impervablog | Shelly Hershkovitz | IMPERVABLOG:5E50E2263AEAFE98B90E01B16AA73334
Apr 26, 2018 - 7:01 p.m.

Keeping Your WAF Relevant: Emergency Feed Pushes New Mitigations in Just Hours

2018-04-26 19:01:59
Shelly Hershkovitz
www.imperva.com

CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.975 High
Percentile: 100.0%

We previously reported that the overall number of new web application vulnerabilities in 2017 showed a 212% increase from 2016’s 6,615 to a whopping 14,082. This spike was due, in part, to high-profile vulnerabilities like Heartbleed, Shellshock, POODLE, Apache Struts 2 and, more recently, Meltdown and Spectre.

There is, however, good news in the form of a new tool tasked with pushing mitigations for high-profile vulnerabilities like these to the SecureSphere Web Application Firewall (WAF) within a matter of hours.

Ongoing Vulnerability Protection

Tasking your security team with analyzing each and every vulnerability, deciding their relevance and applying the necessary mitigations is near impossible, which is why virtual patching of your WAF is so important. Not updating your WAF regularly is like wearing your old 80s jeans thinking you’re still cool…you’re not. Imperva regularly releases mitigations for new vulnerabilities.

> In today’s tech landscape, where constantly up-leveled cyberattacks are one of the most prominent threats to corporate assets, timing is everything.

Once a vulnerability is published, it’s only a matter of time until attackers exploit it. It only takes a few hours for high-quality code snippets to be published and by then, every script kiddie has had the opportunity to run them against whomever they choose. In the case of a 2017 Apache Struts vulnerability, for example, an official exploit was made public one day after the vulnerability was announced. Clearly, updating mitigations only once every few weeks is not enough.

The Answer: An Emergency Feed

Imperva has incorporated an emergency feed into our ThreatRadar subscription service as an extension of our WAF, which allows Imperva security researchers to push mitigations for high-profile vulnerabilities to the WAF in just a matter of hours. Our goal is to push mitigations via the emergency feed in no more than 24 hours from the time of the vulnerability’s publication, so whether a new vulnerability hits the landscape in the middle of the night or your entire security team is on vacation, your WAF estate is protected.

So, how do we do it?

To qualify for mitigation through the emergency feed, a vulnerability must be remotely exploitable, exploitable without authentication and have the potential to be highly impactful. In these cases, Imperva researchers analyze the vulnerability, understand its scope, and create the appropriate mitigation. The mitigation is then run through a wide set of Incapsula and SecureSphere customers, on real-world data, to observe its false positive rate and search for variations of the vulnerability. Only when our researchers are convinced that the new mitigation is stable and reliable will they push it into the emergency feed.

Simply put, in just a few hours, all of Imperva’s customers on Incapsula and SecureSphere WAFs are fully protected. The best part? There’s no action required by your in-house security team. As soon as they’re back in the office they have access to a report summarizing the nature of the vulnerability and the mitigation applied.

Included with ThreatRadar Subscription

If you’re a SecureSphere customer with a ThreatRadar subscription, the emergency feed is included and takes only a few clicks to enable. Incapsula customers receive this service out of the box – no registration required.

For SecureSphere customers with ThreatRadar subscription:

  1. Check the Emergency Feed box on the customer portal to register.

  2. In the Imperva SecureSphere WAF dashboard, enable the Emergency Feed services under the ThreatRadar tab.

That’s it. The emergency feed is enabled and will begin receiving new mitigations immediately. With each content update, our researchers will remove the most recent mitigations from the emergency feed and permanently add them to your SecureSphere WAF, so your system is updated. You will be notified of updates via email.
