Wallarm has developed an adaptive application security platform with hybrid architecture uniquely suited for cloud applications.

Enterprise-Grade Web Application Firewall

Instant protection against SQL injection, cross-site scripting, illegal resource access, remote code execution, remote file inclusion and other OWASP Top-10 threats. Granular blocking at the API level minimizes impact on legitimate traffic.

Adaptive Security Rules defined by Machine Learning

Wallarm continuously analyzes stateless web application and API traffic to profile application protocols, API logic, data boundaries and user behavior. These profiles allow Wallarm to detect anomalies in application requests or payloads and automatically flag them. Applications evolve over time, and so do the profiles: Wallarm security rules evolve with the applications.

Minimal False Positives

Unlike signature-based WAFs, security rules used by Wallarm are derived specifically for the application under protection and supplemented from the Wallarm knowledge base of applications with similar profiles. Wallarm continuously updates security rules, thus minimizing false positives and ensuring your application is protected even when the environment or the application itself changes.


Protecting from botnets and password reuse

Bots are tiny automated agents that run on other people’s computers and devices without the owners' knowledge. A typical botnet credentials attack can include as many as 25K-100K agents or bots.

A successful attack can inflict material damage on the affected company or service. One of the more frequent uses of botnets is credential stuffing: attempting to reuse credentials stolen from other services to access the application.

While the fundamentals of credential stuffing are well known to security and operations professionals, stopping it is not an easy matter.

  • In many cases (as much as 90%) attackers run credential stuffing attacks against APIs for mobile clients, where common prevention methods such as CAPTCHA are difficult to implement.
  • Botnet-driven attacks are so massive (a botnet can use as many as 100k IPs as network proxies) that they often result in DoS, especially if the company's user authentication is connected to additional software (e.g. CRM).
  • Unlike traditional password brute force, credential stuffing attacks are fast: even a one- or two-second window is enough to make dozens of attempts. Typical home-grown defenses such as request-rate limiting and fail2ban scripts are no match for this speed.

Wallarm tracks attempts and exports usernames likely to be compromised to customer's anti-fraud team. To achieve almost instant protection, Wallarm also exports suspicious IP addresses to the perimeter firewall. Beyond immediate credentials security, Wallarm’s ability to distinguish a human actor from a bot without CAPTCHA dramatically improves user sign-in experience and user retention.
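The following added example (not Wallarm code) shows why a per-IP limit misses the distributed, fast pattern described in the list above, while an aggregate view over all sources catches it and yields the IPs and usernames to export. The event tuples, thresholds and the "more than one username per IP" heuristic are assumptions made for illustration.

```python
from collections import Counter

def build_events():
    """Constructed sample: 40 bot IPs each try 2 stolen pairs within 2 seconds,
    plus three ordinary logins. Tuples are (time, ip, username, success)."""
    events = []
    for i in range(80):
        ip = f"198.51.100.{i % 40 + 1}"
        # a few of the stolen pairs happen to be valid on this service
        events.append((1000.0 + i * 0.025, ip, f"user{i:03d}", i % 27 == 5))
    events += [(1000.5, "192.0.2.10", "alice", True),
               (1001.0, "192.0.2.11", "bob", False),   # typo, then success
               (1001.2, "192.0.2.11", "bob", True)]
    return events

def per_ip_rate_limit(events, max_failures=5):
    """Home-grown defence: flag any IP with more than max_failures failed logins."""
    failures = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in failures.items() if n > max_failures}

def detect_stuffing(events, window=2.0, min_failures=50, min_user_ratio=0.9):
    """Aggregate check: many failures in one short window, nearly all for different usernames."""
    start = min(e[0] for e in events)
    burst = [e for e in events if e[0] - start < window]
    failed = [e for e in burst if not e[3]]
    failed_users = {user for _, _, user, _ in failed}
    if len(failed) < min_failures or len(failed_users) / len(failed) < min_user_ratio:
        return None
    users_per_ip = {}
    for _, ip, user, _ in burst:
        users_per_ip.setdefault(ip, set()).add(user)
    # a source that fails while cycling through several accounts is treated as a bot
    bot_ips = {ip for _, ip, _, _ in failed if len(users_per_ip[ip]) > 1}
    # accounts that authenticated from a bot IP are the likely-compromised ones
    usernames = sorted({u for _, ip, u, ok in burst if ok and ip in bot_ips})
    return {"ips": bot_ips, "usernames": usernames}

if __name__ == "__main__":
    events = build_events()
    print("per-IP limit flags:", per_ip_rate_limit(events))
    print("aggregate detector:", detect_stuffing(events))
```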

API Protection

Protect APIs

Wallarm’s detection, behavioral analysis, syntax learning, and selective blocking features make it an excellent choice for run-time API monitoring and protection. We are able to address five key challenges of API protection:

  • Decode XML, JSON, Base64 encoded and nested protocols
  • Distinguish between legitimate and malicious payloads
  • Distinguish between legitimate and malicious bots/automation
  • Protect east-west traffic in microservices applications
  • Protect RESTful and other APIs where clients are mobile apps


What’s a vulnerability

A security vulnerability is a flaw in one of the software components or infrastructure configurations which can be exploited by an attacker to get access to sensitive data, obtain unauthorized service or corrupt the system. The process of discovering, classifying and mitigating vulnerabilities is called vulnerability management. There are many dedicated tools whose purpose is to periodically scan for vulnerabilities, for example, as part of penetration testing. However, very few of these tools implement ongoing vulnerability management.

Wallarm Active Vulnerability Detection

Active scanning for vulnerabilities is what allows Wallarm to provide a level of application security above and beyond most WAF solutions.

The Wallarm active vulnerability scanner relies on the application profile and structure that is derived by machine learning / AI from the analysis of the application traffic. This approach allows Wallarm to forgo crawling. It provides broader coverage and is lighter weight than simulating a browser and attempting to discover every part of the application logic.

Wallarm Passive Vulnerability Detection

In many cases, an understanding of traffic patterns and application profiles is sufficient to detect a possible vulnerability. A good example is a path traversal attack that attempts to read the /etc/passwd file and actually gets access to the file's content. While monitoring the application's HTTP traffic, Wallarm compares attack vectors in HTTP requests with notable features of HTTP responses.
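As an added illustration of the request/response correlation described above (example code, not Wallarm's implementation), the sketch below marks an exchange as vulnerable only when a traversal vector in the request coincides with passwd-format records in the response. The regular expressions, the verdict names and the sample exchanges are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

# Request side: a traversal sequence followed by the /etc/passwd target.
TRAVERSAL = re.compile(r"(?:\.\./|\.\.\\)+.*etc[/\\]passwd", re.IGNORECASE)
# Response side: lines shaped like passwd records (name:pw:uid:gid:gecos:home:shell).
PASSWD_LINE = re.compile(
    r"^[a-z_][a-z0-9_-]*:[^:\n]*:\d+:\d+:[^:\n]*:/[^:\n]*:[^:\n]*$", re.MULTILINE)

# Constructed response body standing in for leaked file content.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e -> %2e -> '.')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(request_target, response_status, response_body):
    """Return 'clean', 'attack' (vector seen, nothing leaked) or
    'vulnerable' (vector seen and file content came back)."""
    if not TRAVERSAL.search(decode_fully(request_target)):
        return "clean"
    leaked = len(PASSWD_LINE.findall(response_body))
    if response_status == 200 and leaked >= 2:
        return "vulnerable"
    return "attack"

if __name__ == "__main__":
    exchanges = [  # constructed (request target, status, body) samples
        ("/download?file=../../../../etc/passwd", 200, SAMPLE_PASSWD),
        ("/download?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd", 404, "Not found"),
        ("/docs/etc/passwd-policy.html", 200, SAMPLE_PASSWD),
    ]
    for target, status, body in exchanges:
        print(classify(target, status, body), target)
```

Requiring both signals is what keeps the last sample clean: passwd-like text in a response is not a finding unless the request carried the attack vector.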


Network discovery

Understanding the network perimeter and the assets that are visible to the outside world is critical to strong security practices. As companies develop, new deployments arise, driven by M&A processes or shadow IT. The number of exposed assets keeps growing while management of these assets is not always adequate. These assets can be internal, spread across multiple company datacenters, or external, located at an external hosting provider or simply an application service used by marketing.

Attackers look for the “weakest link”, the least protected resource on the corporate perimeter, to gain a foothold from which to attack the entire domain, particularly if they are able to intercept a domain authentication cookie or a certificate.

Wallarm utilizes many techniques commonly used by experienced auditors and pen testers, including dictionary domain scanning, regular and reverse DNS lookup, search engine indexes and search across various public sources. Once the IP addresses are determined, Wallarm continues the discovery process with port scanning and detecting services that are accessible on those ports.

As a result of perimeter scanning, Wallarm generates a map of domains and IP addresses of all the assets, including on-line services under the same domain accessible from the internet.


Aggressive Internet Environment

Detecting attacks is only the first phase of Wallarm’s security service. To figure out which attacks can result in actual exploits, Wallarm actively replays attacks against the application.

The effect is that the attacker's own “hacker intelligence” provides the needed “know how” to find the vulnerability in the application and understand which attacks can in fact result in security incidents.

When replaying attacks, Wallarm always uses anonymous sessions, making sure to negate Cookie, Basic auth and API keys to avoid negatively affecting the application. Attack vectors are sanitized to remove potentially dangerous instructions and exploits, to ensure the application function is not compromised.

To further characterize attacks, Wallarm analyzes their nature and character, not just their sources. We detect if the attacker has changed IP addresses but continues the same attack. We see if a scanner uses a distributed network with multiple external addresses. To account for this, we have developed an aggregated metric, which helps to correlate attacks with the respective business risks. To quantify this risk, Wallarm uses “cost of attack” metrics. Attacks with a higher “cost of attack” need to be addressed first.

Address: 94107, San Francisco, Brannan St, 415
(415) 940-7077