere Web Application Firewall policies based on current attack data
Features:
Track Attack Sources on a Global Scale
Leveraging the security community's collective insight, centralized ThreatRadar servers aggregate information on attack sources from credible data providers. ThreatRadar protects against:
- Malicious Sources: traffic sources that have repeatedly performed malicious activity on other Web applications. To date, over ten million botnets have executed attacks on behalf of remote hackers.
- Anonymous Proxies: traffic sources that use anonymous proxies. By hiding the identity of the traffic source, anonymous proxies are often exploited by hackers to launch attacks.
- The Onion Router (TOR) Networks: traffic sources that use TOR networks to launch attacks without revealing their identity and location.
- Phishing URLs: real-time alerting on phishing incidents against the customer domain.
By understanding attempted attacks on other websites, SecureSphere WAFs can identify botnet or distributed attacks--attacks that may be difficult to identify based only on the characteristics of the Web request.
Continuous, Automated Feed of Current Attack Sources
ThreatRadar servers deliver an integrated attack source feed, in near real time, to all ThreatRadar-powered SecureSphere WAFs. ThreatRadar is fully maintained by Imperva and eliminates the manual effort required to identify, subscribe to, and maintain these security feeds. ThreatRadar continuously refreshes the feed, providing up-to-date protection against malicious traffic.

Dynamically Adapt Web Security Policies
As SecureSphere WAF receives attack source information, ThreatRadar dynamically adjusts Web security policies to alert or block traffic from newly identified attack sources. Furthermore, custom security rules can use information provided by the feeds to fine-tune the response for specific types of traffic, such as the ability to block only the traffic that comes from a malicious source exhibiting suspicious behavior.
Early Detection, Blocking of Malicious Sources
ThreatRadar increases the accuracy of SecureSphere WAF and dramatically reduces application visibility to attackers. Because access requests are blocked based on traffic source reputation, hackers have virtually no opportunity to explore the Web application for possible weaknesses and are less likely to launch a successful attack.
Streamlined Forensic Analysis and Attack Source Intelligence
ThreatRadar takes the guesswork out of event analysis by providing greater operational insight into attacker origins and methods. Source information such as malicious IP address and geographic location of the attack provides additional context on attackers, enabling precise incident response procedures and minimizing operational workload.
Deployment:
Market-Leading Web Application Security
More organizations rely on Imperva to protect their critical Web applications than any other vendor. With drop-in deployment and low administrative overhead, SecureSphere provides a practical and highly secure solution to
Multiple Deployment Options
- Transparent Layer 2 Bridge: Drop-in deployment and industry-best performance
- Reverse Proxy and Transparent Proxy: Content modification, such as cookie signing and URL rewriting
- Non-inline Monitor: Zero risk monitoring and forensics
- High Availability: IMPVHA, VRRP, fail open interfaces, existing redundancy options, non-inline deployment

Specifications:
| Specification | Description |
|---|---|
| Malicious Sources | |
| Malicious URLs | |
| Forensics | |
| Communications to ThreatRadar servers | |
| Security Feed Updates | |
| Data Feed Sources | |
| SecureSphere Integration | |
| Supported Products | |

Documentation:
Download the SecureSphere ThreatRadar Datasheet (PDF).
Download the SecureSphere Web Application Security Products Datasheet (PDF).
