Just in Time for Black Hat 2018: Summer Product Launch Featuring Power Rules and Network Learning Exchange (NLX)
We’ve just come out of our bi-annual company meeting held at HQ in Culver City, CA and summer is heating up with some exciting product announcements!
The team has been talking with our new customers about how much they love our “set it and forget it” approach to OWASP injection attacks for both visibility AND blocking. But what we’re hearing more and more is how excited they are for the advanced attacks and anomalies we’re able to show them via our Console, as well as, the ability to stop those attacks before they impact the web application and their business.
As a true CI/CD shop, we’ve been releasing the building blocks over the past year to what we’re now thrilled to announce, Power Rules. Power Rules is an incredibly powerful platform with an intuitive user-interface to define, monitor, and take action on any web application or API transaction, providing protection beyond OWASP injection attacks. Signal Sciences automates coverage against common attacks out of the box including OWASP injection attacks by utilizing SmartParse, our proprietary detection technology, without any signature configuring or tuning.
But today’s security leaders care about a lot more than OWASP injection attacks. There are entire classes of attacks that haven’t been addressed by legacy web application firewalls (WAFs) including account takeovers, brute force, credential stuffing, application and feature abuse around orders, transfers, queries, and more.
For advanced coverage of today’s unique, complex abuse and attacks, Power Rules are easy to set up and provide unparalleled flexibility and customization to protect your web applications and services. With Power Rules, there are no regexes to tune and no complicated rules or scripting languages to learn or manage.
Let’s take a quick walkthrough of the components of Power Rules: visibility, actions, and lists.
Power Rules
Start With Signal Visibility
Power Rules enable you to gain visibility into application logic attacks like feature abuse and misuse, account takeover (ATO) attempts, bad bot activity, and more. By using our intuitive user-interface in the Console (also configurable via API), you can define your own Signals with inputs selected from drop-down menus, including user agent, path, method, scheme, post or query parameter, request cookies, and more. ATO is a serious issue facing enterprises today, and Signal Sciences Console offers several templates for popular login and registration workflows to apply Signals to failed and successful attempts, which are displayed in the Console with time-series Dashboards.
By providing simple workflows to instrument these kinds of businesses and application logic, security teams — and the developers and operations — can gain confidence that they’re doing more to protect their business and customer data.
Learn how Glossier is using Power Rules to protect against ATO attacks.
Trigger Automated Actions
Using Signals defined by default or by you, simply add conditions and thresholds to trigger actions to alert and block malicious and anomalous application traffic specific to your web applications and services. This is really where developers come in: developers often know the application workflows best — which are usually difficult to test via scanning tools — and can start to get visibility into the attack surface of the features they’re building, much like they pay attention to how performant their code is through application performance monitoring (APM) tools.
Alert triggers automate push notifications to Slack, PagerDuty, Datadog, Splunk, and more, involving the developers and operations teams in the day-to-day security of your web applications and services. For some actions, you might just want alerts, such as when you exceed a set threshold for TOR traffic; for others, you can set the Power Rule to alert and block, such as surpassing a threshold of failed login attempts.
Augment Signal Visibility with Lists
Using lists, you can augment Signal visibility and trigger conditions with your own trusted data sources, such as third-party feeds. Lists allow you to parameterize Rules with business data you have collected, such as IPs, user agents, countries, wildcards, and more.
Outright Blocking
Basic functions like whitelisting, blacklisting and virtual patching for application CVEs are also configurable using Power Rules drop-down menus in the user-interface as well as via API.
Power Rules are included as part of your Signal Sciences license.
Pretty powerful stuff, if you ask us, and exponentially better than the traditional regex rules from legacy WAFs set up for catching basic SQLi and XSS attacks. Ok, (puns aside for now) moving onto another impactful feature that grows stronger as our customer base increases: Signal Sciences NLX, which stands for Network Learning Exchange.
Signal Sciences NLX
Strength in Numbers
Web application attacks account for 41% of breaches according to this year’s Verizon Digital Breach Investigation Report. Often, attackers targeting your web applications today are using automation tools to probe and target many websites without trying very hard. That’s what our founders saw early on at Etsy before they started Signal Sciences: attackers opening a terminal window with hundreds of URLs they would swap into their attack tools using automation. But what if you could have advanced warning of malicious activity elsewhere in the Signal Sciences network based on data from your peers? You could prevent attackers from stealing your business and customer data, much like a warning there’s a tornado in your area, but with a lot more power and time to prevent it from harming you.
How does it work?
Signal Sciences Cloud Engine collects anonymized attack data from tens of thousands of our distributed software agents, and learns by correlating patterns to form NLX to provide advanced warning of malicious activity.
Powered by intelligence derived Signal Sciences’ network of customers large and small — spanning leading media, technology, finance and healthcare verticals — NLX shares malicious IP sources within Signal Sciences Console, alerting you to suspicious actors before they are a threat to your sites.
Accurate Intelligence From Trusted Sources
NLX is a trusted, accurate IP reputation feed based on confirmed malicious activity collected from Signal Sciences customers — 95% of whom are running in blocking mode to stop attacks.
Because of our accurate detections, NLX is uniquely able to recognize attack patterns and identify potential threats before they become malicious on other sites protected by Signal Sciences.
Enriched Agent Intelligence Without False Positives
Unlike other crowd-sourced threat intelligence services, NLX doesn’t send generic signatures that can cause false positives if implemented, but instead alerts on confirmed malicious sources detected via our proprietary SmartParse technology. SmartParse leverages the intelligence and analysis of NLX to automatically enrich its dynamic, application specific detections made at the agent, providing not only advanced warning, but ongoing, augmented intelligence for enhanced protection of your sites.
Leveraging Power Rule for Automated Blocking
The NLX Signal can be used to trigger alerting and blocking actions via Power Rules, allowing you to automate actions based on NLX as a trusted source.
NLX is included as a part of your Signal Sciences license.
In Summary
With Power Rules and NLX, our customers are able to broaden their ability to see, secure and scale their web defense more easily than ever before. We look forward to continued conversations and new use cases we’ll hear from you!
We’ll be at Black Hat next week, showing these features & more in Booth 1329 in the main expo hall. Read our blog post for more details around how to find us!
Originally published at labs.signalsciences.com.
